Inspiro Pro < 7.2.3 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not sanitize or escape the portfolio slider description, so a user with privileges as low as Contributor can store JavaScript in the description that executes in the browser of anyone who views the item, including Editors and Administrators.

Proof of Concept

Steps to reproduce:
1) As a Contributor, go to Portfolio in the dashboard and add a new item.
2) On the editing page that opens, scroll down to the slider section.
3) Enter the payload in the description field: <img src=1 onerror=alert('xss')>
4) Save and preview the item; the script fires.
5) Log in as an Administrator or Editor and preview the same portfolio item; the script fires again, this time in the higher-privileged user's session.
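As an added illustration (not code from the Inspiro Pro plugin or from the WPScan advisory), here is the output sink that produces this class of bug next to its fix, using the PoC payload above as the stored value. The function names, the wrapper markup and the regex check are assumptions made for this demo.

```php
<?php
// Added example, not Inspiro Pro's code. The stored value is the PoC payload
// from the steps above; function names and markup are assumptions.

// Assume this is what a Contributor saved in the slider description field.
$stored_description = "<img src=1 onerror=alert('xss')>";

// Vulnerable pattern: the saved value is echoed into the page unchanged, so
// the onerror handler runs in the browser of whoever views the item.
function render_slider_description_vulnerable(string $description): string
{
    return '<div class="slider-description">' . $description . '</div>';
}

// Hardened pattern (plain PHP): escape on output, so the browser sees literal
// text instead of markup. In WordPress the equivalent calls are esc_html() for
// a text-only field, or wp_kses_post() when limited HTML (<strong>, <a>, ...)
// must be allowed but event-handler attributes stripped.
function render_slider_description_safe(string $description): string
{
    $escaped = htmlspecialchars($description, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="slider-description">' . $escaped . '</div>';
}

// Regression check a site owner can run against a rendered page: flag any
// HTML in which an <img ... onerror= tag survives as live markup. An escaped
// payload appears as &lt;img ... and does not match.
function contains_live_payload(string $html): bool
{
    return (bool) preg_match('/<img\b[^>]*\bonerror\s*=/i', $html);
}

$vulnerable = render_slider_description_vulnerable($stored_description);
$safe       = render_slider_description_safe($stored_description);

printf("Vulnerable output: %s\n  live payload: %s\n", $vulnerable, contains_live_payload($vulnerable) ? 'yes' : 'no');
printf("Safe output:       %s\n  live payload: %s\n", $safe, contains_live_payload($safe) ? 'yes' : 'no');
```

Escaping at output is the part a theme or plugin controls directly. The reason a Contributor-level bug matters is that WordPress deliberately withholds the unfiltered_html capability from Contributors and Authors, so a plugin that stores and echoes their input unfiltered hands them an ability core denies them, and the payload then runs for the Editor or Administrator who reviews the item, as step 5 shows.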

Source: https://wpscan.com/vulnerability/dd6ebf6b-209b-437c-9fe4-527ab9e3b9e3

Nearly 5 Million Attacks Blocked Targeting 0-Day in BackupBuddy Plugin

Late on the evening of September 6, 2022, the Wordfence Threat Intelligence team was alerted to a vulnerability being actively exploited in BackupBuddy, a WordPress plugin Wordfence estimates has around 140,000 active installations. The vulnerability makes it possible for unauthenticated users to download arbitrary files from an affected site, which can include sensitive information such as wp-config.php with the database credentials.

After reviewing historical data, Wordfence determined that attackers started targeting this vulnerability on August 26, 2022, and that it had blocked 4,948,926 attacks against the vulnerability since then.

The vulnerability affects versions 8.5.8.0 to 8.7.4.1, and has been fully patched as of September 2, 2022 in version 8.7.5. Due to the fact that this is an actively exploited vulnerability, we strongly encourage you to ensure your site has been updated to the latest patched version 8.7.5 (or later) which iThemes has made available to all site owners running a vulnerable version regardless of licensing status.

All ProtectYourWP.com customers have been and will continue to be protected against any attackers trying to exploit this vulnerability due to the Wordfence firewall’s built-in directory traversal and file inclusion firewall rules. Of course, we have also updated your plugin.
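The underlying bug class here is path traversal leading to arbitrary file download, which is why the firewall's directory-traversal rules catch it. As an added example that is not BackupBuddy's code and does not use its real parameter or file names, here is the unsafe path construction beside a contained version; the directory layout and request strings are constructed for the demo.

```php
<?php
// Added example, not BackupBuddy's code. Parameter names, the backups
// directory layout and the request strings are assumptions for this demo.

// Vulnerable pattern: the requested name is glued onto the directory and used
// as-is. "../wp-config.php" walks out of the backups directory, and nothing
// here checks who is asking.
function backup_path_vulnerable(string $base_dir, string $requested): string
{
    return $base_dir . '/' . $requested;
}

// Hardened pattern: resolve the real path and require it to stay inside the
// backups directory, then restrict to the file type the directory should hold.
// In a WordPress handler this belongs behind a capability check such as
// current_user_can('manage_options') plus a nonce check; both are omitted here
// so the function runs stand-alone.
function backup_path_safe(string $base_dir, string $requested): ?string
{
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // Reject empty names, NUL bytes and absolute paths before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false || $requested[0] === '/') {
        return null;
    }
    $candidate = realpath($base . '/' . $requested);
    if ($candidate === false) {
        return null;                 // does not exist
    }
    // Containment: the resolved path must begin with "<base>/". This also
    // catches symlinks pointing outside the directory, which filtering "../"
    // out of the string would miss.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                 // traversal or symlink escape
    }
    if (!preg_match('/\.zip$/i', $candidate)) {
        return null;                 // not a backup archive
    }
    return $candidate;
}

// Demo layout (constructed): a backups directory holding one archive and a
// symlink, with a sensitive file one level up.
$root = sys_get_temp_dir() . '/bb_demo_' . getmypid();
mkdir("$root/backups", 0700, true);
file_put_contents("$root/backups/site-2022-09.zip", 'fake archive');
file_put_contents("$root/wp-config.php", "<?php // database credentials live here\n");
symlink("$root/wp-config.php", "$root/backups/latest.zip");   // symlink escape attempt

$requests = ['site-2022-09.zip', '../wp-config.php', '/etc/passwd', "site-2022-09.zip\0.txt", 'latest.zip'];
foreach ($requests as $req) {
    printf("%-32s vulnerable: %s\n", json_encode($req), json_encode(backup_path_vulnerable("$root/backups", $req)));
    printf("%-32s safe:       %s\n", '', backup_path_safe("$root/backups", $req) ?? 'REJECTED');
}

// Remove the throwaway files.
unlink("$root/backups/latest.zip");
unlink("$root/backups/site-2022-09.zip");
unlink("$root/wp-config.php");
rmdir("$root/backups");
rmdir($root);
```

The safe version accepts only the genuine archive and rejects the traversal, the absolute path, the NUL-byte truncation trick and the symlink, because it compares the resolved path rather than the string the client sent. Authentication is a separate, equally necessary fix: a correctly contained path still should not be downloadable by an unauthenticated visitor.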

Source and more details: https://www.wordfence.com/blog/2022/09/psa-nearly-5-million-attacks-blocked-targeting-0-day-in-backupbuddy-plugin

WordPress Core 6.0.2 Security & Maintenance Release – What You Need to Know

On August 30, 2022, the WordPress core team released WordPress version 6.0.2, which contains patches for 3 vulnerabilities, including a High Severity SQLi vulnerability in the Links functionality as well as two Medium Severity Cross-Site Scripting vulnerabilities.

These patches have been backported to every version of WordPress since 3.7. WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites should receive a patch for their major version of WordPress automatically over the next 24 hours. We recommend verifying that your site has been automatically updated to one of the patched versions. Patched versions are available for every major version of WordPress since 3.7, so you can update without risking compatibility issues. If your site has not been updated automatically we recommend updating manually.

Vulnerability Analysis

As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain protected.

Wordfence determined that these vulnerabilities are unlikely to be targeted for exploitation because of the special conditions needed to exploit them. In most circumstances they require either elevated privileges, such as those of an administrator, or the presence of a separate vulnerable or malicious plugin. Nonetheless, the Wordfence firewall should protect against any exploits that do not require administrative privileges. In nearly all cases administrators already have the maximum level of access, and an attacker with that level of access is unlikely to use a convoluted and difficult exploit when simpler paths to changing configuration or obtaining sensitive information are readily available.

Source and more details at: https://www.wordfence.com/blog/2022/08/wordpress-core-6-0-2-security-maintenance-release-what-you-need-to-know

WordPress 6.0.1 released

WordPress 6.0.1 was released on July 12, 2022.

This maintenance release features 12 bug fixes in Core and 18 bug fixes for the block editor.

Details on the 6.0.1 release: https://wordpress.org/support/wordpress-version/version-6-0-1/

Details on the upcoming 6.1 release: https://wptavern.com/wordpress-6-1-to-focus-on-refining-full-site-editing-next-phase-collaboration-and-multilingual-features-anticipated-in-2023-2025

730K WordPress sites force-updated to patch critical Ninja Forms plugin bug

WordPress sites using Ninja Forms, a forms builder plugin with more than 1 million installations, have been force-updated en masse this week to a new build that addresses a critical security vulnerability likely exploited in the wild.

The vulnerability is a code injection flaw affecting multiple Ninja Forms releases from version 3.0 onward.

Wordfence threat analyst Ramuel Gall discovered, while reverse-engineering the patch, that unauthenticated attackers can exploit the bug remotely to call various Ninja Forms classes through a flaw in the Merge Tags feature.

Successful exploitation gives an attacker complete control of an unpatched site through several exploitation chains, one of which reaches remote code execution via deserialization.

“We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection,” Wordfence threat intelligence lead Chloe Chamberland said.

“This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.”
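The mechanism Wordfence describes, unserialize() on attacker-supplied content while a gadget class (a "POP chain") is loaded, is easiest to see in a tiny self-contained case. This is an added example, not Ninja Forms code (nor the Booking Calendar plugin's, which the later item on this page reports had the same Object Injection bug class); the gadget class, the merge-tag handler names and the serialized payload are assumptions constructed for the demo.

```php
<?php
// Added example, not Ninja Forms code. The gadget class, the handler names and
// the serialized payload are assumptions constructed for this demo.

// A gadget: any class already loaded on the site whose magic method does
// something dangerous with attacker-controlled properties. This one mirrors
// the "delete arbitrary files" outcome Wordfence mentions.
class TempFileCleanup
{
    public string $path = '';

    public function __destruct()
    {
        // Fires when the object is freed, which happens right after
        // unserialize() returns even if the caller never touches the object.
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern: user-supplied content goes straight into unserialize(),
// so the attacker decides which classes get instantiated and with what state.
function resolve_merge_tag_vulnerable(string $value)
{
    return unserialize($value);
}

// Hardened pattern 1: keep unserialize() but forbid class instantiation.
// Any object in the payload becomes __PHP_Incomplete_Class, on which no
// __wakeup/__destruct/__toString gadget can run. (allowed_classes needs PHP 7.0+.)
function resolve_merge_tag_safe(string $value)
{
    return unserialize($value, ['allowed_classes' => false]);
}

// Hardened pattern 2: do not accept PHP's serialization format from untrusted
// input at all; JSON carries data but cannot name a class.
function resolve_merge_tag_json(string $value)
{
    return json_decode($value, true, 512, JSON_THROW_ON_ERROR);
}

// Demo: a file the attacker wants deleted, and a hand-built payload naming the
// gadget class. It is built by hand rather than via serialize(new ...) because
// constructing the object locally would run its destructor immediately.
$victim  = tempnam(sys_get_temp_dir(), 'victim_');
$payload = sprintf('O:15:"TempFileCleanup":1:{s:4:"path";s:%d:"%s";}', strlen($victim), $victim);

$obj = resolve_merge_tag_safe($payload);
printf("safe:       got %s, victim still exists: %s\n", get_class($obj), var_export(is_file($victim), true));
unset($obj);

try {
    resolve_merge_tag_json($payload);
} catch (JsonException $e) {
    printf("json:       rejected (%s), victim still exists: %s\n", $e->getMessage(), var_export(is_file($victim), true));
}

$obj = resolve_merge_tag_vulnerable($payload);
printf("vulnerable: got %s\n", get_class($obj));
unset($obj);   // __destruct runs here and the victim file is removed
printf("vulnerable: victim still exists: %s\n", var_export(is_file($victim), true));
```

The point of the demo is the last two lines: the vulnerable handler never calls any method on the object, yet the file is gone, because the attacker chose a class whose destructor does the work. That is why Wordfence's note about a "separate POP chain" matters: the deserialization sink is only half the exploit, and the impact depends on which gadget classes the rest of the site happens to load.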

Samuel Wood, a WordPress developer, said in October 2020 that Automattic had used forced security updates to push “security releases for plugins many times” since WordPress 3.7 was released.

As Automattic security researcher Marc Montpas also told BleepingComputer in February, forced patching is used regardless of their admins’ settings in “very rare and exceptionally severe cases.”

Source and more details: https://www.bleepingcomputer.com/news/security/730k-wordpress-sites-force-updated-to-patch-critical-plugin-bug/

See also: https://www.wordfence.com/blog/2022/06/psa-critical-vulnerability-patched-in-ninja-forms-wordpress-plugin/

Cross-Site Scripting Vulnerability In Download Manager Plugin

Security Researcher Rafie Muhammad reported a reflected Cross-Site Scripting (XSS) vulnerability that they discovered in Download Manager, a WordPress plugin installed on over 100,000 sites. It was assigned a vulnerability identifier of CVE-2022-1985.

All Wordfence users, including Free, Premium, Care, and Response, are protected from exploits targeting this vulnerability thanks to the Wordfence Firewall’s built-in Cross-Site Scripting protection.

Even though Wordfence provides protection against this vulnerability, we strongly recommend ensuring that your site has been updated to the latest patched version of Download Manager, which is version 3.2.43 at the time of this publication.

As usual, all ProtectYourWP clients who use Download Manager have already been updated.

Source and more details: https://www.wordfence.com/blog/2022/06/security-vulnerability-download-manager-plugin

WordPress 6.0 Released

The majority of our client sites have already been upgraded to WP 6.0. We’ll be upgrading the rest in the near future – once we have taken recent backups of the site at the current 5.9.3 version. To our knowledge only one site has had any problems, but do let us know if the upgrade has broken anything on your site!

Critical Privilege Escalation Vulnerability in Jupiter and JupiterX Premium Themes

The Wordfence Threat Intelligence team discovered a set of vulnerabilities in the Jupiter and JupiterX Premium themes and the required JupiterX Core companion plugin for WordPress, which included a critical privilege escalation vulnerability that allowed any user to become an administrator.

Fully patched versions of all vulnerable components were made available on May 10, 2022.

Full details at: https://www.wordfence.com/blog/2022/05/critical-privilege-escalation-vulnerability-in-jupiter-and-jupiterx-premium-themes

You Need to Update iOS, Android, and Chrome Right Now

April has been a big month for security updates, including emergency patches for Apple’s iOS and Google Chrome to fix vulnerabilities already being used by attackers.

Microsoft has released important fixes as part of its mid-April Patch Tuesday, while Android users across multiple devices need to make sure they are applying the latest update when it becomes available.

Apple iOS and iPadOS 15.4.1, macOS 12.3.1

Just two weeks after the launch of iOS 15.4, Apple issued iOS and iPadOS 15.4.1 to fix a vulnerability in AppleAVD that was already being used to attack iPhones. By exploiting the vulnerability, tracked as CVE-2022-22675, an adversary could execute arbitrary code with kernel privileges via an app, according to Apple’s support page. That could give an attacker full control of the device, so it’s important to apply the fix.

As an added bonus, iOS and iPadOS 15.4.1 fixes a battery drain issue affecting some iPhones on iOS 15.4. The updates are available for iPhone 6s and later, iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch 7th generation.

Meanwhile, macOS Monterey 12.3.1 fixes the same issue in macOS, as well as another vulnerability in the Intel graphics driver, CVE-2022-22674, which could allow an app to read kernel memory. It’s another important fix—Apple says the issue may have been exploited by attackers.

Apple also released tvOS 15.4.1 and watchOS 8.5.1 including bug fixes.

Apple updates have been coming thick and fast over the past year, with the iPhone maker fixing a number of significant vulnerabilities, including the zero-click issue exploited by the Pegasus spyware, the highly targeted malware developed by Israeli firm NSO Group. This was the subject of a recent report by security researchers at Citizen Lab, who have detailed how Pegasus and other similar zero-click attacks targeted members of the European Parliament, legislators, political activists, and civil society organizations.

A zero-click attack is particularly scary because, as the name implies, it requires no interaction to work. That means an image sent via iMessage could infect your iPhone with spyware.

Citizen Lab detailed a previously undisclosed iOS zero-click vulnerability called HOMAGE used by NSO Group. Some iOS versions prior to iOS 13.2 could be at risk, making it all the more important your iPhone is up to date.

Android’s April 2022 Patches

Android users also need to be on alert, as Google has patched 44 flaws in its mobile operating system this month. According to Google’s Android Security Bulletin, the most severe issue in the framework component could allow local privilege escalation without any interaction from the user.

The update is split into two parts: the 2022-04-01 security patch level for most Android devices, and the 2022-04-05 security patch level applying to specific phones and tablets. The latter of the two fixes 30 issues in system and kernel components, among other areas. There are also patches for five security issues specific to Google’s Pixel smartphones, one of which could allow an app to escalate privileges and execute code on certain versions of Linux.

To find the update, you’ll need to check your device settings. Devices that have received the Android April update so far include Google’s Pixel devices and some third-party Android phones, including the Samsung Galaxy A32 5G, A51, A52 5G, A53 5G, A71, S10 series, S20 series, Note20 series, Z Flip 5G, Z Flip3, Z Fold, Z Fold2, and the Z Fold3, as well as the OnePlus 9 and OnePlus 9 Pro.

Google Chrome Emergency Updates

As the world’s biggest browser with over 3 billion users, it’s no surprise attackers are targeting Google Chrome. Browser-based attacks are particularly worrying because they can potentially be chained together with other vulnerabilities and used to take over your device.

It has been a particularly busy month for the team behind Google’s Chrome browser, which has seen several security updates within weeks of each other. The latest, pushed out in mid-April, fixes two issues including a high-severity zero-day vulnerability, CVE-2022-1364, which is already being used by attackers.

The technical details aren’t currently available, but the timing of the fix—just a day after it was reported—indicates it’s pretty serious. If you use Chrome, your browser should now be on version 100.0.4896.127 to include the fix. You’ll need to restart Chrome after the update has installed to ensure it activates.

The Chrome issue also impacts other Chromium-based browsers, including Brave, Microsoft Edge, Opera, and Vivaldi, so if you use one of those, make sure you apply the patch.

But that’s not all. On April 27, Google announced another Chrome update, fixing 30 security vulnerabilities. None of these have been exploited yet, the company says, but seven are rated as being a high risk. The update takes the browser to version 101.0.4951.41.

Microsoft’s Busy April Patch Tuesday

Microsoft had a major Patch Tuesday in April, issuing fixes for over 100 vulnerabilities, including 10 critical RCE flaws. One of the most important, CVE-2022-24521, is already being exploited by attackers, according to the company.

Reported by the NSA and researchers at CrowdStrike, the issue in the Windows Common Log File System driver doesn’t require user interaction to be exploited and can be used to obtain administrative privileges on a logged-in system. Other notable fixes include CVE-2022-26904, a publicly known issue, and CVE-2022-26815, a severe DNS Server flaw.

Mozilla Thunderbird 91.8.0 Fix

On April 5, Mozilla released a patch to fix security issues in its Thunderbird email client as well as its Firefox browser. The details are scant, but Thunderbird 91.8 fixes four vulnerabilities rated as having a high impact, some of which could be exploited to run arbitrary code.

Firefox ESR 91.8 and Firefox 99 also fix multiple security issues.

Source: https://www.wired.com/story/ios-android-chrome-updates-april-2022/

PHP Object Injection Vulnerability in Booking Calendar Plugin

On April 18, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for an Object Injection vulnerability in the Booking Calendar plugin for WordPress, which has over 60,000 installations.

Wordfence received a response the same day and sent over the full disclosure early the next day, on April 19, 2022. A patched version of the plugin, 9.1.1, was released on April 21, 2022.

As usual, all our ProtectYourWP clients who use this plugin were updated to the patched version within 24 hrs of its release.

Source: https://www.wordfence.com/blog/2022/04/php-object-injection-in-booking-calendar-plugin