Below you'll find a list of all posts that have been tagged as “security”
After an accumulation of undisclosed and unpatched vulnerabilities in plugins hosted on WordPress.org, Patchstack has reported 404 plugins to WordPress’ Plugin Review Team. “This situation creates a significant risk for the WordPress community, and we decided to take action,” Patchstack researcher Darius Sveikauskas said. “Since these developers have been unreachable, we sent the full list of those 404 vulnerabilities to …
If you use the Ninja Forms plugin and your sites aren’t set to get automatic plugin updates, add a round of updates to your weekend plans. Patchstack is reporting multiple high severity security vulnerabilities in the plugin, including the following: a POST-based reflected XSS (7.6 CVSS 3.1 score) a broken access control on form submissions export feature that allows Subscriber …
All-In-One Security (AIOS), a plugin active on more than a million WordPress sites, was found to be logging plaintext passwords from login attempts in the database and has patched the security issue in version 5.2.0. In a post titled “Cleartext passwords written to aiowps_audit_log” published to the plugin’s support forum two weeks and five days ago, @c0ntr07 reported the issue: …
Snicco, a WordPress security services provider, has published an advisory on a vulnerability in the MalCare plugin, which is active on more than 300,000 sites. “MalCare uses broken cryptography to authenticate API requests from its remote servers to connected WordPress sites,” WordPress security researcher Calvin Alkan said. “Requests are authentication by comparing a shared secret stored as plaintext in the WordPress …
Really Simple SSL, a popular plugin used on more than five million sites for installing SSL certificates, handling website migrations, mixed content, redirects, and security headers, has added a new feature in its most recent major update. Version 7.0.0 introduces vulnerability detection as part of a partnership with WP Vulnerability, an open source, free API created by Javier Casares with …
WordPress 6.2.2 was released early this morning as a rapid follow-up to 6.2.1, which introduced a bug that broke shortcode support in block templates. Version 6.2.1 was also an important security release, but due to the catastrophic breakage for those using shortcodes in block templates, some users were implementing insecure workarounds or simply downgrading to 6.2 to keep critical functionality …
WordPress 6.2.1 was released today. Those with automatic background updates enabled should see a notice in their email, as updates rolled out earlier today. This is a maintenance and security release that includes important fixes for five security vulnerabilities outlined by core contributor and release co-lead Jb Audras: Block themes parsing shortcodes in user generated data A CSRF issue updating …
Essential Addons for Elementor, a plugin with more than a million active installs, has patched an unauthenticated privilege escalation vulnerability in version 5.7.2. The vulnerability was discovered on May 8, 2023, and reported by Patchstack researcher Rafie Muhammad. It was given a 9.8 (Critical severity) CVSS 3.1 score and is not yet known to have been exploited. Muhammad outlined the vulnerability …
Advanced Custom Fields (ACF) has patched a reflected XSS vulnerability that affects versions 6.1.5 and below of ACF and ACF Pro, potentially impacting more than 2+ million users. It was discovered by Patchstack researcher Rafie Muhammad in May 2, 2023, and patched by ACF developers in version 6.1.6 on May 5, 2023. Patchstack published a security bulletin and Muhammad described the …
WooCommerce Payments, a plugin that allows WooCommerce store owners to accept credit and debit card payments and manage transactions inside the WordPress dashboard, has patched an Authentication Bypass and Privilege Escalation vulnerability with a 9.8 (Critical) CVSS score. The plugin is active on more than 500,000 websites. Beau Lebens, WooCommerce’s Head of Engineering, published an advisory about the vulnerability today, …
