Security_Guy

XSS Vulnerability Patched in Plugin Designed to Enhance WooCommerce

December 1, 2021 by Chloe Chamberland

Chloe Chamberland

Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List. On November 11, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Variation Swatches for WooCommerce”, a WordPress plugin that…

Continue Reading

WooCommerce Extension – Reflected XSS Vulnerability

November 17, 2021 by Chloe Chamberland

Chloe Chamberland

Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List. On November 1, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Preview E-mails for WooCommerce”, a WordPress plugin that…

Continue Reading

Fixing Recent Validation Vulnerabilities in OctoRPKI

November 12, 2021 by David Haynes

David Haynes

A number of vulnerabilities in Resource Public Key Infrastructure (RPKI) validation software were disclosed in a recent NCSC advisory, discovered by researchers from the University of Twente. These attacks abuse a set of assumptions that are common across multiple RPKI implementations, and some of these issues were discovered within OctoRPKI.…

Continue Reading

Over 1 Million Sites Impacted by Vulnerability in Starter Templates Plugin

November 11, 2021 by Ram Gall

Ram Gall

On October 4, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for the Starter Templates plugin, which is installed on over 1 Million WordPress websites. The full name of the WordPress plugin is “Starter Templates — Elementor, Gutenberg & Beaver Builder Templates”, but we are referring to…

Continue Reading

Vulnerability in WP DSGVO Tools (GDPR) Plugin Allows Unauthenticated Page Deletion

November 2, 2021 by Ram Gall

Ram Gall

Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List. On September 27, 2021, the Wordfence Threat Intelligence team initiated the disclosure process for a vulnerability we found in WP DSGVO Tools (GDPR), a WordPress plugin with over…

Continue Reading

Hiding Vulnerabilities in Source Code

November 1, 2021November 1, 2021 by Bruce Schneier

Bruce Schneier

Really interesting research demonstrating how to hide vulnerabilities in source code by manipulating how Unicode text is displayed. It’s really clever, and not the sort of attack one would normally think about. From Ross Anderson’s blog: We have discovered ways of manipulating the encoding of source code files so that…

Continue Reading

XSS Vulnerability in NextScripts: Social Networks Auto-Poster Plugin Impacts 100,000 Sites

October 28, 2021 by Ram Gall

Ram Gall

Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List. On August 19, 2021, the Wordfence Threat Intelligence team began the disclosure process for a reflected Cross-Site Scripting(XSS) vulnerability we found in NextScripts: Social Networks Auto-Poster, a WordPress…

Continue Reading

1,000,000 Sites Affected by OptinMonster Vulnerabilities

October 27, 2021 by Chloe Chamberland

Chloe Chamberland

Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List. On September 28, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities we discovered in OptinMonster, a WordPress plugin installed on over 1,000,000…

Continue Reading

Site Deletion Vulnerability in Hashthemes Plugin

October 26, 2021 by Ram Gall

Ram Gall

Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List. On August 25, 2021, the Wordfence Threat Intelligence team initiated the disclosure process for a vulnerability in Hashthemes Demo Importer, a WordPress plugin with over 7,000 installations. This…

Continue Reading

Vulnerability Patched in Sassy Social Share Plugin

October 20, 2021 by Chloe Chamberland

Chloe Chamberland

Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List. In 2010, Steffan Esser gave a presentation in Las Vegas that rocked the PHP world. He had discovered a new kind of vulnerability that today we call a…

Continue Reading

The Missouri Governor Doesn’t Understand Responsible Disclosure

October 18, 2021October 15, 2021 by Bruce Schneier

Bruce Schneier

The Missouri governor wants to prosecute the reporter who discovered a security vulnerability in a state’s website, and then reported it to the state. The newspaper agreed to hold off publishing any story while the department fixed the problem and protected the private information of teachers around the state. […]…

Continue Reading

Multiple Vulnerabilities in Brizy Page Builder Plugin Allow Site Takeover

October 13, 2021 by Ram Gall

Ram Gall

Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List. On August 19, 2021, the Wordfence Threat Intelligence team initiated the Responsible Disclosure process for Brizy – Page Builder, a WordPress plugin installed on over 90,000 sites. During…

Continue Reading

Helping Apache Servers stay safe from zero-day path traversal attacks (CVE-2021-41773)

October 8, 2021 by Michael Tremante

Michael Tremante

On September 29, 2021, the Apache Security team was alerted to a path traversal vulnerability being actively exploited (zero-day) against Apache HTTP Server version 2.4.49. The vulnerability, in some instances, can allow an attacker to fully compromise the web server via remote code execution (RCE) or at the very least…

Continue Reading

High Severity Vulnerability Patched in Access Demo Importer Plugin

October 6, 2021 by Chloe Chamberland

Chloe Chamberland

Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List. On August 9, 2021, the Wordfence Threat Intelligence team attempted to initiate the responsible disclosure process for a vulnerability that we discovered in Access Demo Importer, a WordPress…

Continue Reading

PHP_SELFish Part 2 – Reflected XSS in Easy Social Icons

September 29, 2021 by Ram Gall

Ram Gall

Today’s post is part two of a two part blog post. It describes a cross site scripting vulnerability in the Easy Social Icons plugin that exploits the PHP_SELF variable. In yesterday’s post, we described another plugin, underConstruction, suffering from a similar vulnerability related to the use of PHP_SELF. On August…

Continue Reading