Critical Privilege Escalation Vulnerabilities Affect 100K Sites Using Ultimate Member Plugin

On October 23, 2020, our Wordfence colleagues responsibly disclosed several vulnerabilities in Ultimate Member, a WordPress plugin installed on over 100,000 sites. These flaws made it possible for attackers to escalate their privileges to those of an administrator and take over a WordPress site. We initially reached out to the plugin’s developer on October 23,…

Hosting Provider Exposed 63 Million Customer Records

A hosting provider exposed over 63 million customer records via an open Elasticsearch database containing verbose logs with plain-text username/password credentials for numerous WordPress, Magento and other sites. We also talk about the security updates in WordPress 5.5.2/5.5.3 and the accidental 5.5.3-alpha autoupdate. We talk about object injection vulnerabilities like the one discovered in…

Object Injection Vulnerability in Welcart e-Commerce Plugin

On October 6, 2020, our Wordfence colleagues discovered a High-Severity Object Injection vulnerability in Welcart e-Commerce, a WordPress plugin with over 20,000 installations that claims top market share in Japan. After we finished our investigation, we contacted the plugin’s publisher, Collne Inc. on October 9, 2020. Full disclosure was sent on October 12, 2020, and…

Unpacking the WordPress 5.5.2/5.5.3 Security Release

On Thursday, October 29, the WordPress core team released WordPress version 5.5.2. This was a minor release containing bug fixes and security enhancements to the core WordPress content management system powering over one-third of the internet. There was a subsequent 5.5.3 release one day later; you can read about the emergency WP 5.5.3 release here….

Nitro Documents on the Dark Web and Botnets Targeting Older Vulnerabilities

We cover a couple of breaking stories this week, including the emergency release of WordPress 5.5.3 on Friday, October 30. In preparation for this, a number of sites autoupdated to version 5.5.3-alpha. We also look at the defacement of the Trump Campaign website, and how two-factor authentication could have prevented this. We also look…

Emergency WP 5.5.3 Release

Posted in WordPress Security on October 30, 2020 by Matt Barry

The WordPress core team has released an emergency release of WordPress 5.5.3, just one day after the release of version 5.5.2. This emergency release was done to remedy an issue introduced in WordPress 5.5.2 making it impossible to install WordPress…

WordPress Security Updates: October 2020

This article covers our public notifications related to major security issues our clients and the WordPress community should know about. We are always focused on prevention and the mitigation of risk to our clients, and keeping you updated here is part of that process. List of Vulnerable Plugins During This Month Plugins Removed From the…
