Description"The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection via PHP Deserialization on attacker-controlled data with the attachmentUrl POST variable. This allows creation of an arbitrary WordPress Administrator account,...
Websites are exposed to a lot of threats. Malware injections, plugin vulnerabilities, distributed denial of dervice (DDoS) attacks and brute force attacks, and many other scary possibilities exist. Without a Web Application Firewall (WAF) or other security measures,...
Whenever you implement a security measure, you should also have some sort of fallback. You do not want to be compromised by the failure of a single component. This is known as defense in depth.When you manage a WordPress website, one of the most important aspects of...
Description: Unauthenticated Administrator RegistrationAffected Plugin: Profile Builder (Free, Pro, and Hobbyist versions affected)Affected Versions:CVSS Score: 10.0 (Critical)CVSS Vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HPatched Version: 3.1.1Earlier this...
Today we are really excited because we have two announcements! We are releasing WP Security Audit Log 4.0.1, and the new activity logs add-on for WPForms. Find out more about activity logs for WPForms, and what else is new in today’s updates in this post....
WordPress Security and Maintenance Releases: 5.2.4, 5.3.1, and 5.3.2Pagely customers were spared issues from bugs introduced in the 5.3.0 release as, due to the proximity to the holidays, we didn’t upgrade our customers to 5.3 until early January. All Pagely customers...
I have some great security headers on this blog, but they are added using a single checkbox on the Sucuri WAF (web application firewall) this site uses. This is what they look like: x-xss-protection: 1; mode=block x-frame-options: SAMEORIGIN x-content-type-options:...
The iThemes Security Pro plugin already helps you lock down your WordPress website down to the user-level with the User Security Check and User Logging features. Today, we are excited to roll out the New User Groups feature gives you the power to enforce the right...
DescriptionImproper Access Controls issue in the cli_policy_generator AJAX call which could allow an authenticated user with low privileges (such as a subscriber) to: - Change the status of any post/page from published to draft, removing them from the frontend of the...
The following post describes how improper access controls lead to a stored cross-site scripting vulnerability in the GDPR Cookie Consent plugin that emerged after it was removed from the repository. The Wordfence team released a firewall rule to our Premium customers...
WordPress 5.4 Beta 1 is now available for testing! This software is still in development, so we don’t recommend running it on a production site. Consider setting up a test site to play with the new version. You can test the WordPress 5.4 beta in two ways:...
Proof of Concept Form the original advisory (see references): POST /wp-admin/admin.php?page=participants-database HTTP/1.1 Host: *redacted....cause* User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept:...
DescriptionThe plugin is affected by a broken authentication vulnerability, allowing unauthenticated users to register or edit their account and gain the Administrator role using the plugin's forms. The vulnerability only exists in the Plugin's own generated...
We take a look at the annual hacked site report from GoDaddy’s Sucuri Security and the types of malware they found in various CMS and shopping cart applications. Microsoft reports they’re finding 77k webshells daily, and WP Scan’s roundup lists a number of popular...
iThemes Security Pro lockouts are a way to harden your website against external attacks, including WordPress brute force attacks. In this guide, we’ll cover iThemes Security Pro lockouts and how to use them. Keep reading for tips to avoid the dreaded lockout screen...
Is your WordPress website acting funny? Did it suddenly slow down? Or maybe you’ve noticed unfamiliar pop-ups appearing on your pages?It’s likely that your website has been hacked!Slow websites and unfamiliar pop-ups are signs of a hacked website. You may also witness...
DescriptionMultiple Critical Vulnerabilities found in Ultimate Membership Pro could leads to Unauthenticated Remote Code Execution on default Installation, as well as PII disclosure. Edit (WPScanTeam): February 3rd, 2020 - Report Received & Envato Contacted...
Is your GoDaddy site sending out spam emails to your customers? Have you noticed that your website is slow for no reason? It’s most likely that your GoDaddy website is hacked.The repercussions of a hack are tremendous. Besides sending spam mails, hackers can cause a...
DescriptionLack of CSRF checks on the Filters page could allow attackers to add/edit/update/delete categories and delete all categories, as well as perform reflected XSS attacks. v1.0.8 fixed the reflected XSS, however no CSRF check on delete and delete_all_category...
iThemes Security Pro has a multitude of settings to help you secure your WordPress website. In this webinar, iThemes Associate Product Manager Michael Moore provides in-depth explanations of each security feature and a walkthrough of how to customize iThemes Security...
A DDoS attack is surprisingly easy to carry out and affects millions of websites worldwide every year, with the number of attacks rising. Suffering DDoS attacks may seem like an inevitable side effect of being online; the more successful your site, the more likely it...