If you are using the WP Maintenance plugin on your site: on November 19th the Wordfence security team published a high-severity vulnerability advisory for it. Update the plugin immediately.
On November 15th, 2019, our Threat Intelligence team identified a vulnerability present in WP Maintenance, a WordPress plugin with approximately 30,000+ active installs. This flaw allowed attackers to enable a vulnerable site’s maintenance mode and inject malicious code affecting site visitors. We disclosed this issue privately to the plugin’s developer who released a patch the next day.
Plugin versions of WP Maintenance up to 5.0.5 are vulnerable to attacks against this flaw. All WP Maintenance users should update to version 5.0.6 immediately.
You can read the full announcement from Wordfence on: High Severity Vulnerability Patched in WP Maintenance Plugin
The Wordfence Threat Intelligence team recently identified an open redirect vulnerability in Bridge, a commercial WordPress theme purchased more than 120,000 times. We disclosed this issue to Qode Interactive, the theme’s developers, who have since released a patch for the affected components.
The initial discovery was related to one of the theme’s prepackaged helper plugins, Qode Instagram Widget. After discovery, Qode’s team patched a similar open redirect flaw in another prepackaged plugin, Qode Twitter Feed. Both of these plugins should be updated to their latest version, which is 2.0.2 in both cases at the time of this writing. These updates will be accessible from within the Bridge theme’s recommended plugin manager once the theme has been updated to 18.2.1.
We have released new firewall rules which protect Wordfence users’ sites from abuse of these open redirects. Wordfence Premium users already have access to these rules, and users still on the free version will have access in thirty days.
In today’s post, we’ll take a look at the vulnerabilities that were patched, and we’ll briefly discuss the risk that an open redirect vulnerability presents. Update workflows can vary for commercial themes and plugins such as these, so we’ll additionally be providing a short guide to help Bridge users ensure they’re up to date.
What Is An Open Redirect?
An open redirect vulnerability exists when a web application can be made to redirect a visitor to an arbitrary location based on user input. This can be used to create innocent-looking web links to legitimate domains, which then redirect the victim to a dangerous location. This is commonly used in phishing scams, since a link to a trustworthy site is much more likely to be clicked than a typical phishing domain.
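To make the check concrete, here is an added Python example (not code from Wordfence, Qode Interactive or the Bridge theme) of what a redirect handler should do before emitting a Location header: validate the target against an allowlist of hosts and refuse the shapes that commonly slip past naive "does it start with my domain?" checks. The allowlist `ALLOWED_HOSTS`, the function names and the sample URLs are assumptions constructed for the example. In WordPress itself the equivalent is `wp_safe_redirect()`, which runs the target through `wp_validate_redirect()` and falls back to the admin URL when the host is not allowed.

```python
from urllib.parse import urlparse

# Assumed allowlist for this example: the hosts this site may send visitors to.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if `target` keeps the visitor on an allowed host.

    Accepts site-relative paths ("/wp-admin/") and absolute http(s) URLs whose
    hostname is in the allowlist. Everything else is rejected, including the
    usual bypasses: scheme-relative "//evil", backslash "/\\evil" (browsers
    treat it as a slash), "https:evil" with no slashes, and userinfo tricks
    such as "https://example.com@evil".
    """
    if not target:
        return False
    t = target.strip()
    # Tabs, newlines and NULs inside a URL are stripped or mis-parsed by
    # browsers; refuse rather than guess what the browser will do with them.
    if any(ord(c) < 0x20 for c in t):
        return False
    # Browsers treat a backslash in the authority like a forward slash.
    t = t.replace("\\", "/")
    # Scheme-relative URL: the browser keeps the scheme but changes host.
    if t.startswith("//"):
        return False
    try:
        parsed = urlparse(t)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    if parsed.scheme:
        # Reject "javascript:", "data:" etc., and "https:evil.com", which has
        # a scheme but no authority and is still followed by browsers.
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            return False
        # .hostname drops userinfo and port and lower-cases the host, so
        # "https://example.com@evil.example/" yields "evil.example".
        return parsed.hostname in allowed_hosts
    # No scheme: only a site-relative path is acceptable.
    return t.startswith("/")


def choose_redirect(target: str, fallback: str = "/") -> str:
    """Hardened form of the handler: validate the requested target and fall
    back to a fixed page instead of sending `Location: <target>` blindly."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed test inputs, not taken from any real request log.
    for url in ["/wp-admin/", "https://www.example.com/page",
                "https://evil.example/", "//evil.example/",
                "/\\evil.example/", "https:evil.example",
                "https://example.com@evil.example/", "javascript:alert(1)"]:
        print(f"{url!r:42} -> {choose_redirect(url)}")
```

The allowlist is deliberately a set of exact hostnames rather than a prefix or substring match: `example.com.evil.example` and `evil.example/?x=example.com` both contain the trusted name and both must fail.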
How Do I Patch?
Commercial WordPress themes and plugins often have update workflows that differ from those native to the WordPress.org repository. In the case of the Bridge theme and its associated plugins, it seems many users aren’t getting the updates they need. According to our data, 38% of active Qode Instagram Widget installations haven’t been updated in more than two years, and that number jumps to 68% for Qode Twitter Feed users.
Updating these plugins first requires users to update the Bridge theme. This is done either by manually downloading and installing an updated copy of the theme from ThemeForest, or by using the Envato Market plugin which also comes bundled with the Bridge theme to update from within the WordPress dashboard.
It is important that you update and patch this theme if you are using it.
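A quick way to confirm you are actually on a fixed version, as an added Python example (not from Wordfence, Qode or the plugin authors) that covers both the WP Maintenance advisory and the Bridge/Qode one: it parses the `Version:` field from a plugin's main PHP file or a theme's `style.css` the way WordPress's `get_file_data()` does (only the first 8 KiB of the file, field name at the start of a line behind optional comment punctuation) and compares it numerically against the patched versions quoted above, so that 5.0.10 is not mistaken for being older than 5.0.6. The directory slugs in `PATCHED` are assumed from the product names and should be checked against your `wp-content` tree; the sample headers in the `__main__` block are constructed.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# First fixed versions quoted in the two advisories above. The directory slugs
# are assumptions based on the product names; confirm them under wp-content.
PATCHED: Dict[str, Tuple[str, str]] = {
    # slug: (kind, first fixed version)
    "wp-maintenance": ("plugin", "5.0.6"),
    "qode-instagram-widget": ("plugin", "2.0.2"),
    "qode-twitter-feed": ("plugin", "2.0.2"),
    "bridge": ("theme", "18.2.1"),
}

# Same shape as the header regex in WordPress's get_file_data(): the field
# name at the start of a line, optionally behind comment punctuation.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(?P<v>\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version_header(text: str) -> Optional[str]:
    """Version string from a plugin main file / theme style.css header, or None."""
    # WordPress only reads the first 8 KiB of the file for header fields.
    match = VERSION_RE.search(text[:8192])
    return match.group("v") if match else None


def version_key(version: str) -> Tuple[int, ...]:
    """'5.0.10' -> (5, 0, 10). A plain string compare would rank 5.0.10 below 5.0.6."""
    key = []
    for part in version.split("."):
        digits = re.match(r"\d+", part)  # '6-beta' -> 6, 'rc1' -> 0
        key.append(int(digits.group()) if digits else 0)
    return tuple(key)


def is_vulnerable(installed: str, patched: str) -> bool:
    """True if installed < patched; shorter keys are zero-padded (18.2 vs 18.2.1)."""
    a, b = version_key(installed), version_key(patched)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def check_header(slug: str, header_text: str) -> Dict[str, object]:
    """Verdict for one component, given the text of its header file."""
    installed = parse_version_header(header_text)
    kind, patched = PATCHED[slug]
    return {
        "slug": slug, "kind": kind, "installed": installed, "patched": patched,
        # An unreadable version is reported as vulnerable: a false alarm beats a miss.
        "vulnerable": installed is None or is_vulnerable(installed, patched),
    }


def scan_wp_content(wp_content: Path) -> List[Dict[str, object]]:
    """Read the real headers under wp-content for every component in PATCHED that is installed."""
    verdicts = []
    for slug, (kind, _) in PATCHED.items():
        if kind == "theme":
            files = [wp_content / "themes" / slug / "style.css"]
        else:  # WordPress looks at every top-level .php file of a plugin directory
            files = sorted((wp_content / "plugins" / slug).glob("*.php"))
        for path in files:
            if not path.is_file():
                continue
            text = path.read_text(errors="replace")
            if parse_version_header(text) is not None:
                verdicts.append(check_header(slug, text))
                break
    return verdicts


if __name__ == "__main__":
    # Constructed sample headers, not copied from the real plugins or theme.
    samples = {
        "wp-maintenance": "<?php\n/*\nPlugin Name: WP Maintenance\nVersion: 5.0.5\n*/\n",
        "qode-twitter-feed": "<?php\n/**\n * Plugin Name: Qode Twitter Feed\n * Version: 2.0.1\n */\n",
        "bridge": "/*\nTheme Name: Bridge\nVersion: 18.2.1\n*/\n",
    }
    for slug, text in samples.items():
        print(check_header(slug, text))
```

Run `scan_wp_content(Path("/var/www/html/wp-content"))` (path assumed) on the server to get the same verdicts from the installed files; anything reported as vulnerable, or with `installed` of `None`, needs the update workflow described above.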
See the full blog post, including how to patch: Open Redirect Vulnerability Patched In Bridge Theme
As the most popular content management system online, WordPress websites are a common target for hackers, spammers, and other malicious parties. That is why it is vital to take measures to make your website more secure.
The goal of most hackers is to infect your website with malware. Common malware threats include:
- Pharma Hacks – Injects spam into your website database or files
- Backdoors – Allows hackers to gain access to your website at any time using FTP or your WordPress admin area
- Drive by Downloads – When a hacker uses a script to download a file to the user's computer, either without their knowledge or by misleading the visitor and saying the software does something useful
- File and Database Injections – Inserts code into your files or database that lets the hackers do a number of different things
- Malicious Redirects – Redirects visitors to a page of theirs that misleads people into downloading an infected file
- Phishing – Used to acquire usernames, passwords, email addresses, and other sensitive information
When most people think about a website being hacked, they think about the hacker defacing the website and placing a message to visitors, e.g. "Your Website Has Been Hacked by ABCXYZ!".
In comparison to malware infections, website defacements are rare.
In reality, defacements are not that common. The majority of hackers do not want you to know that they have tampered with your website, as the first thing a website owner will do when they know that their website has been compromised is remove the malicious files in question.
Hackers who infect your website with malware are more discreet. The longer you are unaware of your website being infected, the longer they can use your website to send spam emails and infect your visitors. Even a secure WordPress website can be hacked without the owner knowing. It is therefore important that you scan your website regularly to detect any hidden malware.
In this article, I would like to show you services and plugin solutions that will help you detect malicious malware on your WordPress website.
See the full article on keeping your WordPress site secure, with the recommended services and plugins: How To Scan Your WordPress Website For Hidden Malware, from WordPress Security.
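Two of the checks that regular scanning boils down to, as an added Python example (not code from the article above or from any scanner plugin): a file-integrity baseline over `wp-content` (record SHA-256 hashes once, re-run later, report added, removed and modified files, which is how backdoors and file injections usually surface) and a handful of content indicators for the injected-code patterns named in the list above (eval over a decoded payload, request parameters called as functions, hidden iframes). The indicator list, the file-type selection and the sample file contents are constructed for the example; a hit is a reason to inspect the file, not proof of infection.

```python
import hashlib
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Heuristic indicators for injected PHP/HTML (constructed for this example).
# A hit means "look at this file", not "this file is malware".
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("eval-of-decoded-payload",
     re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(")),
    ("request-parameter-called-as-function",  # $_POST['x']($y) style backdoor
     re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(")),
    ("assert-or-create_function-on-request-data",
     re.compile(rb"(?:assert|create_function)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)")),
    ("preg_replace-e-modifier",  # the /e modifier evaluates the replacement as PHP
     re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]")),
    ("hidden-iframe",
     re.compile(rb"<iframe[^>]*(?:display\s*:\s*none|width\s*=\s*['\"]?0)", re.IGNORECASE)),
    ("long-base64-blob",  # obfuscated payloads are often one huge literal
     re.compile(rb"[A-Za-z0-9+/]{300,}={0,2}")),
]

# File types worth hashing; images and fonts are noise for this purpose.
SCAN_SUFFIXES = (".php", ".js", ".html", ".htm")
SCAN_NAMES = (".htaccess", "wp-config.php")


def scan_bytes(data: bytes) -> List[str]:
    """Names of every indicator that fires on this file content."""
    return [name for name, pattern in INDICATORS if pattern.search(data)]


def hash_tree(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 hex digest for every scannable file under root."""
    digests: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and (path.suffix.lower() in SCAN_SUFFIXES or path.name in SCAN_NAMES):
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Added, removed and modified paths between two hash_tree() snapshots."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Relative path -> indicator names, for files where at least one indicator fires."""
    hits: Dict[str, List[str]] = {}
    for rel in hash_tree(root):  # same file selection as the baseline
        found = scan_bytes((root / rel).read_bytes())
        if found:
            hits[rel] = found
    return hits


if __name__ == "__main__":
    # Constructed sample contents standing in for files under wp-content.
    samples = {
        "themes/example/functions.php": b"<?php function example_setup() { add_theme_support('title-tag'); }",
        "uploads/2019/11/cache.php": b"<?php @eval(base64_decode($_POST['p']));",
        "plugins/example/helper.php": b"<?php $f = $_GET['f']; $_REQUEST['c']($f);",
        "themes/example/footer.php": b'</main><iframe src="http://example.invalid/" style="display:none"></iframe>',
    }
    for rel, content in samples.items():
        print(f"{rel:32} {scan_bytes(content) or 'clean'}")
    # Baseline comparison on constructed snapshots: a.php unchanged, b.php modified, c.php new.
    before = {"a.php": "aa", "b.php": "bb"}
    after = {"a.php": "aa", "b.php": "cc", "c.php": "dd"}
    print(diff_baseline(before, after))
```

Take the baseline with `hash_tree()` right after a clean install or update, store it somewhere the web server cannot write (serialised with `json.dump`, for instance), and compare on a schedule: a PHP file appearing under `uploads/`, or a change to `wp-config.php` that you did not make, is worth investigating even when no content indicator fires.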