High Severity Vulnerability Patched in WooCommerce Stock Manager Plugin

High Severity Vulnerability Patched in WooCommerce Stock Manager Plugin

On May 21, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in WooCommerce Stock Manager, a WordPress plugin installed on over 30,000 sites. This flaw made it possible for an attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, as long…

Episode 121: Wordfence is Now a CVE Numbering Authority (CNA)

Episode 121: Wordfence is Now a CVE Numbering Authority (CNA)

Wordfence is now a CVE Numbering Authority, or a CNA. As a CNA, Wordfence can now assign CVE IDs for new vulnerabilities in WordPress Core, WordPress Plugins and WordPress Themes. An outage at Fastly takes down major websites including Reddit, Twitch, Amazon, and many others. Microsoft patches numerous Windows 0-day vulnerabilities, and Google patches a…

Malicious Attack Campaign Targeting Jetpack Users Reusing Passwords

Malicious Attack Campaign Targeting Jetpack Users Reusing Passwords

The Wordfence Threat Intelligence and Site Cleaning teams have been tracking a malware campaign that redirects all site visitors to malvertising domains, while attempting to keep site administrators unaware of the infection. Since June 1, 2021, the number of sites we are tracking that have been infected with this malware has more than doubled, and…

Episode 120: Jetpack Autoupdate Security Patch Bypasses Local Settings

Episode 120: Jetpack Autoupdate Security Patch Bypasses Local Settings

A security fix for an information leak vulnerability was pushed out to WordPress sites using Jetpack that bypassed local settings preventing autoupdates. A ransomware attack on JBS that shut down meat processing operations in the United States has been attributed to REvil, a private Russian ransomware-as-​a-service operation. A critical zero-day vulnerability was discovered by the…

Critical 0-day in Fancy Product Designer Under Active Attack

Critical 0-day in Fancy Product Designer Under Active Attack

Update: A patched version of Fancy Product Designer, 4.6.9, is now available as of June 2, 2021. This article has been updated to reflect newly available information, including Indicators of Compromise. On May 31, 2021, the Wordfence Threat Intelligence team discovered a critical file upload vulnerability being actively exploited in Fancy Product Designer, a WordPress…

Episode 119: Critical VMWare Vulnerability Threatens Data Centers

Episode 119: Critical VMWare Vulnerability Threatens Data Centers

A Critical Vulnerability in VMWare’s vCenter Server threatens some of the largest data centers in the world. An actively exploited 0-day in macOS was used to take screen shots of infected computers. CodeCov claims another victim as Japanese e-Commerce unicorn Mercari reports a massive data breach. Domino’s India and Air India suffer from large-scale data…