Wordpress

Pierluigi Paganini January 17, 2021
Critical flaws in Orbit Fox WordPress plugin allows site takeover

Two vulnerabilities in the Orbit Fox WordPress plugin, a privilege-escalation issue and a stored XSS bug, can allow site takeover. Security experts from Wordfence have discovered two security vulnerabilities in the Orbit Fox WordPress plugin. The flaws are a privilege-escalation vulnerability and a stored XSS bug that impacts over 40,000 installs. The Orbit Fox plugin […]

Pierluigi Paganini December 17, 2020
5 million WordPress sites potentially impacted by a Contact Form 7 flaw

The development team behind the Contact Form 7 WordPress plugin discloses an unrestricted file upload vulnerability. Jinson Varghese Behanan from Astra Security discovered an unrestricted file upload vulnerability in the popular Contact Form 7 WordPress vulnerability. The WordPress plugin allows users to add multiple contact forms on their site.  “By exploiting this vulnerability, attackers could simply upload files of […]

Pierluigi Paganini November 18, 2020
Large-scale campaign targets vulnerable Epsilon Framework WordPress themes

Hackers are scanning the Internet for WordPress websites with Epsilon Framework themes installed to launch Function Injection attacks. Experts at the Wordfence Threat Intelligence team uncovered a large-scale wave of attacks targeting reported Function Injection vulnerabilities in themes using the Epsilon Framework. Below a list of themes and related versions that are vulnerable to the above […]

Pierluigi Paganini November 10, 2020
Flaws in WordPress Ultimate Member plugin expose 25K sites to hack

Multiple critical vulnerabilities affecting the Ultimate Member plugin could be easily exploited to potentially takeover up to 25K websites. Multiple critical vulnerabilities in the Ultimate Member plugin could be easily exploited to take over websites, the issue potentially impact up to 100K installs. The Ultimate Member WordPress plugin allows admins to easily manage membership to […]

Pierluigi Paganini October 07, 2020
Using a WordPress flaw to leverage Zerologon vulnerability and attack companies’ Domain Controllers

Using a WordPress flaw (File-Manager plugin–CVE-2020-25213) to leverage Zerologon (CVE-2020-1472) and attack companies’ Domain Controllers. Recently, a critical vulnerability called Zerologon – CVE-2020-1472 – has become a trending subject around the globe. This vulnerability would allow a malicious agent with a foothold on your internal network to essentially become Domain Admin with just one click. This scenario […]

Pierluigi Paganini September 21, 2020
Discount Rules for WooCommerce WordPress plugin gets patch once again

It has happened again, users of the Discount Rules for WooCommerce WordPress plugin have to install a third patch to fix 2 high-severity XSS flaws. Developers of the Discount Rules for WooCommerce WordPress plugin have revealed for the third time a security patch to address two high-severity cross-site scripting (XSS) flaws that could be exploited […]

Pierluigi Paganini September 11, 2020
Threat actors target WordPress sites using vulnerable File Manager install

Experts reported threat actors are increasingly targeting a recently addressed vulnerability in the WordPress plugin File Manager. Researchers from WordPress security company Defiant observed a surge in the number of attacks targeting a recently addressed vulnerability in the WordPress plugin File Manager. In early September, experts reported that hackers were actively exploiting a critical remote […]

Pierluigi Paganini September 02, 2020
Hackers are actively exploiting critical RCE in WordPress sites using File Manager plugin

Hackers actively exploiting a critical remote code execution vulnerability in the File Manager plugin, over 300,000 WordPress sites potentially exposed. Hackers are actively exploiting a critical remote code execution vulnerability in the File Manager WordPress plugin that could be exploited by unauthenticated attackers to upload scripts and execute arbitrary code on WordPress sites running vulnerable versions of the plugin. […]

Pierluigi Paganini August 22, 2020
Thousands of WordPress WooCommerce stores potentially exposed to hack

Hackers are attempting to exploit multiple vulnerabilities in the Discount Rules for WooCommerce WordPress plugin, which has 30,000+ installations. Researchers from security firm WebArx reported that Hackers are actively attempting to exploit numerous flaws in the Discount Rules for WooCommerce WordPress plugin. The list of vulnerabilities includes SQL injection, authorization flaws, and unauthenticated stored cross-site scripting (XSS) security vulnerabilities. Discount […]

Pierluigi Paganini August 02, 2020
A critical flaw in wpDiscuz WordPress plugin lets hackers take over hosting account

A critical flaw in the wpDiscuz WordPress plugin could be exploited by remote attackers to execute arbitrary code and take over the hosting account. Security experts from Wordfence discovered a critical vulnerability impacting the wpDiscuz WordPress plugin that is installed on over 80,000 sites. The vulnerability could be exploited by attackers to execute arbitrary code […]