Your WordPress News Dashboard

Vulnerabilities Patched in IMPress for IDX Broker - Wordfence Blog

On February 28, 2020, the Wordfence Threat Intelligence team became aware of a newly patched stored Cross-Site Scripting (XSS) vulnerability in IMPress for IDX Broker, a WordPress plugin with over 10,000 installations. Although all Wordfence users, including those still using… Continue Reading →

Vulnerabilities Patched in the Data Tables Generator by Supsystic Plugin - Wordfence Blog

A few weeks ago, we disclosed several flaws that were patched in the Pricing Table by Supsystic plugin. On January 20th, our Threat Intelligence team discovered several similar vulnerabilities present in another product from Supsystic: Data Tables Generator by Supsystic,… Continue Reading →

Severe Flaws Patched in Responsive Ready Sites Importer Plugin - Wordfence Blog

On March 2nd, our Threat Intelligence team discovered several vulnerable endpoints in Responsive Ready Sites Importer, a WordPress plugin installed on over 40,000 sites. These flaws allowed any authenticated user, regardless of privilege level, the ability to execute various AJAX… Continue Reading →

Vulnerabilities Patched in Popup Builder Plugin Affecting over 100,000 Sites - Wordfence Blog

On March 4th, our Threat Intelligence team discovered several vulnerabilities in Popup Builder, a WordPress plugin installed on over 100,000 sites. One vulnerability allowed an unauthenticated attacker to inject malicious JavaScript into any published popup, which would then be executed… Continue Reading →

Vulnerability Patched in Import Export WordPress Users - Wordfence Blog

On February 26th, our Threat Intelligence team discovered a vulnerability in Import Export WordPress Users, a WordPress plugin installed on over 30,000 sites. The flaw allowed anybody with subscriber-level access or above to import new users via a CSV file,… Continue Reading →

Zero-Day Vulnerability in ThemeREX Addons Now Patched - Wordfence Blog

On February 18th, we were alerted to a vulnerability present in ThemeREX Addons, a WordPress plugin installed on approximately 44,000 sites. We took immediate action to release a firewall rule to protect Wordfence Premium users. As this vulnerability was being… Continue Reading →

Active Attack on Zero Day in Custom Searchable Data Entry System Plugin - Wordfence Blog

The Wordfence Threat Intelligence team is tracking a series of attacks against an unpatched vulnerability in the Custom Searchable Data Entry System plugin for WordPress. The estimated 2,000+ sites running the plugin are vulnerable to Unauthenticated Data Modification and Deletion,… Continue Reading →

Multiple Vulnerabilities Patched in RegistrationMagic Plugin - Wordfence Blog

On February 24th, our Threat Intelligence team discovered several critical vulnerabilities in RegistrationMagic, a WordPress plugin installed on over 10,000 sites, including the vendor’s own site. These allowed an attacker with subscriber-level permissions to elevate their account’s privileges to those… Continue Reading →

Coupon Creation Vulnerability Patched In WooCommerce Smart Coupons - Wordfence Blog

Description: Unauthenticated Coupon Creation
Affected Plugin: WooCommerce Smart Coupons
Affected Plugin Slug: woocommerce-smart-coupons
Affected Versions: <= 4.6.0
CVSS Score: 5.3 (Medium)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Patched Version: 4.6.5

Late last month a patch was released for WooCommerce Smart Coupons, a commercial WooCommerce plugin that helps store managers handle… Continue Reading →

Site Takeover Campaign Exploits Multiple Zero-Day Vulnerabilities - Wordfence Blog

Early yesterday, the Flexible Checkout Fields for WooCommerce plugin received a critical update to patch a zero-day vulnerability which allowed attackers to modify the plugin’s settings. As our Threat Intelligence team researched the scope of this attack campaign, we discovered three additional… Continue Reading →

Multiple Vulnerabilities Patched in Pricing Table by Supsystic Plugin - Wordfence Blog

On January 17th, our Threat Intelligence Team discovered several vulnerabilities in Pricing Table by Supsystic, a WordPress plugin installed on over 40,000 sites. These flaws allowed an unauthenticated user to execute several AJAX actions due to an insecure permissions weakness…. Continue Reading →

Active Attack on Recently Patched Duplicator Plugin Vulnerability Affects Over 1 Million Sites - Wordfence Blog

Description: Unauthenticated Arbitrary File Download
Affected Plugin: Duplicator
Affected Versions: <= 1.3.26
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Patched Version: 1.3.28

A critical security update was recently issued for Duplicator, one of the most popular plugins in the WordPress ecosystem. Over a million WordPress… Continue Reading →

Zero-Day Vulnerability in ThemeREX Addons Plugin Exploited in the Wild - Wordfence Blog

Description: Remote Code Execution
Affected Plugin: ThemeREX Addons
Plugin Slug: trx_addons
Affected Versions: Versions greater than 1.6.50
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Patched Version: Currently No Patch.

Today, February 18th, our Threat Intelligence team was notified of a vulnerability present in ThemeREX Addons, a… Continue Reading →

Vulnerability in wpCentral Plugin Leads to Privilege Escalation - Wordfence Blog

Description: Improper Access Control to Privilege Escalation
Affected Plugin: wpCentral
Affected Versions: <= 1.5.0
CVE ID: CVE-2020-9043
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Patched Version: 1.5.1

On February 13th, our Threat Intelligence team discovered a vulnerability in wpCentral, a WordPress plugin installed on over 60,000… Continue Reading →

Critical Vulnerability In Profile Builder Plugin Allowed Site Takeover - Wordfence Blog

Description: Unauthenticated Administrator Registration
Affected Plugin: Profile Builder (Free, Pro, and Hobbyist versions affected)
Affected Versions: <= 3.1.0
CVSS Score: 10.0 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Patched Version: 3.1.1

Earlier this week, a critical vulnerability was patched in the Profile Builder plugin for WordPress. This vulnerability affected… Continue Reading →

Improper Access Controls in GDPR Cookie Consent Plugin - Wordfence Blog

Description: Improper Access Controls
Affected Plugin: GDPR Cookie Consent
Affected Versions: <= 1.8.2
CVSS Score: 9.0 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Patched Version: 1.8.3

The following post describes how improper access controls lead to a stored cross-site scripting vulnerability in the GDPR Cookie Consent plugin that emerged… Continue Reading →

© 2020 WP News Desk — Powered by WordPress and WP RSS Aggregator | Hosted by WP Engine
