Published on June 17, 2022
TL;DR A critical security bug in Ninja Forms (1+ million installations) was patched by the plugin’s developers this week. The security bug posed a high risk, as it could result in unauthenticated object injection. Successful attacks could instantiate arbitrary classes within WordPress (and execute a function or method defined within). The WordPress.org plugins team took […]
Published on April 13, 2022
A critical vulnerability was fixed in the WordPress plugin Elementor. Do you want to be the first to be alerted about such vulnerabilities? Sign up for Patchstack. For plugin developers, we have security audit services and Threat Intelligence Feed API for hosting companies. Note: we are still gathering more information on this vulnerability, such as the requirements to exploit this vulnerability […]
Published on February 8, 2022
The plugin Responsive Menu – Create Mobile-Friendly Menu (versions 4.1.7 and below), which has over 100,000 active installations, suffers from a critical vulnerability. This vulnerability allows any authenticated user, regardless of their authorization level, to execute nearly all of the actions that only administrators are supposed to be able to execute. Do you want to be […]
Published on January 27, 2022
A critical vulnerability was fixed in the WordPress plugin Essential Addons for Elementor. Do you want to be the first to be alerted about such vulnerabilities? Sign up for Patchstack. For plugin developers, we have security audit services and Threat Intelligence Feed API for hosting companies. Update February 1st, 2022: we would like to make clear that we did not originally […]
Published on January 11, 2022
The decision to publicly report a vulnerability that has no patch does not come easily, however, in certain circumstances it is the only option available to protect users from running insecure code. You may have guessed where I am going with this if you have been reading or listening to the Patchstack Security Weekly updates […]
Published on January 7, 2022
On the 6th of January 2022, WordPress.org released a security update and recommended that users “update your sites immediately”. This WordPress core 5.8.3 security update addresses 4 different security vulnerabilities which affect WordPress core versions between 3.7 and 5.8. For many, WordPress automatically updates the core to the latest version. Check if your WordPress version […]
Published on December 13, 2021
Recently, an extremely critical remote code execution vulnerability was made public for the Apache Log4j logging library. If an organization or piece of software made use of the Apache Log4j logging library and was running a vulnerable version, it was possible for malicious people to remotely execute commands, which in many cases required no prerequisites. A comprehensive […]
Published on December 2, 2021
The WP-VCD malware for WordPress has existed for many years. It mainly spreads by injecting itself into legitimate plugins and themes, after which it spreads itself via sites that offer downloads of (nulled) WordPress plugins and themes. We noticed that during the coronavirus pandemic, the WP-VCD malware has also started injecting itself into plugins that can […]
Published on November 24, 2021
There were multiple security vulnerabilities fixed in the Hide My WP plugin by wpWave, which allowed unauthenticated SQL injection and allowed unauthenticated users to retrieve a token that deactivates the plugin. Do you want to be the first to be alerted about such vulnerabilities? Sign up for Patchstack. For plugin developers, we have security audit services and Threat Intelligence Feed […]
Published on November 10, 2021
There was a critical security vulnerability in the WP Reset PRO plugin which allowed any authenticated user to wipe the database. Do you want to be the first to be alerted about such vulnerabilities? Sign up for Patchstack. For plugin developers, we have security audit services and Threat Intelligence Feed API for hosting companies. The PRO version of the WP Reset […]