Patchstack, a WordPress security maintenance and management tool, has published its “State of WordPress Security” whitepaper for 2022, tracking a few key metrics on publicly reported vulnerabilities. The findings highlight the risk of using unmaintained themes and plugins along with developers’ need to keep pace with updates to libraries and dependencies included in their work. Patchstack is tracking a significant …
WordPress Versions 3.7-4.0 No Longer Get Security Updates
In September, WordPress’ Security Team announced it would be dropping support for versions 3.7 through 4.0 by December 1, 2022. Yesterday the final releases for these versions (3.7.41, 3.8.41, 3.9.40, and 4.0.38) were made available to the very small percentage of users who are running ancient versions of WordPress. As part of the final releases, the upgrade notification now informs …
iThemes Patches Vulnerability in BackupBuddy, Wordfence Tracks 5 Million Exploit Attempts
BackupBuddy, a commercial plugin from iThemes that performs scheduled backups with remote storage options, has patched a vulnerability that allowed for arbitrary file download by unauthenticated users. iThemes published an advisory for its users, indicating that the vulnerability affects versions 8.5.8.0 through 8.7.4.1 and is being actively exploited. Wordfence reviewed its data and found that attackers began targeting this vulnerability …
WordPress.org Forces Security Update for Critical Ninja Forms Vulnerability
Late last week, Ninja Forms users received a forced security update from WordPress.org for a critical PHP Object Injection vulnerability. This particular vulnerability can be exploited remotely without any authentication. It was publicly disclosed last week and patched in the latest version, 3.6.11. Patches were also backported to versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, and 3.5.8.4. Wordfence noticed a back-ported …
Patchstack Whitepaper: WordPress Ecosystem Records 150% Increase in Security Vulnerabilities in 2021
Patchstack has published its State of WordPress Security whitepaper with a summary of threats to the WordPress ecosystem recorded in 2021. The whitepaper aggregates data from multiple sources, including the Patchstack Vulnerability Database, the Patchstack Alliance (the company’s bug bounty platform), and publicly reported CVEs from other sources. In 2021, Patchstack recorded nearly 1,500 vulnerabilities, a 150% increase as compared …
UpdraftPlus 1.22.3 Patches Severe Vulnerability Through Forced Security Update from WordPress.org
UpdraftPlus, a plugin that allows users to back up to various cloud providers, has patched a severe security vulnerability that would allow logged-in users to download a site’s latest backups. The patched version (1.22.3) was sent out via a forced auto-update, a measure reserved for severe vulnerabilities that affect a large number of users. UpdraftPlus is active on more than 3 million …
Essential Addons for Elementor Patches Critical Security Vulnerability
Essential Addons for Elementor, a popular plugin with more than a million active installs, has patched a critical vulnerability that would allow for a local file inclusion attack. The vulnerability was discovered by security researcher Wai Yan Myo Thet and reported to Patchstack on January 25, 2022. Patchstack customers received a virtual patch the same day. The issue was already …
All In One SEO Plugin Patches Severe Vulnerabilities
The All In One SEO plugin has patched a set of severe vulnerabilities that were discovered by the Jetpack Scan team two weeks ago. Version 4.1.5.3, released December 8, includes fixes for a SQL Injection vulnerability and a Privilege Escalation bug. Marc Montpas, the researcher who discovered the vulnerabilities, explained how they could be exploited: If exploited, the SQL Injection …
GoDaddy Data Breach Exposes 1.2 Million Active and Inactive Managed WordPress Hosting Accounts
In a disclosure to the U.S. Securities and Exchange Commission (SEC) that was published today, GoDaddy announced a data security breach impacting its WordPress managed hosting customers. The company discovered unauthorized third-party access to its hosting environment on November 17, 2021, through an exploited vulnerability. GoDaddy’s initial investigations show the attacker gained access using a compromised password beginning on September …
WP Fastest Cache Patches Authenticated SQL Injection and Stored XSS Via CSRF Vulnerabilities
The Jetpack Scan team has published a summary of two issues recently discovered in the WP Fastest Cache plugin – an Authenticated SQL Injection vulnerability and a Stored XSS Via CSRF vulnerability. “If exploited, the SQL Injection bug could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords),” Automattic security research engineer Marc Montpas …