Security

WordPress 5.6 Simone introduces a new risk to sites

Tips, Security
WordPress 5.6 Simone is the latest WordPress release. The release is named after the legendary performer Nina Simone, who is known for tunes like “Feeling Good”, “Young, Gifted and Black”, and “Four Women”. Fire up a playlist with her best work and read on to discover what we have in store for you.

What's new with WordPress 5.6 Simone?
Here is what is coming up with this great WordPress update.

REST API authentication with Application Passwords
This is by far the biggest and riskiest improvement. WordPress 5.6 will now allow external applications or third-party apps to seamlessly request permission to connect to your website and generate a password specific to that application. This update means that once the application is granted access, it can perform certain specific actions
Three critical vulnerabilities found in Ultimate Member plugin

Security, Plugins
Three critical privilege escalation vulnerabilities have been discovered in the Ultimate Member plugin that exposed over 100,000 websites to hacking risk. These loopholes made it possible for attackers to breach a site and escalate their privileges to those of an administrator, leading to a forced takeover of a WordPress site. Ultimate Member is a widely used WordPress plugin that enhances user registration and account control on WordPress websites. This plugin also enables site owners to create custom roles and manage the privileges of site members. As part of its functionality, the plugin automatically creates three forms: user registration, user login, and user profile management.

How the vulnerabilities in the Ultimate Member plugin risked your website
This flaw, which was detected by th...
Identical high severity vulnerabilities could allow malicious script uploads in Post Grid and Team Showcase Plugins

Security
The Wordfence Threat Intelligence team has discovered two almost identical high severity vulnerabilities in two WordPress plugins, namely Post Grid, a WordPress plugin with over 60,000 installations, and Team Showcase, a separate plugin by the same author with over 6,000 installations. Patches for both plugins have already been released, and Wordfence Premium users received a firewall rule protecting both plugins from both vulnerabilities on September 16, 2020. Sites still running the free version of Wordfence will receive this rule after 30 days, on October 16, 2020. It is very important to always keep your plugins and WordPress version updated to ensure that you are safe from known vulnerabilities. You will also be able to get patches as soon as they a...
Quiz and Survey Master Plugin 2 Critical Vulnerabilities Patched

Security, Plugins
The Wordfence Threat Intelligence team detected two vulnerabilities in Quiz and Survey Master (QSM), a WordPress plugin that is installed on over 30,000 sites. These flaws made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution, as well as delete arbitrary files such as a site’s wp-config.php file, which could effectively take a site offline and allow an attacker to take over the vulnerable site.

How Quiz and Survey Master is used in WordPress
Quiz and Survey Master is used in WordPress to add quizzes and surveys to sites. One of its features allows site owners to implement file uploads as a response type for a quiz or survey, which could be useful in a number of scenarios, such as a job application questionnaire with a PDF resume upl
Flaw on the Official Facebook Chat Plugin enabled Social Engineering Attacks

Security, Plugins
A flaw in The Official Facebook Chat Plugin made it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site running the vulnerable plugin and engage in chats with visitors of affected sites. This WordPress plugin is currently installed on over 80,000 sites.

What is the Facebook Chat plugin?
The Official Facebook Chat plugin for WordPress is a very simple plugin that adds a “Facebook Messenger” chat pop-up to any WordPress site and connects a site owner’s chosen Facebook page to receive messages and interact with site visitors. This vulnerability could be exploited and easily go undetected by a site owner, causing site visitors to interact with an attacker instead of the site owner. Exploit attempts targeting this vulnerabilit
Divi, Extra, and Divi Builder Plugin Critical Vulnerability Exposes over 700,000 Sites

Security, Plugins, Themes
The Wordfence Threat Intelligence team has discovered a vulnerability present in two themes by Elegant Themes, Divi and Extra, as well as in Divi Builder, a WordPress plugin. Combined, these products are installed on an estimated 700,000 sites. This flaw gave authenticated attackers with contributor-level or above capabilities the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server. All three products have now been patched. Elegant Themes is the creator of one of the most popular premium themes, Divi. One of the features of the Divi theme is that it comes with the Divi Page Builder, which makes site design and editing easy and customizable. In addition to the Divi theme, Elegant Themes offe
wpDiscuz Plugin Fixes Critical Arbitrary File Upload Vulnerability

Plugins, Security
wpDiscuz version 7 is a revolutionary perspective on the commenting world! This plugin is designed to change your website commenting experience and provides you with new user engagement features. On June 19th, the Wordfence Threat Intelligence team discovered a vulnerability in Comments – wpDiscuz, a WordPress plugin that is installed on over 80,000 sites. This flaw allowed unauthenticated attackers to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server. The vulnerability was introduced in the plugin’s latest major version update and is considered a critical security issue, since it could lead to remote code execution on a vulnerable site’s server. If you are running any version from 7.0.0 to 7.0.4 of this plu
All in One SEO Pack plugin Vulnerability Affects 2 Million Users

Plugins, Security
The Wordfence Threat Intelligence team has discovered a vulnerability in the All In One SEO Pack WordPress plugin, which is currently installed on over 2 million sites. All In One SEO Pack is a plugin that provides several search engine optimization (SEO) features to help rank a WordPress site’s content higher on search engines. As part of its functionality, it allows users that have the ability to create or edit posts to set an SEO title and SEO description directly from a post as it is being edited. This makes it easier for post creators to improve the SEO of posts as they are writing them. This feature is available to all users that can create posts, such as contributors, authors, and editors. Unfortunately, the SEO metadata for posts, including the SEO title and SEO descr
Critical Vulnerabilities in Adning Advertising Plugin Patched, over 8,000 customers affected

Security, Plugins
The Wordfence Threat Intelligence team was made aware of a possible vulnerability in the Adning Advertising plugin, a premium plugin with over 8,000 customers developed by the plugin’s author, Tunafish. They discovered two vulnerabilities, one of which was a critical vulnerability that allowed an unauthenticated attacker to upload arbitrary files, leading to remote code execution (RCE), which could allow complete site takeover.

How the vulnerabilities were engaged
Description: Unauthenticated Arbitrary File Upload leading to Remote Code Execution
Affected Plugin: Adning Advertising
Plugin Slug: angwp
Affected Versions: < 1.5.6
CVE ID: N/A
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 10.0 (Critical)
Patched Version: 1.5.6

One functionality of the Adning plugi
How SSL Certificate Expirations Affect your Website

Security
Secure Sockets Layer (SSL) is a standard security technology for establishing an encrypted link between a server and a client, typically a web server (website) and a browser, or a mail server and a mail client (e.g., Outlook). This encryption-based Internet security protocol was first developed by Netscape in 1995 to ensure privacy, authentication, and data integrity in Internet communications. SSL is now the deprecated predecessor of the modern TLS encryption used today. Usually, when you install an SSL certificate, you get the green lock icon in the browser, which acts as a badge of trust. Installing an SSL certificate on your website’s server allows you to host it over HTTPS and create secure, encrypted connections between your site and its visitors. This safeguards co