WordPress 5.4 Beta 3

WordPress 5.4 Beta 3 is now available! This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site to play with the new version. You can test the WordPress 5.4 beta in two ways: try the WordPress Beta Tester plugin (choose the “bleeding edge nightlies” or “Beta/RC – Bleeding edge” option in version 2.2.0 or later of the plugin; you must already have updated your site to “bleeding edge nightlies” for the “Beta/RC – Bleeding edge” option to be available), or download the beta here (zip). WordPress 5.4 is slated […]

Pricing Table by Supsystic < 1.8.1 – Cross-Site Request Forgery to XSS and Setting Changes

Pricing Table by Supsystic < 1.8.2 – Unauthenticated Stored XSS

Pricing Table by Supsystic < 1.8.2 – Insecure Permissions on AJAX Actions

Multiple Vulnerabilities Patched in Pricing Table by Supsystic Plugin

On January 17th, our Threat Intelligence Team discovered several vulnerabilities in Pricing Table by Supsystic, a WordPress plugin installed on over 40,000 sites. These flaws allowed an unauthenticated user to execute several AJAX actions due to an insecure permissions weakness. Attackers were also able to inject malicious JavaScript due to a Cross-Site Scripting (XSS) vulnerability, access pricing table data, and forge requests on behalf of a site administrator because of a Cross-Site Request Forgery (CSRF) vulnerability. These vulnerabilities could allow attackers to run malicious JavaScript in a visitor’s browser that could redirect site visitors to malicious websites, or […]

Envira Photo Gallery < 1.7.7 – Authenticated Stored Cross-Site Scripting (XSS) Issue

Photo Gallery < 1.5.46 – Multiple Cross-Site Scripting (XSS) Issues

Why does my WordPress site keep getting hacked?

The bitter reality: The reason why I decided to write this article is that many times our clients have found themselves in total despair and frustration when their WordPress site keeps getting hacked. Hacks such as the Japanese Keyword Hack or the Malware Redirect hack can break a WordPress site once. However, if you are not careful with your WordPress site, these hacks might reappear. Truth be told, the psychological and financial burden of a WordPress site that keeps getting hacked is massive and it can take a great toll on the user, the brand, the service. And those users […]

Multiple Attack Campaigns Targeting Recent Plugin Vulnerabilities

As part of our ongoing research efforts, the Wordfence Threat Intelligence team continually monitors our network for noteworthy threats facing WordPress. Recently, we’ve been tracking malicious activity targeting several vulnerabilities recently patched in popular plugins. In today’s post, we’ll provide details of our research into two active campaigns. We’ll also share some common indicators of compromise (IOCs) that can help you assess whether your site was impacted by these attacks. Wordfence malware scans will identify these IOCs and their variants on systems with the plugin installed, but we include them to help administrators and researchers better approach this data at […]

Ultimate Membership Pro < 8.7 – Cross-Site Request Forgery allowing Arbitrary Account Deletion and Creation