Tag: security

  • #161 – Robert Jacobi on WordPress, Security, and the OSI Model

    On the podcast today we have Robert Jacobi and he’s here to talk about his tech journey, and his role at Black Wall, formerly BotGuard. We talk about the OSI model, explaining how computer networks communicate through seven layers, from application to physical. Robert shares insights into Black Wall’s focus on preventing bot attacks at…

  • WPForms Plugin Patches Vulnerability Affecting Stripe Payments and Subscriptions

    Awesome Motive’s WPForms plugin has patched a Missing Authorization to Payment Refund and Subscription Cancellation vulnerability. This issue allowed authenticated attackers with Subscriber-level access or higher to refund Stripe payments and cancel subscriptions without proper authorization. Wordfence reports that “The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a…

  • #142 – Miriam Schwab and Oliver Sild on Security Collaboration Between Elementor and Patchstack

    On the podcast today we have Miriam Schwab from Elementor and Oliver Sild from Patchstack. They delve into their partnership focusing on monitoring and quickly addressing WordPress vulnerabilities through a prioritisation system, virtual patches, and a managed vulnerability disclosure program. The conversation highlights the importance of collaboration within the WordPress community to improve security. Elementor’s…

  • Jetpack 13.9.1 Patches a Critical Security Flaw

    Jetpack 13.9.1, a critical security update, was released yesterday to fix a vulnerability in the Contact Form feature that had been present since 2016. This flaw allowed logged-in users of a site to access forms submitted by visitors. The vulnerability was discovered during an internal security audit, prompting the Jetpack team to collaborate with the…

  • Critical Vulnerability Patched in GiveWP Plugin

    GiveWP, a popular donation plugin for WordPress, has patched an unauthenticated PHP Object Injection to Remote Code Execution vulnerability that could be exploited to execute arbitrary code remotely and delete files. This plugin from the Liquid Web family of products has 100k+ active installs. villu164 (Villu Orav) reported the vulnerability through the Wordfence Bug Bounty…

  • Wordfence Launches WordPress Superhero Challenge with Big Rewards

    Wordfence has introduced an exciting new initiative, the WordPress Superhero Challenge, as part of its ongoing Bug Bounty Program. Running until October 14th, this challenge exclusively targets plugins and themes with over 5 million active installations, a category that demands a high level of expertise due to the extensive testing these products undergo before reaching…

  • Wordfence CLI 2.0.1 Update Adds Free Vulnerability Scanning

    Wordfence CLI 2.0.1 introduced free vulnerability scanning this week. The new CLI product was launched at WordCamp US two months ago with malware detection capabilities, but the latest update brings in the most highly requested feature – vulnerability scanning at scale. Wordfence is most well-known for its Web Application Firewall, malware scanner, and login security…

  • Patchstack Reports 404 Vulnerabilities Affecting 1.6M+ Websites to WordPress.org Plugins Team

    After an accumulation of undisclosed and unpatched vulnerabilities in plugins hosted on WordPress.org, Patchstack has reported 404 plugins to WordPress’ Plugin Review Team. “This situation creates a significant risk for the WordPress community, and we decided to take action,” Patchstack researcher Darius Sveikauskas said. “Since these developers have been unreachable, we sent the full list…

  • Ninja Forms Version 3.6.26 Patches Multiple High Severity Security Vulnerabilities

    If you use the Ninja Forms plugin and your sites aren’t set to get automatic plugin updates, add a round of updates to your weekend plans. Patchstack is reporting multiple high severity security vulnerabilities in the plugin, including the following: Patchstack researchers discovered the vulnerabilities on June 22, 2023, and Ninja Forms patched them on…

  • All-In-One Security Plugin Patches Sensitive Data Exposure Vulnerability in Version 5.2.0

    All-In-One Security (AIOS), a plugin active on more than a million WordPress sites, was found to be logging plaintext passwords from login attempts in the database and has patched the security issue in version 5.2.0. In a post titled “Cleartext passwords written to aiowps_audit_log” published to the plugin’s support forum two weeks and five days…

  • MalCare, Blogvault, and WPRemote Plugins Patch Vulnerabilities Allowing Site Takeover Through Stolen API Credentials

    Snicco, a WordPress security services provider, has published an advisory on a vulnerability in the MalCare plugin, which is active on more than 300,000 sites. “MalCare uses broken cryptography to authenticate API requests from its remote servers to connected WordPress sites,” WordPress security researcher Calvin Alkan said. “Requests are authenticated by comparing a shared secret stored…

  • Ultimate Member 2.6.7 Patches Privilege Escalation Vulnerability

    Authors of the Ultimate Member plugin have released version 2.6.7 with a patch for a privilege escalation vulnerability. Last week WPScan reported that Ultimate Member had still not fully patched the vulnerability after multiple inadequate attempts. There was evidence that it was being actively exploited in the wild. Working through the complexities of this security…

  • Hackers Actively Exploiting Unpatched Privilege Escalation Vulnerability in Ultimate Member Plugin

    WPScan is reporting a hacking campaign actively exploiting an unpatched vulnerability in the Ultimate Member plugin, which allows unauthenticated attackers to create new user accounts with administrative privileges and take over the site. The vulnerability has been assigned a CVSSv3.1 (Common Vulnerability Scoring System) score of 9.8 (Critical). Automattic’s WP.cloud and Pressable.com hosting platforms picked…

  • Really Simple SSL Plugin Adds Free Vulnerability Detection

    Really Simple SSL, a popular plugin used on more than five million sites for installing SSL certificates, handling website migrations, mixed content, redirects, and security headers, has added a new feature in its most recent major update. Version 7.0.0 introduces vulnerability detection as part of a partnership with WP Vulnerability, an open source, free API…
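The WPForms entry above describes a missing-authorization bug: a handler reachable by any logged-in user performed a privileged action (refunding a payment) without checking that the user was allowed to. The following mu-plugin is an added example written for this page, not WPForms code, showing the vulnerable shape of such an admin-ajax handler next to a hardened one. The action names, the `_demo_refunded` meta key and `demo_issue_refund()` are invented for the demo; it assumes a WordPress test site where it is dropped into `wp-content/mu-plugins/`.

```php
<?php
/**
 * Plugin Name: Refund authorization demo (constructed example, not WPForms code)
 *
 * Registers two admin-ajax actions that both "refund" a payment post. Only one
 * of them checks that the caller is authorized to do so.
 */

/** Marks a payment post as refunded. Stands in for a real Stripe refund call. */
function demo_issue_refund( int $payment_id ): bool {
    if ( ! get_post( $payment_id ) ) {
        return false;
    }
    return (bool) update_post_meta( $payment_id, '_demo_refunded', time() );
}

/*
 * VULNERABLE pattern: wp_ajax_ hooks (without a wp_ajax_nopriv_ twin) only fire
 * for logged-in users, and the author treated "logged in" as "authorized".
 * Any Subscriber can POST action=demo_refund_vuln&payment_id=123 to
 * /wp-admin/admin-ajax.php and refund a payment that is not theirs.
 */
add_action( 'wp_ajax_demo_refund_vuln', function () {
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    demo_issue_refund( $payment_id );
    wp_send_json_success();
} );

/*
 * HARDENED pattern: a nonce against CSRF, then an explicit capability check.
 * The nonce alone is not authorization: any logged-in user can read one off a
 * page that prints it, so current_user_can() is the control that keeps
 * Subscribers out. Use the plugin's own capability here if it defines one;
 * manage_options is the generic "administrator only" choice.
 */
add_action( 'wp_ajax_demo_refund', function () {
    check_ajax_referer( 'demo_refund', 'nonce' ); // dies with 403 on a bad nonce

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    if ( 0 === $payment_id ) {
        wp_send_json_error( 'missing payment_id', 400 );
    }

    if ( ! demo_issue_refund( $payment_id ) ) {
        wp_send_json_error( 'unknown payment', 404 );
    }
    wp_send_json_success( [ 'payment_id' => $payment_id ] );
} );
```

The nonce for the hardened action is created with `wp_create_nonce( 'demo_refund' )` on whatever admin page triggers the refund. When reviewing a plugin for this class of bug, grep for `add_action( 'wp_ajax_` and `register_rest_route` and confirm that every state-changing callback has a capability check, not just a nonce check; nonce-only handlers are exactly what "authenticated attackers with Subscriber-level access or higher" exploit.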
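The GiveWP entry above concerns unauthenticated PHP object injection: `unserialize()` on attacker-controlled input instantiates whatever class the payload names, and any class with a magic method (`__destruct`, `__wakeup`, `__toString`, ...) becomes a gadget. The block below is an added example for this page, not GiveWP's code; `LogWriter` is an invented gadget that records what it would have written instead of touching disk, and the payload string is hand-built the way an attacker would send it. It runs with plain PHP 7.4 or later.

```php
<?php
/*
 * Constructed demonstration of PHP object injection via unserialize().
 * Not GiveWP code; LogWriter and the payload are invented for this demo.
 */

class LogWriter {
    public string $path = '';
    public string $data = '';

    /** Records what the gadget would have written, so the demo is harmless. */
    public static array $writes = [];

    /** PHP calls this automatically when the object is destroyed. */
    public function __destruct() {
        // A real gadget would do file_put_contents($this->path, $this->data)
        // here: attacker-chosen bytes to an attacker-chosen path, e.g. a .php file.
        self::$writes[] = $this->path . ' <= ' . $this->data;
    }
}

// Hand-built payload as it would arrive in a request parameter. The constructor
// is never run: unserialize() fills the public properties directly.
const EVIL = 'O:9:"LogWriter":2:{s:4:"path";s:13:"/tmp/demo.txt";s:4:"data";s:5:"owned";}';

/** VULNERABLE: trusts a serialized blob from the request. */
function vulnerable_load(string $blob) {
    return unserialize($blob);            // instantiates whatever class the blob names
}

/** HARDENED: no class may be instantiated; any object becomes __PHP_Incomplete_Class. */
function hardened_load(string $blob) {
    $value = unserialize($blob, ['allowed_classes' => false]);
    if (is_object($value)) {              // reject the placeholder rather than pass it on
        throw new InvalidArgumentException('objects are not accepted here');
    }
    return $value;                        // scalars and arrays only
}

// --- demo run ---
vulnerable_load(EVIL);                    // object created and destroyed right away
var_dump(LogWriter::$writes);             // ["/tmp/demo.txt <= owned"]: the gadget fired

try {
    hardened_load(EVIL);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
var_dump(count(LogWriter::$writes));      // still 1: nothing ran the second time
```

`allowed_classes => false` is the minimum fix when the serialized format cannot be changed; the better fix is to stop exchanging serialized PHP with clients at all and use `json_decode()`, which cannot create objects of arbitrary classes. Note that WordPress's `maybe_unserialize()` is not a mitigation: it calls `unserialize()` without `allowed_classes`, so option and meta values that an attacker can influence are sinks of the same kind.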
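The MalCare, Blogvault and WPRemote entry above quotes the advisory's point that API requests from the vendor's servers were authenticated by comparing a shared secret. The block below is an added example for this page, not MalCare's scheme or code, contrasting a weak way to do that (send the secret, compare with `==`) with an HMAC-based scheme where the secret never leaves either end, the comparison is constant-time, and replays are bounded by a timestamp window. The field names, the demo secret and the request bodies are invented; it runs with plain PHP.

```php
<?php
/*
 * Constructed example of authenticating API requests with a per-site shared
 * secret. Not MalCare's scheme; field names and the secret are invented.
 */

const DEMO_SECRET = 'e3c5b0d8f1a24c7b9e1d5f6a8b2c4d9e'; // stored server-side, per site

/** WEAK: the secret itself is sent, and compared loosely. */
function weak_verify(array $request, string $secret): bool {
    // 1. The secret travels in every request: one captured request = site takeover.
    // 2. == on strings is loose: "0e123" == "0e456" is true in PHP, because both are
    //    numeric strings equal to zero. Hash-looking values can therefore collide.
    // 3. == stops at the first mismatching byte, leaking timing information.
    return $request['secret'] == $secret;
}

/** Remote side: sign timestamp + body; the secret is never transmitted. */
function sign_request(string $body, int $timestamp, string $secret): string {
    return hash_hmac('sha256', $timestamp . "\n" . $body, $secret);
}

/** Site side: reject stale requests, recompute the MAC, compare in constant time. */
function strong_verify(array $request, string $secret, int $now, int $window = 300): bool {
    $ts  = (int) ($request['timestamp'] ?? 0);
    $sig = (string) ($request['signature'] ?? '');
    if (abs($now - $ts) > $window) {
        return false;                                    // replayed or stale request
    }
    $expected = sign_request((string) ($request['body'] ?? ''), $ts, $secret);
    return hash_equals($expected, $sig);                 // strict and constant-time
}

// --- demo run ---
// The loose-comparison pitfall on its own: two different "hashes" that == calls equal.
var_dump('0e462097431906509019562988736854' == '0e830400451993494058024219903391'); // true
var_dump(hash_equals('0e462097431906509019562988736854', '0e830400451993494058024219903391')); // false

$body = '{"action":"export_users"}';
$now  = time();
$ok   = ['body' => $body, 'timestamp' => $now,
         'signature' => sign_request($body, $now, DEMO_SECRET)];
var_dump(strong_verify($ok, DEMO_SECRET, $now));         // true

$tampered = $ok;
$tampered['body'] = '{"action":"create_admin"}';
var_dump(strong_verify($tampered, DEMO_SECRET, $now));   // false: body no longer matches the MAC

var_dump(strong_verify($ok, DEMO_SECRET, $now + 3600));  // false: outside the replay window
```

In a real deployment the MAC should also cover the HTTP method and path, and the timestamp window should be paired with a nonce cache if a replay inside the window is unacceptable. The property that matters for the "stolen API credentials" scenario in the headline is the first one: with an HMAC design, capturing a request yields a signature for that one body and timestamp, not a credential that works forever.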
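The two Ultimate Member entries above describe unauthenticated attackers creating accounts with administrative privileges. The usual shape of that bug class in WordPress is mass assignment: a registration or profile form writes every submitted field to user meta, and `wp_capabilities` (the table-prefixed key that holds a user's roles) or `wp_user_level` can be smuggled in as a form field. The block below is an added example for this page, not Ultimate Member's code, and makes no claim about how that plugin's bug worked; the field names are invented and the meta store is a closure so the demo runs with plain PHP (in WordPress the store would be `update_user_meta`).

```php
<?php
/*
 * Constructed illustration of user-meta mass assignment, not Ultimate Member code.
 * $store stands in for update_user_meta( $user_id, $key, $value ).
 */

/** VULNERABLE: everything the client sent becomes user meta. */
function vulnerable_save_profile(int $user_id, array $submitted, callable $store): void {
    foreach ($submitted as $key => $value) {
        $store($user_id, $key, $value);
    }
}

/** FRAGILE: a denylist of known-dangerous keys. */
function denylist_save_profile(int $user_id, array $submitted, callable $store): void {
    $banned = ['wp_capabilities', 'wp_user_level'];
    foreach ($submitted as $key => $value) {
        if (in_array($key, $banned, true)) {
            continue;
        }
        // Misses sites with a non-default table prefix (foo_capabilities), and, on
        // MySQL's default case-insensitive collations, case variants such as
        // wp_Capabilities that the database still matches to the real row.
        $store($user_id, $key, $value);
    }
}

/** HARDENED: an allowlist of profile keys; role-bearing keys can never get through. */
function hardened_save_profile(int $user_id, array $submitted, callable $store): array {
    $allowed = ['first_name', 'last_name', 'description', 'user_url'];
    $written = [];
    foreach ($submitted as $key => $value) {
        if (!in_array($key, $allowed, true)) {
            continue;                                  // drop unknown keys, do not "clean" them
        }
        $store($user_id, $key, is_string($value) ? strip_tags($value) : '');
        $written[] = $key;
    }
    return $written;
}

// --- demo run ---
$meta  = [];
$store = function (int $uid, string $key, $value) use (&$meta) { $meta[$uid][$key] = $value; };

// Attacker-submitted registration form: two extra fields the form never rendered.
$attacker = [
    'first_name'      => 'Eve',
    'wp_Capabilities' => ['administrator' => true],   // case variant of wp_capabilities
    'wp_user_level'   => 10,
];

vulnerable_save_profile(7, $attacker, $store);
var_dump(array_keys($meta[7]));   // first_name, wp_Capabilities, wp_user_level: admin on next login

$meta = [];
denylist_save_profile(7, $attacker, $store);
var_dump(array_keys($meta[7]));   // first_name, wp_Capabilities: the denylist missed the variant

$meta = [];
var_dump(hardened_save_profile(7, $attacker, $store)); // ["first_name"]
```

The headline detail that the attack was unauthenticated follows directly from the pattern: the registration form is public, so the only thing standing between an anonymous visitor and an administrator account is the filter applied to the submitted keys. For detection, a sudden `wp_capabilities` row with `administrator` on a freshly registered user, or a profile-update request carrying that key, is the signal to alert on.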