Happening Now: Over 2 Percent of Sites Using a Let’s Encrypt TLS Certificate May Throw Security Warnings

On Wednesday, March 4, 2020, 3 million Transport Layer Security (TLS) certificates issued by Let’s Encrypt will be revoked because of a Certificate Authority Authorization (CAA) bug. This is 2.6% of the over 116 million active certificates issued by Let’s Encrypt. Let’s Encrypt has contacted all certificate holders affected by this bug, and has published a tool and a list of serial numbers so you can determine whether your TLS certificate is affected. Let’s Encrypt has not set an exact time for revocation of the certificates; however, they say that the earliest timeframe will be UTC 00:00. Some certificate […]

COVID-19 and WordPress Community Engagement in 2020

This is an update regarding Wordfence’s community engagement in 2020 along with a recommendation for WordCamps globally and for the global WordPress community. As always, I’m taking a data-driven approach to this post. I present an update from the WHO regarding the containment of COVID-19 in China and what has worked. I then discuss what Wordfence is doing and my recommendations for the global WordPress community for 2020. The World Health Organization recently released a report regarding COVID-19 in China. They sent an international team to investigate. The Joint Mission was implemented over a 9-day period from 16-24 February 2020. […]

Episode 68: More Plugin Vulnerabilities and Active Attack Campaigns

This week, we review numerous plugin vulnerabilities in popular WordPress plugins and the attacks that are targeting them. We also review the Duplicator vulnerability affecting over 1 million sites, and Chloe Chamberland’s discovery of multiple vulnerabilities in the Pricing Table by Supsystic plugin. Some WordPress-focused companies, Elementor and Strattic, receive venture funding. We also ask lead customer support engineer Tim Cantrell about the different ways to use Wordfence settings for brute force protection, blocking IP addresses, and how to prevent alert fatigue. Here are timestamps and links in case you’d like to jump around, and a transcript is below. 1:10 […]

Episode 67: Avoiding Common Vulnerabilities When Developing WordPress Plugins

Almost every week, a new vulnerability is discovered in a popular WordPress plugin or theme, leaving developers scrambling to fix it before it’s widely exploited. Surprisingly, almost all critical vulnerabilities boil down to a few common mistakes. In this talk from WordCamp Phoenix, Ramuel Gall reviews these common errors and provides advice on creating secure plugins. Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast. Click here to download an MP3 version of this podcast. Subscribe to our RSS feed. You can find Ram on Twitter as @ramuelgall. Please feel free to […]

Site Takeover Campaign Exploits Multiple Zero-Day Vulnerabilities

Early yesterday, the Flexible Checkout Fields for WooCommerce plugin received a critical update to patch a zero-day vulnerability which allowed attackers to modify the plugin’s settings. As our Threat Intelligence team researched the scope of this attack campaign, we discovered three additional zero-day vulnerabilities in popular WordPress plugins that are being exploited as a part of this campaign. The targeted plugins were Async JavaScript, Modern Events Calendar Lite, and 10Web Map Builder for Google Maps. At this time, we have reached out to each plugin’s development team in hopes of getting these issues resolved quickly. This attack campaign exploits XSS vulnerabilities in the above […]

Multiple Vulnerabilities Patched in Pricing Table by Supsystic Plugin

On January 17th, our Threat Intelligence Team discovered several vulnerabilities in Pricing Table by Supsystic, a WordPress plugin installed on over 40,000 sites. These flaws allowed an unauthenticated user to execute several AJAX actions due to an insecure permissions weakness. Attackers were also able to inject malicious JavaScript due to a Cross-Site Scripting (XSS) vulnerability, access pricing table data, and forge requests on behalf of a site administrator because of a Cross-Site Request Forgery (CSRF) vulnerability. These vulnerabilities could allow attackers to run malicious JavaScript in a visitor’s browser that could redirect site visitors to malicious websites, or […]

Multiple Attack Campaigns Targeting Recent Plugin Vulnerabilities

As part of our ongoing research efforts, the Wordfence Threat Intelligence team continually monitors our network for noteworthy threats facing WordPress. Recently, we’ve been tracking malicious activity targeting several vulnerabilities recently patched in popular plugins. In today’s post, we’ll provide details of our research into two active campaigns. We’ll also share some common indicators of compromise (IOCs) that can help you assess whether your site was impacted by these attacks. Wordfence malware scans will identify these IOCs and their variants on systems with the plugin installed, but we include them to help administrators and researchers better approach this data at […]

Episode 66: New Plugin Vulnerabilities & Succeeding as a Digital Nomad with Chloe at WCPHX

It has been a busy week in WordPress security with active attacks on a number of plugins including ThemeRex Addons and Theme Grill Demo Importer plugins. In this week’s Think Like a Hacker, we look at what’s happening, review what a zero-day vulnerability is, and give you some advice on keeping WordPress installations clean and safe. We also look at a vulnerability uncovered in the wpCentral plugin installed on over 60,000 sites, a WHO phishing attack, and Malwarebytes’ State of Malware report. At WordCamp Phoenix, Wordfence Threat Analyst Chloe Chamberland spoke to a packed room of attendees looking to learn […]

Active Attack on Recently Patched Duplicator Plugin Vulnerability Affects Over 1 Million Sites

Description: Unauthenticated Arbitrary File Download
Affected Plugin: Duplicator
Affected Versions: <= 1.3.26
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Patched Version: 1.3.28

A critical security update was recently issued for Duplicator, one of the most popular plugins in the WordPress ecosystem. Over a million WordPress sites were affected by a vulnerability allowing attackers to download arbitrary files from victim sites. We urge all Duplicator users to update to version 1.3.28 as soon as possible. We are detecting active exploitation of this vulnerability in the wild, and estimate more than half a million sites are still running a vulnerable version. Built-in firewall protection prevents these attacks […]

Zero-Day Vulnerability in ThemeREX Addons Plugin Exploited in the Wild

Description: Remote Code Execution
Affected Plugin: ThemeREX Addons
Affected Versions: Versions greater than 1.6.50
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Patched Version: Currently No Patch

Today, February 18th, our Threat Intelligence team was notified of a vulnerability present in ThemeREX Addons, a WordPress plugin installed on an estimated 44,000 sites. This flaw allows attackers to remotely execute code on a site with the plugin installed, including the ability to execute code that can inject administrative user accounts. At the time of writing, this vulnerability is being actively exploited, therefore we urge users to temporarily remove the ThemeREX Addons plugin if you are running a […]