Swift Insights
Vulnerability in UpdraftPlus Allowed Subscribers to Download Sensitive Backups
Update: a previous version of this article indicated that an attacker would need to begin their attack when a backup was in progress, and would need to guess the appropriate timestamp to download a backup. Since the article was originally published, we have found that...
Reflected Cross-Site Scripting Vulnerability Patched in WordPress Profile Builder Plugin
On January 4, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Profile Builder – User Profile & User Registration Forms”, a WordPress plugin that is installed on over 50,000 WordPress...
Unauthenticated SQL Injection Vulnerability Patched in WordPress Statistics Plugin
On February 7, 2022, Security Researcher Cyku Hong from DEVCORE reported a vulnerability to us that they discovered in WP Statistics, a WordPress plugin installed on over 600,000 sites. This vulnerability made it possible for unauthenticated attackers to execute...
Critical Vulnerabilities in PHP Everywhere Allow Remote Code Execution
On January 4, 2022, the Wordfence Threat Intelligence team began the responsible disclosure process for several Remote Code Execution vulnerabilities in PHP Everywhere, a WordPress plugin installed on over 30,000 websites. One of these vulnerabilities allowed any...
Announcing Wordfence Care and Wordfence Response
Today I’m incredibly excited to announce that we are launching two new products: Wordfence Care and Wordfence Response. Let’s start with a fun animation that explains our new product suite! In the post below, I’ll describe in detail the two incredible new products we...
Unauthenticated XSS Vulnerability Patched in HTML Email Template Designer Plugin
On December 23, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “WordPress Email Template Designer – WP HTML Mail”, a WordPress plugin that is installed on over 20,000 sites. This flaw made...
84,000 WordPress Sites Affected by Three Plugins With The Same Vulnerability
On November 5, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Login/Signup Popup”, a WordPress plugin that is installed on over 20,000 sites. A few days later we discovered the same...
The Best Anti Form Spam Plugin We’ve Come Across
CleanTalk is the best anti form spam plugin we've come across. In the last year or two we've come across a service/plugin called CleanTalk, and have found it to be one of the best at blocking form spam. I don't know how they do it, but their plugin blocks out an...
WordPress 5.8.3 Security Release
On January 6, 2022, the WordPress core team released WordPress version 5.8.3, which contains security patches for 4 high-severity vulnerabilities. These patches were backported to every version of WordPress since 3.7. WordPress has supported automatic core updates for...
1.6 Million WordPress Sites Hit With 13.7 Million Attacks In 36 Hours From 16,000 IPs
Today, on December 9, 2021, our Threat Intelligence team noticed a drastic uptick in attacks targeting vulnerabilities that make it possible for attackers to update arbitrary options on vulnerable sites. This led us into an investigation which uncovered an active...