Wordfence has published two vulnerabilities that affect users of the Redux Framework plugin, which has more recently come to be know as the “Gutenberg Template Library & Redux Framework” on WordPress.org. Extendify purchased the plugin from its creator, Dōvy Paukstys, in November 2020, in a deal that was not highly publicized. It is currently active on more than 1 million …
Wordfence and WPScan Publish Mid-Year WordPress Security Report
WPScan is on track to post a record-breaking year for WordPress plugin vulnerabilities submitted to its database, according to a collaborative mid-year security report the company published with Wordfence. In the first half of 2021, WPScan has recorded 602 new vulnerabilities, quickly surpassing the 514 reported during all of 2020. The report is based on attack data from Wordfence’s platform …
Jetpack 9.8 Introduces WordPress Stories Block Alongside Forced Security Update
Jetpack 9.8 was released this week, introducing WordPress Stories as the headline feature. The Story block, which allows users to create interactive stories, was previously only available on mobile. It can now be used in the web editor. Stories went into public beta on the Android app in January 2021, and were officially released on the mobile apps in March. Version …
Patchstack Whitepaper: 582 WordPress Security Issues Found in 2020, Over 96% From Third-Party Extensions
Patchstack, which recently rebranded from WebARX, released its 2020 security whitepaper. The report identified a total of 582 security vulnerabilities. However, only 22 of the issues came from WordPress itself. Third-party plugins and themes accounted for the remaining 96.22%. “These are all security issues disclosed by the Patchstack internal research team, Patchstack Red Team community, by third-party security vendors, and …
Elementor Patches XSS Vulnerabilities Affecting 7 Million WordPress Sites
Elementor users who haven’t updated recently will want to get on the latest version 3.1.4 as soon as possible. Researchers at Wordfence disclosed a set of stored Cross-Site Scripting (XSS) vulnerabilities in the plugin to its authors in February, which was partially patched at that time and additional fixes were released the second week of March. Wordfence summarized the vulnerabilities in …
Attackers Continue to Exploit Vulnerabilities in The Plus Addons for Elementor Plugin
Last week, security researchers at Seravo and WP Charged reported a critical zero-day vulnerability in The Plus Addons for Elementor on March 8, 2021. WPScan categorized it as an authentication bypass vulnerability: The plugin is being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the …
Contact Form 7 Version 5.3.2 Patches Critical Vulnerability, Immediate Update Recommended
Contact Form 7 has patched a critical file upload vulnerability in version 5.3.2, released today by plugin author Takayuki Miyoshi. The plugin is installed on more than five million WordPress sites. “An unrestricted file upload vulnerability has been found in Contact Form 7 5.3.1 and older versions,” Miyoshi said. “Utilizing this vulnerability, a form submitter can bypass Contact Form 7’s …
Easy WP SMTP 1.4.3 Patches Sensitive Data Disclosure Vulnerability
Easy WP SMTP has patched a vulnerability that allows attackers to capture the password reset link from the plugin’s debug log file and gain unauthorized access to the site. The plugin is used by more than 500,000 WordPress sites to configure and send all outgoing emails via a SMTP server so they are less likely to end up in recipients’ …
All in One SEO Pack Plugin Patches XSS Vulnerability
All in One SEO Pack patched an XSS vulnerability this week that was discovered by the security researchers at Wordfence on July 10. The popular plugin has more than 2 million active installs, according to WordPress.org. Wordfence researchers categorized it as “a medium severity security issue” that could result in “a complete site takeover and other severe consequences:” This flaw …
Google Patches Critical Vulnerability in Site Kit Plugin
In late April Wordfence discovered a critical vulnerability in Google’s Site Kit plugin for WordPress that would make it possible for any user on the site to gain full access to the Google Search Console without verifying ownership. Google patched the vulnerability and released the fix in version 1.8.0 on May 7, 2020. Wordfence published a timeline of the vulnerability, …