On May 30, 2022, Security Researcher Rafie Muhammad reported a reflected Cross-Site Scripting (XSS) vulnerability to us that they discovered in Download Manager, a WordPress plugin installed on over 100,000[…]
WordPress security veterans Rob Cairns and Robert Rowley have a great conversation on building sites for WooCommerce while keeping them secure.
Check out this breaking news where thousands of WordPress sites were hacked and redirected to scam sites. Find out how it happened and what can be done.
Our remediation and research teams regularly find malicious redirects on client sites. These infections automatically redirect site visitors to third-party websites with malicious resources, scam pages, or commercial websites with[…]
On April 18, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for an Object Injection vulnerability in the Booking Calendar plugin for WordPress, which has over 60,000[…]
Elementor has patched a critical Remote Code Execution vulnerability that was discovered by threat analyst Ramuel Gall from Wordfence on March 29, 2022. Wordfence disclosed the vulnerability to Ele…
On March 10, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “SiteGround Security”, a WordPress plugin that is installed on over[…]
Advanced Custom Fields (ACF) recently patched a missing authorization vulnerability in version 5.12.1 that potentially affects more than a million users. The security issue was discovered by Keitar…
Update – after this article was published, Denis Shagimuratov of CleanTalk reached out to us on Twitter. It appears that they didn’t receive our disclosure because our contact at the[…]
A Patchstack security advocate digs into the data behind the statistics in their latest report, and explains how the organization helps plugin developers secure their software.
Attackers are regularly exploiting vulnerable plugins to compromise WordPress websites and redirect visitors to spam and scam websites. This has been an ongoing campaign for multiple years. Payload domains are regularly[…]
Today, March 15, 2022, The Wordfence Incident Response team alerted our Threat Intelligence team to an increase in infected websites hosted on GoDaddy’s Managed WordPress service, which includes MediaTemple, tsoHost,[…]
Sloppy statistics and sketchy incentives are damaging WordPress’s security reputation, even though the core software keeps getting better.
Last night, just after 6pm Pacific time, on Thursday March 10, 2022, the WordPress core team released WordPress version 5.9.2, which contains security patches for a high-severity vulnerability as well[…]