The Wordfence Threat Intelligence team has been monitoring an increase in attacks targeting a Cross-Site Scripting vulnerability in Beautiful Cookie Consent Banner, a WordPress plugin installed on over 40,000 sites. The vulnerability, which was fully patched in January in version 2.10.2, offers unauthenticated attackers the ability to add malicious JavaScript to a website, potentially allowing ...Read More
The time for attackers to respond to known vulnerabilities is shrinking. See an example of an attacker using sample code.
The Akamai Security Intelligence Group (SIG) has been analyzing attack attempt activity following the announcement of a critical vulnerability in a WordPress custom fields plug-in affecting more than 2 million sites.
Exploiting this vulnerability could lead to a reflected cross-site scripting (XSS) attack, in which malicious code is injected into a victim site and pushed to its visitors.
On May 4, 2023, the WP Engine team announced the security fix in version 6.1.6, including sample exploit code as a proof of concept (PoC).
Starting on May 6, less than 48 hours after the announcement, the SIG observed significant attack attempt activity, scanning for vulnerable sites using the sample code provided in the technical write-up.
This highlights that the response time for attackers is rapidly decreasing, increasing the need for vigorous and prompt patch management.
This blog post is about the Essential Addons for Elementor plugin vulnerability. If you’re a Essential Addons for Elementor user, please update the plugin to at least version 5.7.2. Patchstack Developer and Business plan users are protected from the vulnerability. You can also sign up for the Patchstack Community plan to be notified about vulnerabilities […]
Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Advanced Custom Fields PRO Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 6.1.6.
Paid Memberships Pro : CVE-2023-23488 - Unauthenticated SQL Injection
Easy Digital Downloads: CVE-2023-23489 - Unauthenticated SQL Injection
Survey Maker: CVE-2023-23490 - Authenticated SQL Injection
In October of this year, we received a report from ngocnb and khuyenn from GiaoHangTietKiem JSC covering a SQL injection vulnerability in WordPress. The bug could allow an attacker to expose data stored in a connected database. This vulnerability was recently addressed as CVE-2022-21661 ( ZDI-22-020
Late evening, on September 6, 2022, the Wordfence Threat Intelligence team was alerted to the presence of a vulnerability being actively exploited in BackupBuddy, a WordPress plugin we estimate has around 140,000 active installations. This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information. ...Read More