Password Policies Manager Plugin Update 1.2 – Support For Custom Login Pages
Today we announce Password Policy Manager for WordPress update 1.2, the plugin that enables administrators to enforce strong WordPress passwords. The highlight of this update is a new hook that allows theme developers to include the password policies in custom pages. In this update we have also included a few minor improvements and enhancements.

Support for custom WordPress login & user profile pages

When users change or reset their passwords, the plugin shows them the requirements their passwords have to meet. Users cannot change their password if it does not meet the requirements. This works out of the box when […]

Introducing the Wordfence Login Security Plugin
Today we are excited to announce the release of a brand new plugin: Wordfence Login Security. It is completely standalone, so you don’t need to install the full version of Wordfence to take advantage of the specific security features included in it. Wordfence Login Security is designed by our team to secure your login and authentication system. It’s worth noting that this plugin does not include the firewall, malware scanner and other features that the full Wordfence plugin comes with. If you already have an alternative firewall solution in place and are covered for malware scanning, then […]

Service Vulnerability: Four Popular Hosting Companies Fix NFS Permissions and Information Disclosure Problems
Last year, we published two disclosures of service vulnerabilities on hosting platforms. The first one included a trio of brands: Hostway, Momentous, and Paragon Group. The second was for MelbourneIT. In all cases, we were happy to report that the affected companies took our disclosures seriously and moved quickly to fix the problems. Today we’re announcing a similar disclosure for several brands owned by Endurance International Group, including iPage, FatCow, PowWeb, and NetFirms. A pair of vulnerabilities on these platforms allowed attackers to tamper with customers’ databases directly, without actually accessing their websites. Following our Vulnerability Disclosure Policy, we privately […]

Hustle <= 6.0.7 – Unauthenticated CSV Injection

Paid Memberships Pro <= 2.0.5 – Authenticated Open Redirect

WordPress Vulnerability Roundup – End of May 2019
New WordPress plugin vulnerabilities have been disclosed this month. We divide the WordPress Vulnerability Roundup into four different categories:

1. WordPress core
2. WordPress Plugins
3. WordPress Themes
4. Breaches From Around the Web*

*We include breaches from around the web because it is essential to also be aware of vulnerabilities outside of the WordPress ecosystem. Exploits to server software can expose sensitive data. Database breaches can expose the credentials for the users on your site, opening the door for attackers to access your site.

WordPress Vulnerabilities

There haven’t been any disclosed WordPress vulnerabilities in 2019.

WordPress Plugin Vulnerabilities

1. […]

Episode 18: Scaling a WordPress Agency with Entrepreneur Verious Smith
At WordCamp Orange County, Mark interviewed Verious Smith from Philoveracity Design, a digital agency in southern California. Verious has also been the lead organizer of WordCamp Riverside and runs WordPress meetups to give back to the community. Mark and Verious talk about the challenges of entrepreneurship, growing from freelancer to an agency, and trust and interdependence in remote work. Verious is always striving to learn new things to optimize performance and improve workflow. We hope you enjoy the interview and get as much inspiration from Verious as we did. Find us on your favorite app or platform including iTunes, Google […]

Podcast Episode 17: 3 Severe WordPress Plugin Vulnerabilities
Mikey Veenstra joins us to talk about three WordPress plugins with severe vulnerabilities affecting well over 150,000 WordPress installations. Two plugins have been patched, one has not. With Mark under deadline for a film project, Mikey also talks some security news with Kathy. We cover a Docker vulnerability, anatomy of a SIM port attack, zero-day Windows exploits released by a disgruntled security researcher, two large scale data leaks affecting millions of people, and revisit the Baltimore ransomware problem and how the NSA’s Eternal Blue tool was used in the attack. Here are approximate timestamps in case you want to jump […]

Critical Vulnerability Patched in Popular Convert Plus Plugin
Description: Unauthenticated Administrator Creation
CVSS v3.0 Score: 10.0 (Critical)
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Plugin: Convert Plus
Plugin Slug: convertplug
Affected Versions: <= 3.4.2
Patched Version: 3.4.3

On Friday May 24th, our Threat Intelligence team identified a vulnerability present in Convert Plus, a commercial WordPress plugin with an estimated 100,000 active installs. This flaw allowed unauthenticated attackers to register new accounts with arbitrary user roles, up to and including Administrator accounts. We disclosed this issue privately to the plugin’s development team, who released a patch just a few days later. Convert Plus (formerly convertplug) versions up to 3.4.2 are vulnerable to attacks against this flaw. All […]

Event Management Tickets Booking By Event Monster <= 1.0.5 – Stored XSS