Cross-Site Request Forgery Patched in WP Fluent Forms

Wordfence Threat Intelligence team responsibly disclosed a Cross-Site Request Forgery(CSRF) vulnerability in WP Fluent Forms, a WordPress plugin installed on over 80,000 sites. This vulnerability also allowed a stored Cross-Site Scripting(XSS) attack which, if successfully exploited, could be used to take over a site.

A patched version of the plugin, 3.6.67, was released on March 5, 2021


High Severity Vulnerability Patched in WooCommerce Stock Manager Plugin

The Wordfence Threat Intelligence team discovered and reported a vulnerability in WooCommerce Stock Manager, a WordPress plugin installed on over 30,000 sites. This flaw made it possible for an attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, as long as they could trick a site’s administrator into performing an action like clicking on a link.

A patch was quickly released on May 28, 2021 in version 2.6.0.


Malicious Attack Campaign Targeting Jetpack Users Reusing Passwords

The Wordfence Threat Intelligence and Site Cleaning teams have been tracking a malware campaign that redirects all site visitors to malvertising domains, while attempting to keep site administrators unaware of the infection. Since June 1, 2021, the number of sites we are tracking that have been infected with this malware has more than doubled, and we expect this campaign to continue gaining momentum as it relies on a mechanism that is difficult to block directly.

Jetpack is one of the most popular plugins in the WordPress repository, and it has a dizzying array of features that require users to connect their sites to a account. One of these features allows users that are logged in to to perform administrative tasks, including plugin installation, on sites that are connected to via Jetpack.

Unfortunately this means that if the credentials for a account are compromised, an attacker can login to that account and install arbitrary plugins on the connected WordPress site no matter where it is hosted. This includes the malicious plugin used in this campaign. We’ve written about this intrusion vector in the past, and it is regaining popularity due to a number of recent data breaches from other services.

To clarify, no data breach has occurred at itself. However, password reuse is incredibly common, and credentials obtained from recent data breaches are likely to grant access to a number of user accounts. Additionally, although it is possible to configure Jetpack to allow direct login to a site via credentials, this setting does not need to be enabled in order for a site to be vulnerable. All that is required is that a site be connected to a account that has compromised credentials.

What should I do?

If you use Jetpack, you should turn on 2-Factor authentication at While we strongly recommend using a mobile app or security key for this, even SMS-based 2-Factor authentication is significantly more secure than relying on passwords alone.

If you use the same password for your account that you’ve used for any other service, change your password immediately.


Critical 0-day in Fancy Product Designer Under Active Attack

A patched version of Fancy Product Designer, 4.6.9, is now available as of June 2, 2021. This article has been updated to reflect newly available information, including Indicators of Compromise.

On May 31, 2021, the Wordfence Threat Intelligence team discovered a critical file upload vulnerability being actively exploited in Fancy Product Designer, a WordPress plugin installed on over 17,000 sites.

We initiated contact with the plugin’s developer the same day and received a response within 24 hours. We sent over the full disclosure the same day we received a response, on June 1, 2021. Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details until users have time to update to the patched version in order to alert the community to take precautions to keep their sites protected.

While the Wordfence Firewall’s built-in file upload protection sufficiently blocks the majority of attacks against this vulnerability, we determined that a bypass was possible in some configurations. As such, we released a new firewall rule to our premium customers on May 31, 2021. Sites still running the free version of Wordfence will receive the rule after 30 days, on June 30, 2021.

As this is a Critical 0-day under active attack and is exploitable in some configurations even if the plugin has been deactivated, we urge anyone using this plugin to update to the latest version available, 4.6.9, immediately.


Severe Vulnerabilities Patched in Simple 301 Redirects by BetterLinks Plugin

The Wordfence Threat Intelligence team reported several vulnerabilities they had discovered in Simple 301 Redirects by BetterLinks, a WordPress plugin installed on over 300,000 sites. One of these flaws made it possible for unauthenticated users to update redirects for the site allowing an attacker to redirect all site traffic to an external malicious site. In addition, there were several remaining flaws that made it possible for authenticated users to perform actions like installing and activating plugins, in addition to less critical actions.

An initial patch was released on April 15, 2021, and a fully patched version of the plugin was released on May 5, 2021 as version 2.0.4.


Over 600,000 Sites Impacted by WP Statistics Patch

The Wordfence Threat Intelligence team discovered and reported a vulnerability in WP Statistics, a plugin installed on over 600,000 WordPress sites.

The vulnerability allowed any site visitor to extract sensitive information from a site’s database via Time-Based Blind SQL Injection.

We received a response to our initial disclosure the same day, on March 13, 2021, and sent the full disclosure to the plugin’s developers at VeronaLabs. A patch for this vulnerability was released on March 25, 2021.


Critical Vulnerability Patched in External Media Plugin

On February 2, 2021, the WordFence Threat Intelligence team discovered a vulnerability in External Media, a WordPress plugin used by over 8,000 sites, and reported it to the developer. This flaw made it possible for authenticated users, such as subscribers, to upload arbitrary files on any site running the plugin. This vulnerability could be used to achieve remote code execution and take over a WordPress site.

After several minor patches and follow-ups with the developer, a fully patched version was released as version 1.0.34.

This is considered a critical vulnerability. Therefore, we highly recommend updating to the latest patched version available, 1.0.34, immediately.

All of our client sites have of course been updated.

SQL Injection Vulnerability Patched in CleanTalk AntiSpam Plugin

The CleanTalk WordPress plugin has a number of uses, but one of its primary purposes is to protect sites against spam comments. Part of how it does this is by maintaining a blocklist and tracking the behavior of different IP addresses, including the user-agent string that browsers send to identify themselves.

Many of our users have CleanTalk installed.

The vulnerability was patched on March 10 and the update was applied to all our client sites within 24 hrs. Fortunately, we’re not aware of any clients having become victims.

Article source:

Widespread Attacks Continue Targeting Vulnerabilities in The Plus Addons for Elementor Pro

From WordFence:

Over the past 10 days, Wordfence has blocked over 14 million attacks targeting Privilege Escalation Vulnerabilities in The Plus Addons for Elementor Pro on over 75% of sites reporting attacks during this period. By April 13, 2021, this campaign was targeting more sites than all other campaigns put together.

Despite only having an estimated install count of roughly 30,000 sites, nearly 60% of which should now be running a patched version of the plugin, over 2.8 million sites protected by Wordfence have been targeted by this campaign since April 8, 2021. It is likely that these numbers are reflected by the larger WordPress ecosystem as a whole and that millions of sites that are not protected by Wordfence are also being attacked.

The original vulnerability was already being actively attacked when it was reported by hosting company Seravo, making it a 0-day at the time. This vulnerability allowed attackers to login as an administrator or to create new administrative accounts on any site with the plugin installed. While analyzing the plugin, the Wordfence Threat Intelligence team found additional vulnerabilities and notified the plugin’s developer. A firewall rule protecting against these vulnerabilities was released to our premium users on March 8, 2021, and became available to free users on April 7, 2021.