Listly by David Sharpe
Last month a vulnerability was discovered in the Fancybox for WordPress plugin, making it possible for a hacker to inject an iframe into the website without needing administrator access. Although t...
Four hours ago, users seeking support on WordPress.org reported malware injected into their sites from an unknown source. The vulnerability allows for an iframe to be injected, redirecting to a '20...
Last week a blind SQL injection vulnerability was discovered in Yoast's popular WordPress SEO plugin. Given the severity of the vulnerability and the fact that the plugin is installed on more than ...
A blind SQL injection vulnerability was discovered today in the popular WordPress SEO plugin by Yoast. WPScan Vulnerability Database issued an advisory after responsibly disclosing the vulnerability...
Yesterday Matt Barry, one of our researchers at Wordfence, discovered a SQL injection vulnerability in WooCommerce version 2.3.5 and older during a code audit of the plugin repository. WooCommerce is installed on over 1 million active WordPress websites. We immediately contacted Woo about the issue and they’ve been incredibly responsive, releasing a fix this morning with their …
Update 2 on Feb 24th: A new version of this plugin has been released. We’ve run a penetration test on the plugin and the ‘vid’ parameter is no longer exploitable. We tested several other parameters and it appears at this point that the original security issue has been resolved. Update @9:45PM PST: About an hour before …
This Pirate Bay clone is actively pushing the Nuclear exploit kit with an iframe and will infect vulnerable visitors via drive-by download attacks. We've also detected several WordPress sites injected with the same iframe.
Multiple WordPress Plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are
Klikki Oy is reporting a new comment XSS exploit vulnerability in WordPress 4.2, 4.1.2, 4.1.1, and 3.9.3, which allows an unauthenticated attacker to inject JavaScript into comments. If triggered b...
A coordinated plugin update occurred this morning between many popular WordPress plugins to address a common security vulnerability that allows for cross-site scripting (XSS) attacks.
Many popular WordPress plugins are vulnerable to Cross-site Scripting, from the misuse of the add_query_arg() and remove_query_arg() functions due to poor documentation.
Jetpack and the Twenty Fifteen default theme have been updated after a DOM-based Cross-Site Scripting (XSS) vulnerability was discovered. According to Sucuri, any plugin or theme that uses Generico...