Wordfence and WPScan Publish Mid-Year WordPress Security Report

WPScan is on track to post a record-breaking year for WordPress plugin vulnerabilities submitted to its database, according to a collaborative mid-year security report the company published with Wordfence. In the first half of 2021, WPScan has recorded 602 new vulnerabilities, quickly surpassing the 514 reported during all of 2020. The report is based on attack data from Wordfence’s platform …

Jetpack 9.8 Introduces WordPress Stories Block Alongside Forced Security Update

Jetpack 9.8 was released this week, introducing WordPress Stories as the headline feature. The Story block, which allows users to create interactive stories, was previously only available on mobile. It can now be used in the web editor. Stories went into public beta on the Android app in January 2021, and were officially released on the mobile apps in March. Version …

Patchstack Whitepaper: 582 WordPress Security Issues Found in 2020, Over 96% From Third-Party Extensions

Patchstack, which recently rebranded from WebARX, released its 2020 security whitepaper. The report identified a total of 582 security vulnerabilities. However, only 22 of the issues came from WordPress itself. Third-party plugins and themes accounted for the remaining 96.22%. “These are all security issues disclosed by the Patchstack internal research team, Patchstack Red Team community, by third-party security vendors, and …

Elementor Patches XSS Vulnerabilities Affecting 7 Million WordPress Sites

Elementor users who haven’t updated recently will want to get on the latest version 3.1.4 as soon as possible. Researchers at Wordfence disclosed a set of stored Cross-Site Scripting (XSS) vulnerabilities in the plugin to its authors in February; these were partially patched at that time, and additional fixes were released the second week of March. Wordfence summarized the vulnerabilities in …

Attackers Continue to Exploit Vulnerabilities in The Plus Addons for Elementor Plugin

Last week, security researchers at Seravo and WP Charged reported a critical zero-day vulnerability in The Plus Addons for Elementor on March 8, 2021. WPScan categorized it as an authentication bypass vulnerability: The plugin is being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the …

Contact Form 7 Version 5.3.2 Patches Critical Vulnerability, Immediate Update Recommended

Contact Form 7 has patched a critical file upload vulnerability in version 5.3.2, released today by plugin author Takayuki Miyoshi. The plugin is installed on more than five million WordPress sites. “An unrestricted file upload vulnerability has been found in Contact Form 7 5.3.1 and older versions,” Miyoshi said. “Utilizing this vulnerability, a form submitter can bypass Contact Form 7’s …

All in One SEO Pack Plugin Patches XSS Vulnerability

All in One SEO Pack patched an XSS vulnerability this week that was discovered by the security researchers at Wordfence on July 10. The popular plugin has more than 2 million active installs, according to WordPress.org. Wordfence researchers categorized it as “a medium severity security issue” that could result in “a complete site takeover and other severe consequences:” This flaw …