Recently Patched Vulnerability in Thrive Themes Actively Exploited in the Wild

On March 23, 2021, the Wordfence Threat Intelligence Team discovered two recently patched vulnerabilities being actively exploited in Thrive Theme’s “Legacy” Themes and Thrive Theme plugins that were chained together to allow unauthenticated attackers to upload arbitrary files on vulnerable WordPress sites. They estimate that more than 100,000 WordPress sites are using Thrive Theme products that may still be vulnerable.

Patches were released on March 12, 2021 for the vulnerable themes and plugins. WordFence is seeing these vulnerabilities being actively exploited in the wild, and they urge users to update to the latest versions available immediately since they contain a patch for these vulnerabilities.

Full article at:

Update from March 26:

Active Exploitation Continues on Unpatched Thrive Themes


Two Vulnerabilities Patched in Facebook for WordPress Plugin

The WordFence Threat Intelligence team responsibly disclosed a vulnerability in Facebook for WordPress, formerly known as Official Facebook Pixel, a WordPress plugin installed on over 500,000 sites. This flaw made it possible for unauthenticated attackers with access to a site’s secret salts and keys to achieve remote code execution through a deserialization weakness.

In addition, on January 27, 2021, WordFence disclosed a separately identified vulnerability in Facebook for WordPress that was introduced in the rebranding of the plugin in version 3.0.0. This flaw made it possible for attackers to inject malicious JavaScript into the plugin’s settings, if an attacker could successfully trick an administrator into performing an action such as clicking a link.

Full article:

Cross-Site Scripting Vulnerabilities in Elementor Impact Over 7 Million Sites

 These vulnerabilities allowed any user able to access the Elementor editor, including contributors, to add JavaScript to posts. This JavaScript would be executed if the post was viewed, edited, or previewed by any other site user, and could be used to take over a site if the victim was an administrator.

Full article at

Critical 0-day in The Plus Addons for Elementor Allows Site Takeover

Today, March 8, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day in The Plus Addons for Elementor, a premium plugin that we estimate has over 30,000 installations. This vulnerability was reported this morning to WPScan by Seravo, a hosting company. The flaw makes it possible for attackers to create new administrative user accounts on vulnerable sites, if user registration is enabled, along with logging in as other administrative users.

The Plus Addons for Elementor Lite, the free version by the same developer, does not appear to be vulnerable to this exploit.

None of the sites currently under management by are affected by this bug.

Full details:

Critical Vulnerability Patched in WooCommerce Upload Files

Please note that this is a separate plugin from the main WooCommerce plugin and is designed as an add-on to that plugin.

All of our current clients are protected against this vulnerability.

The threat researchers at WordFence detailed a critical 0-day vulnerability in the WooCommerce Upload Files plugin that would have allowed attackers to infect and completely take over a website. This vulnerability has been patched in version 59.4, and we recommend that all users update to the latest version of the plugin as soon as possible, which is 60.1 at the time of this writing.

Full article at:

Medium Severity Vulnerability Patched in User Profile Picture Plugin

Discovered 2/15/21, update issues 2/18/21.

User Profile Picture is a plugin designed to allow site owners to upload profile pictures for individual users. By default, WordPress will set a users profile picture to the associated Gravatar, if present, for any given email. This plugin makes it so that user profile pictures can be customized and can override the Gravatar associated with an email address.

One feature the plugin offered was the ability to add user profiles to a post using a Gutenberg block. When adding the block to a post, the plugin made a request for user data to retrieve the users profile picture and username for users with access to the Gutenberg editor in order to add the information to the block. To retrieve this information, the plugin registered the REST API route /mpp/v2/get_users tied to the rest_api_get_users function.

Unfortunately, this REST API endpoint returned more information than was required for its functionality. This included password hashes, hashed user activation keys, usernames, emails, and other less sensitive information.

Full article: