Wrap Up the Year with the Biggest Scope and Rewards Yet: Join the Wordfence Bug Bounty Program End of Year Holiday Extravaganza!
The holidays are here, and so is your chance to earn big while helping secure the WordPress ecosystem! For all submissions to our Bug Bounty Program from November 12, 2024, to December 9, 2024, we’re rolling out our End of Year Holiday Extravaganza promotion to give back to our security...
WordPress Plugin Jetpack Patches Major Vulnerability Affecting 27 Million Sites
The maintainers of the Jetpack WordPress plugin have released a security update to remediate a critical vulnerability that could allow logged-in users to access forms submitted by others on a site. Jetpack, owned by WordPress maker Automattic, is an all-in-one plugin that offers a comprehensive...
5,000 WordPress Sites Affected by Unauthenticated Remote Code Execution Vulnerability in JS Help Desk WordPress Plugin
📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $10,400 for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the...
An Inside Look at The Malware and Techniques Used in the WordPress.org Supply Chain Attack
On Monday, June 24th, 2024, the Wordfence Threat Intelligence team was made aware of the presence of malware in the Social Warfare plugin in the WordPress.org repository (see the post "Supply Chain Attack on WordPress.org Plugins Leads to 5 Maliciously Compromised WordPress Plugins"). After adding the malicious code to our...
WordPress Plugin Background Image Cropper v1.2 - Remote Code Execution
Exploit Title: WordPress Plugin Background Image Cropper v1.2 - Remote Code Execution Date: 2024-04-16 Author: Milad Karimi Ex3ptionaL Contact: [email protected] Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL Vendor Homepage: https://wordpress.org Software Link:...
Cross-site request forgery (CSRF)
The Car Dealer Dealership and Vehicle sales WordPress Plugin WordPress plugin before 3.05 does not have proper authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and install and activate arbitrary plugins from wordpress.org...
CVE-2022-3883
CVE-2022-3883 describes a vulnerability in the WordPress StopBadBots/Block Bad Bots plugin prior to v7.24 where an AJAX action lacks proper authorization and CSRF checks. This allows any authenticated user (e.g., a subscriber) to trigger the action and install/activate arbitrary plugins from word...
CVE-2022-3883 StopBadBots < 7.24 - Subscriber+ Arbitrary Plugin Installation
The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin before 7.24 does not have proper authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and install and activate arbitrary plugins from wordpress....
PT-2022-24578 · WordPress · Wp Tools Increase Maximum Limits
Name of the Vulnerable Software and Affected Versions: WP Tools Increase Maximum Limits, Repair, Server PHP Info, Javascript errors, File Permissions, Transients, Error Log WordPress plugin versions prior to 3.43 Description: The issue is related to improper authorization and CSRF in an AJAX...
Advanced Import < 1.3.8 - Arbitrary Plugin Installation & Activation via CSRF
The plugin does not have a CSRF check when installing and activating plugins, which could allow attackers to make a logged-in admin install arbitrary plugins from WordPress.org, and activate arbitrary ones from the blog, via CSRF attacks. PoC: make a logged-in admin open a page containing the HTML cod...
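The entries above (Car Dealer, StopBadBots, WP Tools Increase Maximum Limits, Advanced Import) all describe the same defect class: an admin-ajax handler that installs and activates plugins without a nonce check and without a capability check. The following is an added illustrative example, not the code of any plugin listed here; the hook names, function names, nonce action and `slug` POST field are hypothetical. It shows the vulnerable shape next to the hardened one, using only WordPress core APIs.

```php
<?php
// Added illustrative example; not the code of any plugin listed above.
// Hook names, function names, the nonce action 'hypo_install' and the 'slug'
// POST field are hypothetical.

// --- VULNERABLE PATTERN ----------------------------------------------------
// wp_ajax_{action} fires for every logged-in user regardless of role. With no
// nonce and no capability check, a subscriber can POST to
// /wp-admin/admin-ajax.php?action=hypo_install_plugin_vuln directly, and a
// cross-site page can make an administrator's browser do the same (CSRF).
add_action( 'wp_ajax_hypo_install_plugin_vuln', 'hypo_install_plugin_vuln' );
function hypo_install_plugin_vuln() {
    $slug   = sanitize_key( wp_unslash( $_POST['slug'] ?? '' ) );
    $result = hypo_install_and_activate( $slug );
    is_wp_error( $result ) ? wp_send_json_error( $result->get_error_message() ) : wp_send_json_success();
}

// --- HARDENED PATTERN ------------------------------------------------------
add_action( 'wp_ajax_hypo_install_plugin', 'hypo_install_plugin_fixed' );
function hypo_install_plugin_fixed() {
    // CSRF: the request must carry a nonce minted for this user on a page the
    // plugin rendered, e.g. wp_create_nonce( 'hypo_install' ) handed to the
    // browser via wp_localize_script(). check_ajax_referer() dies with HTTP 403
    // when the 'nonce' field is missing or invalid. A cross-origin attacker
    // page cannot read that value, so the forged request fails here.
    check_ajax_referer( 'hypo_install', 'nonce' );

    // Authorisation: "is logged in" is not a permission. Require the
    // capabilities the action actually exercises (administrator-only by default).
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $slug = sanitize_key( wp_unslash( $_POST['slug'] ?? '' ) );
    if ( '' === $slug ) {
        wp_send_json_error( 'missing slug', 400 );
    }
    $result = hypo_install_and_activate( $slug );
    is_wp_error( $result ) ? wp_send_json_error( $result->get_error_message() ) : wp_send_json_success();
}

// --- Shared helper: what the AJAX action ultimately does --------------------
// Fetches the package from wordpress.org with core's Plugin_Upgrader and
// activates it. This is the privileged operation the checks above must guard.
function hypo_install_and_activate( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $api = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }

    $upgrader  = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $installed = $upgrader->install( $api->download_link );
    if ( is_wp_error( $installed ) || ! $installed ) {
        return new WP_Error( 'install_failed', 'plugin install failed' );
    }

    // plugin_info() returns the "dir/file.php" basename of the package just installed.
    $activated = activate_plugin( $upgrader->plugin_info() );
    return is_wp_error( $activated ) ? $activated : true;
}
```

Two things to check when reviewing a handler like this. First, the nonce check on its own does not fix the subscriber case (a subscriber can obtain a nonce from any page the plugin renders to them), and the capability check on its own does not fix the CSRF case (the admin's browser supplies the admin's cookies); both are needed. Second, make sure the action is never also registered under `wp_ajax_nopriv_`, which would expose it to unauthenticated callers.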
WordPress Zephyr Project Manager 3.2.42 Plugin - Multiple SQL Injection Vulnerabilities
Exploit Title: WordPress Plugin Zephyr Project Manager 3.2.42 - Multiple SQLi Exploit Author: Rizacan Tufan Blog Post: https://rizax.blog/blog/wordpress-plugin-zephyr-project-manager-multiple-sqli-authenticated Software Link: https://wordpress.org/plugins/zephyr-project-manager/ Vendor Homepage:...
WordPress Photoswipe Masonry Gallery 1.2.14 Cross Site Scripting
On November 11, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Photoswipe Masonry Gallery”, a WordPress plugin that is installed on over 10,000 sites. This flaw makes it possible for an authenticated attacker to injec...
CVE-2021-24867
Numerous Plugins and Themes from the AccessPress Themes aka Access Keys vendor are backdoored due to their website being compromised. Only plugins and themes downloaded via the vendor website are affected, and those hosted on wordpress.org are not. However, all of them were updated or removed to...
WordPress 404 to 301 2.0.2 Plugin - SQL Injection (Authenticated) Exploit
Exploit Title: WordPress Plugin 404 to 301 2.0.2 - SQL Injection (Authenticated) Exploit Author: Ron Jost Hacker5preme Vendor Homepage: https://de.wordpress.org/plugins/404-to-301/ Software Link: https://downloads.wordpress.org/plugin/404-to-301.2.0.2.zip Version: = 2.0.2 Tested on: Ubuntu 20.04 CV...
GHSA-RWGM-F83R-V3QJ Improper Certificate Validation in WP-CLI framework
Impact: Improper error handling in HTTPS request management in WP-CLI version 0.12.0 and later allows remote attackers who are able to intercept the communication to remotely disable certificate verification on the WP-CLI side, gaining full control over the communication content, including the ability...
WordPress HyperComments plugin <= 1.2.2 - Unauthenticated Arbitrary File Deletion vulnerability
Unauthenticated Arbitrary File Deletion vulnerability found by Lenon Leite in WordPress HyperComments plugin versions <= 1.2.2. Solution 2020-12-09 - we were unable to find a patched version of this plugin. There's only a note from wordpress.org available: "This plugin has been closed as of November...
WordPress Sell Photo plugin <= 1.0.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability found by Melbin K Mathew in WordPress Sell Photo plugin versions <= 1.0.5. Solution 2021-01-06 - we were unable to find a patched version of this plugin. Notification from WordPress.org - "This plugin has been closed as of August 17, 2020...