Tag: security

  • #35 – Akshat Choudhary on the State of WordPress Security

    On the podcast today we have Akshat Choudhary. Akshat is the Founder and CEO of BlogVault, MalCare, WP Remote and Airlift. These WordPress plugins allow their customers to build, manage and maintain their WordPress websites. He’s based in Bangalore, India and we begin the podcast talking about the state of the WordPress community there. We…

  • WordPress.org Forces Security Update for Critical Ninja Forms Vulnerability

    Late last week, Ninja Forms users received a forced security update from WordPress.org for a critical PHP Object Injection vulnerability. This particular vulnerability can be exploited remotely without any authentication. It was publicly disclosed last week and patched in the latest version, 3.6.11. Patches were also backported to versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, and…

  • #20 – Oliver Sild on the State of WordPress Security

    On the podcast today we have Oliver Sild from Patchstack. Patchstack is a product which is designed to help you identify plugin vulnerabilities in your WordPress sites. We talk about how, over the past couple of years, Patchstack has released an annual report concerning the state of WordPress security. What are the broad security trends…

  • Patchstack Whitepaper: WordPress Ecosystem Records 150% Increase in Security Vulnerabilities in 2021

Patchstack has published its State of WordPress Security whitepaper with a summary of threats to the WordPress ecosystem recorded in 2021. The whitepaper aggregates data from multiple sources, including the Patchstack Vulnerability Database, the Patchstack Alliance (the company’s bug bounty platform), and publicly reported CVEs from other sources. In 2021, Patchstack recorded nearly 1,500 vulnerabilities,…

  • UpdraftPlus 1.22.3 Patches Severe Vulnerability Through Forced Security Update from WordPress.org

UpdraftPlus, a plugin that allows users to back up to various cloud providers, has patched a severe security vulnerability that would allow logged-in users to download a site’s latest backups. The patched version (1.22.3) was sent out via a forced auto-update, a measure reserved for severe vulnerabilities that affect a large number of users. UpdraftPlus is active…

  • Essential Addons for Elementor Patches Critical Security Vulnerability

    Essential Addons for Elementor, a popular plugin with more than a million active installs, has patched a critical vulnerability that would allow for a local file inclusion attack. The vulnerability was discovered by security researcher Wai Yan Myo Thet and reported to Patchstack on January 25, 2022. Patchstack customers received a virtual patch the same…

  • All In One SEO Plugin Patches Severe Vulnerabilities

    The All In One SEO plugin has patched a set of severe vulnerabilities that were discovered by the Jetpack Scan team two weeks ago. Version 4.1.5.3, released December 8, includes fixes for a SQL Injection vulnerability and a Privilege Escalation bug. Marc Montpas, the researcher who discovered the vulnerabilities, explained how they could be exploited:…

  • GoDaddy Data Breach Exposes 1.2 Million Active and Inactive Managed WordPress Hosting Accounts

    In a disclosure to the U.S. Securities and Exchange Commission (SEC) that was published today, GoDaddy announced a data security breach impacting its WordPress managed hosting customers. The company discovered unauthorized third-party access to its hosting environment on November 17, 2021, through an exploited vulnerability. GoDaddy’s initial investigations show the attacker gained access using a…

  • Patchstack Releases Free Security Plugin, Its Red Team Found 1,182 Vulnerabilities Since March

    In September, Patchstack released its six-month report on the vulnerabilities found with WordPress and its extensions. At the time, it listed over 1,000 issues — the company has shared the updated numbers with WP Tavern. It soon followed that up with a free vulnerability-reporting plugin. Under the banner of WebARX, the company launched the first…

  • OptinMonster 2.6.5 Patches Multiple Security Vulnerabilities

    In late September, Chloe Chamberland, a researcher at Wordfence, discovered multiple security vulnerabilities in the OptinMonster plugin, which could allow unauthenticated attackers to export sensitive information and inject malicious JavaScript into vulnerable sites. The OptinMonster team promptly patched the plugin and updated the plugin again after more feedback from the Wordfence team. Version 2.6.5 was…

  • WP Fastest Cache Patches Authenticated SQL Injection and Stored XSS Via CSRF Vulnerabilities

    The Jetpack Scan team has published a summary of two issues recently discovered in the WP Fastest Cache plugin – an Authenticated SQL Injection vulnerability and a Stored XSS Via CSRF vulnerability. “If exploited, the SQL Injection bug could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords),” Automattic…

  • WooCommerce 5.7.0 Patches Security Issue that Could Potentially Leak Analytics Reports

    WooCommerce shipped version 5.7.0 through a forced update for some users earlier this week. The minor release was not billed as a security update but the following day WooCommerce published a post explaining that the plugin was vulnerable to having analytics reports leaked on some hosting configurations: On September 21, 2021, our team released a…

  • Extendify Patches Vulnerabilities in the Redux Framework Plugin

Wordfence has published two vulnerabilities that affect users of the Redux Framework plugin, which has more recently come to be known as the “Gutenberg Template Library & Redux Framework” on WordPress.org. Extendify purchased the plugin from its creator, Dōvy Paukstys, in November 2020, in a deal that was not highly publicized. It is currently active…

  • Wordfence and WPScan Publish Mid-Year WordPress Security Report

    WPScan is on track to post a record-breaking year for WordPress plugin vulnerabilities submitted to its database, according to a collaborative mid-year security report the company published with Wordfence. In the first half of 2021, WPScan has recorded 602 new vulnerabilities, quickly surpassing the 514 reported during all of 2020. The report is based on…

  • WooCommerce Patches Critical Vulnerability, Sending Forced Security Update from WordPress.org

WooCommerce has patched an unspecified, critical vulnerability identified on July 13, 2021, by a security researcher through Automattic’s HackerOne security program. The vulnerability impacts versions 3.3 to 5.5 of the WooCommerce plugin, as well as versions 2.5 to 5.5 of the WooCommerce Blocks feature plugin. “Upon learning about the issue, our team immediately conducted a…