Security News
Threat actors are scanning for sites running the Fancy Product Designer plugin to exploit a zero-day bug allowing them to upload malware. Fancy Product Designer is a visual product configurator plugin for WordPress, WooCommerce, and Shopify, and it allows customers to customize products using their own graphics and content.
WP Statistics, a plugin installed on more than 600,000 WordPress websites, has an SQL-injection security vulnerability that could let site visitors make off with all kinds of sensitive information from web databases, including emails, credit-card data, passwords and more. WP Statistics, as its name suggests, is a plugin that delivers analytics for site owners, including how many people visit the site, where they're coming from, what browsers and search engines they use, and which pages, categories and tags have the most visits.
LoginID announced the launch of its WordPress plugin. The plugin is free to install, and enables websites powered by WordPress to install strong passwordless authentication in five clicks.
An SQL-injection vulnerability discovered in a WordPress plugin called "Spam protection, AntiSpam, FireWall by CleanTalk" could expose user emails, passwords, credit-card data and other sensitive information to an unauthenticated attacker. Spam protection, AntiSpam, FireWall by CleanTalk is installed on more than 100,000 sites, and is mainly used to weed out spam and trash comments on website discussion boards.
More than 580 WordPress vulnerabilities were disclosed in 2020, but a vast majority of them impact third-party plugins and themes rather than the WordPress core, according to a new report from website security company Patchstack. The report is based on data from Patchstack's WordPress vulnerability database, which includes information collected by the company's internal research team and its bug bounty community, by third-party cybersecurity vendors, and by independent security researchers.
A proposal by a WordPress core contributor to treat Google's FLoC ad tech as a security vulnerability, and therefore backport an automatic opt-out to previous WordPress versions, shows the depth of community opposition to the technology. Now a WordPress Core contributor has proposed treating "FLoC as a security concern."
WordPress has released version 5.7.1 of its popular content management system, which brings more than 25 bug fixes, including patches for two security vulnerabilities. One of the patched security flaws is an XML External Entity vulnerability in the ID3 library in PHP 8, which is used by WordPress.
WordPress announced today that they are treating Google's new FLoC tracking technology as a security concern and may block it by default on WordPress sites. After Google began testing FLoC this month in Google Chrome, there has been a consensus among privacy advocates that Google's FLoC implementation just replaces one privacy risk with another one.
WordPress announced today that they are treating Google's new FLoC tracking technology as a security concern and may block it by default on WordPress sites. After Google began testing FLoC this month in Google Chrome, there has been a consensus among privacy advocates that Google's FLoC implementation just replaces one privacy risk with another one.
Exploit acquisition company Zerodium announced last week that it's temporarily offering $300,000 for high-impact WordPress exploits. The company typically offers $100,000 for WordPress RCE exploits, the same amount as for Webmin, Plesk, and cPanel/WHM exploits.