#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

Wordfence | Breaking Cybersecurity News | The Hacker News

Category — Wordfence
WordPress Admins Urged to Remove miniOrange Plugins Due to Critical Flaw

WordPress Admins Urged to Remove miniOrange Plugins Due to Critical Flaw

Mar 18, 2024 Website Security / Vulnerability
WordPress users of miniOrange's Malware Scanner and Web Application Firewall plugins are being urged to delete them from their websites following the discovery of a critical security flaw. The flaw, tracked as  CVE-2024-2172 , is rated 9.8 out of a maximum of 10 on the CVSS scoring system and discovered by Stiofan . It impacts the following versions of the two plugins - Malware Scanner  (versions <= 4.7.2) Web Application Firewall  (versions <= 2.1.1) It's worth noting that the plugins have been permanently closed by the maintainers as of March 7, 2024. While Malware Scanner has over 10,000 active installs, Web Application Firewall has more than 300 active installations. "This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password," Wordfence  reported  last week.  The issue is the result of a missing capability check in the function mo_wpns_init() that enables an unau
WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk

WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk

Feb 27, 2024 Vulnerability / Website Security
A security vulnerability has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable unauthenticated users to escalate their privileges. Tracked as  CVE-2023-40000 , the vulnerability was addressed in October 2023 in version 5.7.0.1. "This plugin suffers from unauthenticated site-wide stored [cross-site scripting] vulnerability and could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request," Patchstack researcher Rafie Muhammad  said . LiteSpeed Cache , which is used to improve site performance, has more than five million installations. The latest version of the plugin is 6.1, which was released on February 5, 2024. The WordPress security company said CVE-2023-40000 is the result of a lack of user input sanitization and  escaping output . The vulnerability is rooted in a function named update_cdn_status() and can be reproduced in a default
cyber security

Online Master's in Applied Intelligence

websiteGeorgetown UniversityCyber Security
More than 90% of respondents expressed concern over their team and tooling's ability to detect identity-based attacks. Learn about critical gaps in security programs and what environments pose the most risk to security teams. Download the Report.
WordPress Plugin Alert - Critical SQLi Vulnerability Threatens 200K+ Websites

WordPress Plugin Alert - Critical SQLi Vulnerability Threatens 200K+ Websites

Feb 27, 2024 Website Security / Cryptojacking
A critical security flaw has been disclosed in a popular WordPress plugin called  Ultimate Member  that has more than 200,000 active installations. The vulnerability, tracked as CVE-2024-1071, carries a CVSS score of 9.8 out of a maximum of 10. Security researcher Christiaan Swiers has been credited with discovering and reporting the flaw. In an advisory published last week, WordPress security company Wordfence  said  the plugin is "vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query." As a result, unauthenticated attackers could take advantage of the flaw to append additional SQL queries into already existing queries and extract sensitive data from the database. It's worth noting that the issue only affects users who have checked the "Enable custom table for usermeta" option in the plugin settings.
cyber security

Permiso Security's 2024 State of Identity Security Report

websitePermisoThreat Detection / Identity Security
More than 90% of respondents expressed concern over their team and tooling's ability to detect identity-based attacks. Learn about critical gaps in security programs and what environments pose the most risk to security teams. Download the Report.
Researchers Uncover Malware Posing as WordPress Caching Plugin

Researchers Uncover Malware Posing as WordPress Caching Plugin

Oct 12, 2023 Website Security / WordPress
Cybersecurity researchers have shed light on a new sophisticated strain of malware that masquerades as a WordPress plugin to stealthily create administrator accounts and remotely control a compromised site. "Complete with a professional looking opening comment implying it is a caching plugin, this rogue code contains numerous functions, adds filters to prevent itself from being included in the list of activated plugins, and has pinging functionality that allows a malicious actor to check if the script is still operational, as well as file modification capabilities," Wordfence  said . The plugin also offers the ability to activate and deactivate arbitrary plugins on the site remotely as well as create rogue admin accounts with the username superadmin and a hard-coded password. In what's seen as an attempt to erase traces of compromise, it features a function named "_pln_cmd_hide" that's designed to remove the superadmin account when it's no longer req
Critical Security Flaw in Social Login Plugin for WordPress Exposes Users' Accounts

Critical Security Flaw in Social Login Plugin for WordPress Exposes Users' Accounts

Jun 29, 2023 Website Security / Vulnerability
A critical security flaw has been disclosed in miniOrange's  Social Login and Register plugin  for WordPress that could enable a malicious actor to log in as any user-provided information about email address is already known. Tracked as CVE-2023-2982 (CVSS score: 9.8), the authentication bypass flaw impacts all versions of the plugin, including and prior to 7.6.4. It was addressed on June 14, 2023, with the release of version 7.6.5 following responsible disclosure on June 2, 2023. "The vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts used to administer the site, if the attacker knows, or can find, the associated email address," Wordfence researcher István Márton  said . The issue is rooted in the fact that the encryption key used to secure the information during login using social media accounts is hard-coded, thus leading to a scenario where attackers could create a valid request with a properl
Hackers Started Exploiting Critical "Text4Shell" Apache Commons Text Vulnerability

Hackers Started Exploiting Critical "Text4Shell" Apache Commons Text Vulnerability

Oct 21, 2022
WordPress security company Wordfence on Thursday said it started detecting exploitation attempts targeting the newly disclosed flaw in Apache Commons Text on October 18, 2022. The vulnerability, tracked as  CVE-2022-42889  aka Text4Shell , has been assigned a severity ranking of 9.8 out of a possible 10.0 on the CVSS scale and affects versions 1.5 through 1.9 of the library. It's also similar to the now infamous  Log4Shell  vulnerability in that the  issue  is rooted in the manner  string substitutions  carried out during  DNS, script, and URL lookups  could lead to the execution of arbitrary code on susceptible systems when passing untrusted input. "The attacker can send a crafted payload remotely using 'script,' 'dns,' and 'url' lookups to achieve arbitrary remote code execution," the Zscaler ThreatLabZ team explained . A  successful exploitation of the flaw  can enable a threat actor to open a reverse shell connection with the vulnerable
Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts

Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts

Sep 09, 2022
A zero-day flaw in a WordPress plugin called  BackupBuddy  is being actively exploited, WordPress security company Wordfence has disclosed. "This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it  said . BackupBuddy allows users to back up their entire WordPress installation from within the dashboard, including theme files, pages, posts, widgets, users, and media files, among others. The plugin is estimated to have around 140,000 active installations, with the flaw (CVE-2022-31474, CVSS score: 7.5) affecting versions 8.5.8.0 to 8.7.4.1. It's been addressed in version 8.7.5 released on September 2, 2022. The issue is rooted in the function called "Local Directory Copy" that's designed to store a local copy of the backups. According to Wordfence, the vulnerability is the result of an insecure implementation, which enables an unauthenticated threat acto
Experts Notice Sudden Surge in Exploitation of WordPress Page Builder Plugin Vulnerability

Experts Notice Sudden Surge in Exploitation of WordPress Page Builder Plugin Vulnerability

Jul 18, 2022
Researchers from Wordfence have  sounded  the alarm about a "sudden" spike in cyber attacks attempting to exploit an unpatched flaw in a WordPress plugin called  Kaswara Modern WPBakery Page Builder Addons . Tracked as  CVE-2021-24284 , the issue is rated 10.0 on the CVSS vulnerability scoring system and relates to an unauthenticated arbitrary file upload that could be abused to gain code execution, permitting attackers to seize control of affected WordPress sites. Although the bug was originally  disclosed  in April 2021 by the WordPress security company, it continues to remain unresolved to date. To make matters worse, the plugin has been closed and is no longer actively maintained. Wordfence, which is protecting over 1,000 websites that have the plugin installed, said it has blocked an average of 443,868 attack attempts per day since the start of the month. The attacks have emanated from 10,215 IP addresses, with a majority of the exploitation attempts narrowed down
Cybersecurity
Expert Insights / Articles Videos
Cybersecurity Resources