#110 – Thomas J. Raef on the Shift in How Hackers Attack, and How to Protect Your Site

Transcript [00:00:00] Nathan Wrigley: Welcome to the Jukebox podcast from WP Tavern. My name is Nathan Wrigley. Jukebox is a podcast which is dedicated to all things WordPress. The people, the events, the plugins, the blocks, the themes, and in this case how your session cookies are being used to attack WordPress websites. If you’d…

Wordfence CLI 2.0.1 Update Adds Free Vulnerability Scanning

Wordfence CLI 2.0.1 introduced free vulnerability scanning this week. The new CLI product was launched at WordCamp US two months ago with malware detection capabilities, but the latest update brings in the most highly requested feature – vulnerability scanning at scale. Wordfence is best known for its Web Application Firewall, malware scanner, and login security…

Patchstack Reports 404 Vulnerabilities Affecting 1.6M+ Websites to WordPress.org Plugins Team

After an accumulation of undisclosed and unpatched vulnerabilities in plugins hosted on WordPress.org, Patchstack has reported 404 plugins to WordPress’ Plugin Review Team. “This situation creates a significant risk for the WordPress community, and we decided to take action,” Patchstack researcher Darius Sveikauskas said. “Since these developers have been unreachable, we sent the full list…

Business Roundup Week Ending August 18

Zoom AI Privacy Controversy: Zoom’s Terms grant them access to your video, audio, and chat transcripts to train their AI tools, but their latest update promises not to use them without your permission. Zoom’s previous privacy issues raise the concerns of some watchdog groups about the trustworthiness of the new policy. Read the facts: https://gizmodo.com/zoom-ai-privacy-policy-train-on-your-data-1850712655 …

Business Roundup Week Ending August 11

AI: The Next Chapter Online Event (September 14). This second installment of Human Made’s AI Event series will highlight the latest in WordPress AI and explore the broader changes created in the rapid advancement of AI. Speaker applications and attendee registration are now open for this free event. How can you better leverage AI in…

Ninja Forms Version 3.6.26 Patches Multiple High Severity Security Vulnerabilities

If you use the Ninja Forms plugin and your sites aren’t set to get automatic plugin updates, add a round of updates to your weekend plans. Patchstack is reporting multiple high severity security vulnerabilities in the plugin, including the following: a POST-based reflected XSS (7.6 CVSS 3.1 score); a broken access control on form submissions…

All-In-One Security Plugin Patches Sensitive Data Exposure Vulnerability in Version 5.2.0

All-In-One Security (AIOS), a plugin active on more than a million WordPress sites, was found to be logging plaintext passwords from login attempts in the database and has patched the security issue in version 5.2.0. In a post titled “Cleartext passwords written to aiowps_audit_log” published to the plugin’s support forum two weeks and five days…

MalCare, Blogvault, and WPRemote Plugins Patch Vulnerabilities Allowing Site Takeover Through Stolen API Credentials

Snicco, a WordPress security services provider, has published an advisory on a vulnerability in the MalCare plugin, which is active on more than 300,000 sites. “MalCare uses broken cryptography to authenticate API requests from its remote servers to connected WordPress sites,” WordPress security researcher Calvin Alkan said. “Requests are authenticated by comparing a shared secret stored…

Ultimate Member 2.6.7 Patches Privilege Escalation Vulnerability

Authors of the Ultimate Member plugin have released version 2.6.7 with a patch for a privilege escalation vulnerability. Last week WPScan reported that Ultimate Member had still not fully patched the vulnerability after multiple inadequate attempts. There was evidence that it was being actively exploited in the wild. Working through the complexities of this security…

Hackers Actively Exploiting Unpatched Privilege Escalation Vulnerability in Ultimate Member Plugin

WPScan is reporting a hacking campaign actively exploiting an unpatched vulnerability in the Ultimate Member plugin, which allows unauthenticated attackers to create new user accounts with administrative privileges and take over the site. The vulnerability has been assigned a CVSSv3.1 (Common Vulnerability Scoring System) score of 9.8 (Critical). Automattic’s WP.cloud and Pressable.com hosting platforms picked…