Episodes
A critical SQL injection vulnerability was discovered in WooCommerce, the most popular e-Commerce plugin used by over 5 million WordPress sites. The WordPress.org team pushed a forced security update ensuring that over 90 versions of WooCommerce were patched. REvil ransomware gang targeted a zero-day vulnerability in Kaseya, used by many in the banking industry, before going dark. A new SolarWinds zero-day was found in their Serv-U FTP platform.
Published 07/16/21
Security researchers accidentally leaked 0-day exploit code for a new Windows bug, now called PrintNightmare, while easily exploitable vulnerabilities in the ProfilePress plugin were patched quickly. An unprotected cloud database containing over 814 million DreamHost user records was found online. Google Chrome is getting an HTTPS-only feature in an upcoming version, and two bugs, one of which is a zero-day, are leading to attackers fighting over control of Western Digital My Book Live devices.
Published 07/02/21
Over 30 million Dell devices are at risk for remote BIOS attacks due to four separate security bugs, which can have far-reaching effects for enterprise organizations heavily invested in Dell devices. VMware Carbon Black App Control has been updated this week to fix a critical-severity vulnerability that allows authentication bypass. Antivirus creator John McAfee dies in a Spanish jail, and a bug found by a security researcher in Atlassian’s authentication could have led to a supply chain...
Published 06/25/21
Sites running Jetpack are being infected via compromised WordPress.com credentials. The largest password dump ever with 8.4 billion passwords is used in credential stuffing attacks. Wordfence Threat Intelligence discloses new plugin vulnerabilities as well as a vulnerability at tsoHost. Data breaches impact VW and EA, REvil compromises a nuclear weapons contractor, and TurboTax accounts are taken over. Ransomware surveys show conflicting results. Chrome and iOS Safari are both patched against...
Published 06/18/21
Wordfence is now a CVE Numbering Authority, or a CNA. As a CNA, Wordfence can now assign CVE IDs for new vulnerabilities in WordPress Core, WordPress Plugins & WordPress Themes. An outage at Fastly takes down major websites including Reddit, Twitch, & Amazon. Microsoft patches numerous Windows 0-day vulnerabilities, and Google patches an RCE in Android phones. An informant and a messaging app led to huge global crime sting & Windows container malware targets Kubernetes clusters...
Published 06/11/21
A security fix was pushed out to WordPress sites using Jetpack that bypassed local settings preventing autoupdates. A ransomware attack on JBS that shut down meat processing operations in the US has been attributed to REvil, a private Russian ransomware operation. A critical 0-day was discovered by the Wordfence site cleaning team in the Fancy Product Manager plugin, used by 17,000 WordPress sites. Amazon devices will soon automatically share your Internet with neighbors, unless you opt out...
Published 06/04/21
A critical vulnerability in VMware's vCenter Server threatens some of the largest data centers in the world. An actively exploited 0-day in macOS was used to take screenshots of infected computers.
Published 05/28/21
Four memory corruption vulnerabilities are being actively exploited on Android devices & nearly 2 dozen popular Android apps exposed over 100M users’ sensitive information in cloud databases. Over 600K sites using WP Statistics required a patch to fix a blind SQL injection vulnerability. WP User Avatar undergoes a dramatic rebranding to ProfilePress, adding divergent functionality & causing a user revolt in reviews. More details emerge about the ransomware attack on Colonial Pipeline.
Published 05/21/21
A ransomware attack on Colonial Pipeline affected fuel availability in 17 US states, and Bloomberg reported that a $5M ransom was paid to a Russian ransomware organization. The Biden Administration issued an executive order to increase US cybersecurity defenses. WordPress 5.7.2 was released to patch a critical vulnerability in PHPMailer, and a critical vulnerability was found in External Media plugin. Vulnerabilities were discovered in all WiFi devices & patch is available for a 0day in...
Published 05/14/21
A vulnerability discovered in Packagist, which is used by Composer to manage PHP package requests, could have allowed attackers to cause Composer to download the wrong source code, potentially affecting all WordPress sites. Packagist reports that it's not aware of any exploits. A SQL injection vulnerability was patched in the CleanTalk AntiSpam plugin installed on over 100k sites. Vulnerabilities were discovered in Exim mail server, including 3 RCE vulnerabilities.
Published 05/07/21
Apple patches a macOS Gatekeeper bypass vulnerability; users must install an update to get the fix. Though this vulnerability requires some social engineering to exploit, it is believed to have been actively exploited since Jan. 9. Some DigitalOcean customers were affected by a breach exposing personally identifiable information. A WordPress Trac conversation considers blocking FLoC as a security release, and Creative Commons Search is coming to WordPress.org in a few weeks. Google Chrome has another RCE bug.
Published 04/30/21
Attacks on unpatched SolarWinds systems continue, and we're now learning of a supply chain attack that started in late January 2021 affecting 29K Codecov customers, as well as a 0day actively attacked affecting customers of PulseSecure VPN. Customers of these 3 services are well-known enterprise & government organizations. Two add-on plugins are experiencing active attacks: Kaswara Modern WPBakery Page Builder Addons & The Plus Addons for Elementor. Vulnerabilities are patched in...
Published 04/23/21
An FBI initiative began remotely removing webshells from infected Microsoft Exchange servers. WordPress 5.7.1 was released with a few security patches. Over 15 Elementor addon plugins were found to have vulnerabilities affecting over 3.5M sites. Google Chrome was found to have two 0day vulnerabilities. The US & UK blame Russian hackers for the attack campaigns against SolarWinds. Organizations are still being urged to patch the 5 vulnerabilities being exploited in ongoing attacks.
Published 04/16/21
A new Wix ad campaign targets WordPress but ends up being tone deaf in both content and strategy. New details emerge about the PHP compromise, but the full story remains unclear. Facebook user data from 2019 ends up on the dark web, and Have I Been Pwned adds a phone number check to help users determine if they’ve been affected. GitHub Actions are being used by cryptojackers, Gigaset Android phones have been infected with malware in a supply chain attack, and new phishing methods emerge using...
Published 04/09/21
The self-hosted Git repository for PHP was compromised, with attackers adding a backdoor to a development version of PHP 8.1. The intrusion was detected by the PHP community quickly, and no production environments were affected. Ubiquiti experienced an intrusion in January that was far worse than originally reported; attackers gained access to nearly all of the AWS assets for the company who has shipped 85 million IoT devices.
Published 04/02/21
Attackers continue to exploit recently patched vulnerabilities in Thrive Themes, though not all of them are successful. Two vulnerabilities are patched in the Facebook for WordPress plugin installed on over half a million sites. Google Chrome version 90 will use HTTPS by default, bringing significant improvements to speed and security. A ransomware insurance provider experiences a breach, and Slack’s new “Slack Connect” feature has some security concerns.
Published 03/26/21
An attack shows how an SMS enablement service was used to bypass SMS 2FA for $16. We discuss the recently patched vulnerabilities in Elementor affecting 7M+ WP sites and how easily these XSS vulnerabilities can be exploited. We also talk about the SQL Injection vulnerabilities in Tutor LMS. The fire at OVH in France that took 3.5 million sites offline also took down some advanced persistent threat (APT) actors. And there's yet another Chrome use-after-free zero-day vulnerability being actively...
Published 03/19/21
A data breach exposes 150,000 security cameras used by organizations around the world, including Tesla and Cloudflare. State-sponsored hacking groups exploit Microsoft Exchange vulnerabilities. A fire in a French data center belonging to hosting company OVH affects millions of websites, including some prominent WordPress services like Imagify and WP Rocket. WordPress 5.7 was released this week with many new features. 
Published 03/12/21
The Wordfence Threat intelligence team finds vulnerabilities in two plugins, the User Profile Picture plugin and the WooCommerce Upload Files plugin. WordPress 5.7 is set to release on Tuesday, March 9 with numerous enhancements for the block editor, a new robots.txt API, and a stay of execution on jQuery-migrate. A zero day affecting Microsoft Exchange Server allows attackers to steal emails. And Brave buys a search engine to add to their growing privacy-oriented portfolio.
Published 03/05/21
WordPress 5.7 is due to be released on Mar. 9, and it allows admins to send password reset emails to users. A botnet is abusing the Bitcoin blockchain for C2, while VMware fixes a critical RCE in all default vCenter installs. We talk about the ramifications of vulnerability disclosures and how last year's File Manager vulnerability did not have long-lasting effects on plugin installation base or growth. We also discuss how investor data breach fatigue has reduced the stock price of...
Published 02/26/21
An analysis of WordPress-related search trends found that interest in WooCommerce related results dominated during 2020. We discuss recent vulnerabilities discovered by our threat intelligence team in Ninja Forms, affecting over 1 million sites. WordPress issues a statement that pirated themes and plugins are prohibited on the repository. And a supply chain attack affects users of the once-legitimate Barcode Scanner Android app. We also discuss some career opportunities on the Wordfence team.
Published 02/19/21
This week, the Wordfence team discusses cryptography in-depth, including the basics, a brief history, hashing, and the Crypto Wars. We also go over current news, including 2 new findings by the Wordfence Threat Intelligence team, a new milestone for WordPress, and a recent attack on a Florida town's water supply.
Published 02/12/21
Wordfence opens the K-12 site audit & site cleaning service for public schools worldwide. Machine learning is now a big part of our malware identification process, which will speed new malware signatures to deployment. A bug in Sudo can let attackers with access to a local system elevate their access to a root-level account, which has implications for WordPress sites, Mac users, and more. WordPress 5.7, the next major release, will make it much easier for users to migrate their sites...
Published 02/05/21
After a disruptive year in 2020, there are new challenges in 2021, but also immense opportunities in numerous fields. In a deep and wide-ranging conversation, Mark Maunder and Kathy Zant discuss artificial intelligence, whether or not we're living in a simulation, cryptocurrencies and the opportunities of blockchain technology, open source communities and publishing, avoiding scams and FOMO, as well as what fields are most promising for the next 10 years.
Published 01/29/21