PHP_SELFish Part 2 – Reflected XSS in Easy Social Icons

https://www.wordfence.com/blog/2021/09/php_selfish-part-2-reflected-xss-in-easy-social-icons/

Today’s post is part two of a two-part blog post. It describes a cross-site scripting vulnerability in the Easy Social Icons plugin that exploits the PHP_SELF variable. In yesterday’s post, we described another plugin, underConstruction, suffering from a similar vulnerability related to the use of PHP_SELF. On August 16, 2021, the Wordfence Threat Intelligence team attempted to initiate disclosure for a reflected Cross-Site Scripting vulnerability in Easy Social Icons, a WordPress plugin with over 40,000 installations. After 2 weeks without a response, we forwarded the issue to the WordPress plugins team on August 30, 2021. An initial patch, […]

PHP_SELFish Part 1 – Reflected XSS in underConstruction Plugin

https://www.wordfence.com/blog/2021/09/reflected-xss-in-underconstruction-plugin/

Today’s post is part one of a two-part blog post. It describes a cross-site scripting vulnerability that exploits the PHP_SELF variable. Tomorrow we will publish part two, which describes another plugin suffering from a similar vulnerability related to the use of PHP_SELF. So be sure to look out for that post via our mailing list, which you can join on this page, in case you’re not already a member. On August 16, 2021, the Wordfence Threat Intelligence team attempted to initiate disclosure for a reflected Cross-Site Scripting vulnerability in underConstruction, a WordPress plugin with over 80,000 installations. After […]

Recently Patched Vulnerabilities in Ninja Forms Plugin Affect Over 1 Million Site Owners

https://www.wordfence.com/blog/2021/09/recently-patched-vulnerabilities-in-ninja-forms-plugin-affects-over-1-million-site-owners/

On August 3, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for two vulnerabilities that were discovered in Ninja Forms, a WordPress plugin installed on over 1,000,000 sites. These flaws made it possible for an attacker to export sensitive information and send arbitrary emails from a vulnerable site, which could be used to phish unsuspecting users. Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on August 2, 2021. Sites still using the free version of Wordfence received the same protection on September 1, 2021. We sent the full disclosure details […]

Terms of Use Violation

https://www.wordfence.com/blog/2021/09/terms-of-use-violation/

Wordfence is used by millions of free and paid customers around the world to secure their WordPress websites. We serve a broad range of customers across the globe, from diverse cultures, with diverse backgrounds, and who have diverse political views. As an organization, Defiant, the company that makes Wordfence, believes that everyone has the right to be secure and to feel secure. Our Terms of Use specifically include language that prevents the use of our product to harass another person or entity. The language reads as follows: “You agree not to use the Service in any way that would interfere with […]

Over 1 Million Sites Affected by Gutenberg Template Library & Redux Framework Vulnerabilities

https://www.wordfence.com/blog/2021/09/over-1-million-sites-affected-by-redux-framework-vulnerabilities/

On August 3, 2021, the Wordfence Threat Intelligence team initiated the disclosure process for two vulnerabilities we discovered in the Gutenberg Template Library & Redux Framework plugin, which is installed on over 1 million WordPress sites. One vulnerability allowed users with lower permissions, such as contributors, to install and activate arbitrary plugins and delete any post or page via the REST API. A second vulnerability allowed unauthenticated attackers to access potentially sensitive information about a site’s configuration. The plugin’s publisher, Redux.io, replied almost immediately to our initial contact and we provided full disclosure the same day, on August 3, 2021. […]

Nested Pages Patches Post Deletion Vulnerability

https://www.wordfence.com/blog/2021/08/nested-pages-patches-post-deletion-vulnerability/

On August 13, 2021, the Wordfence Threat Intelligence team responsibly disclosed two vulnerabilities in Nested Pages, a WordPress plugin installed on over 80,000 sites that provides drag-and-drop functionality to manage your page structure and post ordering. These vulnerabilities included a Cross-Site Request Forgery vulnerability that allowed posts and pages to be deleted, unpublished or assigned to a different author in bulk, as well as a separate open redirect vulnerability. The plugin author responded to our disclosure immediately and released a patched version of the plugin, version 3.1.16, a few hours later. Due to the nature of Cross-Site Request […]

Critical Authentication Bypass Vulnerability Patched in Booster for WooCommerce

https://www.wordfence.com/blog/2021/08/critical-authentication-bypass-vulnerability-patched-in-booster-for-woocommerce/

On July 30, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in Booster for WooCommerce, a WordPress plugin installed on over 80,000 sites. This flaw made it possible for an attacker to log in as any user, as long as certain options were enabled in the plugin. Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on July 30, 2021. Sites still using the free version of Wordfence will receive the same protection on August 29, 2021. We initially reached out to the plugin vendor […]

XSS Vulnerability Patched in SEOPress Affects 100,000 sites

https://www.wordfence.com/blog/2021/08/xss-vulnerability-patched-in-seopress-affects-100000-sites/

On July 29, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in SEOPress, a WordPress plugin installed on over 100,000 sites. This flaw made it possible for an attacker to inject arbitrary web scripts on a vulnerable site, which would execute any time a user accessed the “All Posts” page. Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on July 29, 2021. Sites still using the free version of Wordfence will receive the same protection on August 28, 2021. We initially reached out to the […]

WordPress Malware Camouflaged As Code

https://www.wordfence.com/blog/2021/08/wordpress-malware-camouflaged-as-code/

In today’s post we discuss emerging techniques that attackers are using to hide the presence of malware. In the example we discuss below, the attacker’s goal is to make everything look routine to an analyst so that they do not dig deeper and discover the presence of malware and what it is doing. We describe how this technique works, and we touch on the psychological underpinnings of the technique the attacker is using. Wordfence detects the malware that is described in this post, even though it may be missed by a human security analyst doing a manual inspection. We have […]

2021 Mid-Year WordPress Security Report: A Collaboration Between Wordfence and WPScan

https://www.wordfence.com/blog/2021/08/2021-mid-year-wordpress-security-report-a-collaboration-between-wordfence-and-wpscan/

Wordfence has collaborated with WPScan to conduct a 2021 mid-year review on the state of WordPress security. Using attack data from Wordfence’s internal threat intelligence platform, and vulnerability data from WPScan’s vulnerability database, we were able to analyze the current trend of attacks on WordPress and assess the current state of WordPress-based software security. In the first half of 2021, we saw continuous growth in attacks targeting WordPress plugin and theme vulnerabilities alongside an increase in password-based attacks. This indicates that attackers have been ramping up their efforts in targeting WordPress sites this year. Further, WPScan recorded more new vulnerabilities […]