Vulnerability in Google WordPress Plugin Grants Attacker Search Console Access

On April 21st, our Threat Intelligence team discovered a vulnerability in Site Kit by Google, a WordPress plugin installed on over 300,000 sites. This flaw allows any authenticated user, regardless of capability, to become a Google Search Console owner for any site running the Site Kit by Google plugin. We filed a security issue report with Google on April 21, 2020. A patch was released a few weeks later on May 7, 2020. This is considered a critical security issue that could lead to attackers obtaining owner access to your site in Google Search Console. Owner access allows an attacker […]

One Attacker Outpaces All Others

Starting April 28th, we saw a 30 times increase in cross site scripting attack volume, originating from a single attacker, and targeting over a million WordPress sites. We published research detailing the threat actor and attack volume increase on May 5th. By the time we published, the attack volume had dropped back down to baseline levels. As of May 11, 2020, attacks by this same threat actor have once again ramped up, and are ongoing. This attacker has now attacked over 1.3 million sites in the past month. As of May 12, 2020, attacks by this threat actor have outpaced […]

Vulnerabilities Patched in Page Builder by SiteOrigin Affects Over 1 Million Sites

On Monday, May 4, 2020, the Wordfence Threat Intelligence team discovered two vulnerabilities present in Page Builder by SiteOrigin, a WordPress plugin actively installed on over 1,000,000 sites. Both of these flaws allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser. The attacker needs to trick a site administrator into executing an action, like clicking a link or an attachment, for the attack to succeed. We first contacted the plugin developer on May 4, 2020. After establishing an appropriate communication channel, we provided the full disclosure later that day. The […]

Nearly a Million WP Sites Targeted in Large-Scale Attacks

Our Threat Intelligence Team has been tracking a sudden uptick in attacks targeting Cross-Site Scripting(XSS) vulnerabilities that began on April 28, 2020 and increased over the next few days to approximately 30 times the normal volume we see in our attack data. The majority of these attacks appear to be caused by a single threat actor, based on the payload they are attempting to inject – a malicious JavaScript that redirects visitors and takes advantage of an administrator’s session to insert a backdoor into the theme’s header. After further investigation, we found that this threat actor was also attacking other […]

Episode 75: The WordPress 5.4.1 Security Release & More Plugin Vulnerabilities

The Wordfence Threat Intelligence team unpacked the security updates in WordPress 5.4.1, and they published quite a few blog posts about vulnerabilities in popular plugins like Ninja Forms, LearnPress, and the Real-Time Find and Replace plugin. These plugin vulnerabilities affected over one million WordPress sites. As a few of these were Cross Site Request Forgery vulnerabilities, so we take a look at how these attacks work and how to avoid becoming a victim to a malicious CSRF request. We also look at more scams targeting COVID-19 fears and stimulus funds, and Google’s upcoming crackdown on Chrome extensions set to happen […]

Unpacking The 7 Vulnerabilities Fixed in Today’s WordPress 5.4.1 Security Update

WordPress Core version 5.4.1 has just been released. Since this release is marked as a combined security and bug fix update, we recommend updating as soon as possible. With that said, most of the security fixes themselves are for vulnerabilities that appear to require specific circumstances to exploit. All in all this release contains 7 security fixes, 5 of which are XSS (Cross-Site Scripting) vulnerabilities. Both the free and Premium versions of Wordence have robust built-in XSS protection which will protect against potential exploitation of these vulnerabilities.   A Breakdown of each security issue Password reset tokens failed to be […]

High-Severity Vulnerabilities Patched in LearnPress

On March 16, 2020, LearnPress – WordPress LMS Plugin, a WordPress plugin with over 80,000 installations, patched a high-severity vulnerability that allowed subscriber-level users to elevate their permissions to those of an “LP Instructor”, a custom role with capabilities similar to the WordPress “author” role, including the ability to upload files and create posts containing unfiltered HTML, both of which could be used as part of an exploit chain allowing site takeover. Our Threat Intelligence team analyzed the vulnerability in order to create a firewall rule to protect Wordfence customers. In the process, we discovered two additional vulnerabilities. One of […]

High Severity Vulnerability Patched in Real-Time Find and Replace Plugin

On April 22, 2020, our Threat Intelligence team discovered a vulnerability in Real-Time Find and Replace, a WordPress plugin installed on over 100,000 sites. This flaw could allow any user to inject malicious Javascript anywhere on a site if they could trick a site’s administrator into performing an action, like clicking on a link in a comment or email. We reached out to the plugin developer on April 22, 2020, and they released a patch just a few hours after we disclosed the vulnerability to them. This is considered a high-severity security issue, therefore we strongly recommend an immediate update […]

Episode 74: Staying Safe When Hackers Use Sophisticated Attacks

Stories this week about targeted attacks using 0days in iPhone and iPad devices and a sophisticated phone scam targeting a security professional that ended with a $9,800 wire transfer underscore what we all know: malicious attacks are becoming increasingly sophisticated. We give you some ideas how to stay safe. We also cover a recent plugin vulnerability in the MapPress Maps plugin affecting over 80,000 WordPress sites, Google’s report that they’re seeing more than 18 million daily malware and phishing emails. We also cover the recent funding that Frontity received, and look at what this might mean for faster WordPress sites. […]

Critical Vulnerabilities Patched in MapPress Maps Plugin

On April 1, 2020, the Wordfence Threat Intelligence Team discovered two vulnerabilities in MapPress Maps for WordPress, a WordPress plugin with over 80,000 installations. One vulnerability that allowed stored Cross-Site Scripting (XSS) was present in both the free and pro versions of the plugin, while a far more critical vulnerability that allowed Remote Code Execution (RCE) was present in the pro version. We reached out to the plugin’s author the next day, April 2, 2020 and received a response within a few hours. A patched version of both MapPress Free and MapPress Pro were released within hours. We strongly recommend […]