Hackers are fighting a war over 300K vulnerable WordPress sites

Attackers who are actively exploiting a critical remote code execution flaw affecting over 600,000 WordPress sites running vulnerable File Manager plugin versions have also been seen protecting the sites they compromise from other threat actors’ attacks.

The critical vulnerability allows unauthenticated attackers to upload malicious PHP files and execute arbitrary code following successful exploitation. File Manager’s dev team addressed the flaw with the release of File Manager 6.9.

Even though the flaw was patched within hours after the devs were informed by Seravo’s…



Exploring Seedlet, Automattic’s Block-First WordPress Theme – WordPress Tavern

On August 26, Automattic launched a new theme titled Seedlet that focused on integrating with the WordPress block editor. A few days later, it was also live in the WordPress.org theme directory. The theme development team wanted to produce a theme that would be in a good position to transition to full-site editing later this year as WordPress 5.6 lands.

Seedlet makes wide use of features that integrate with the block editor. It does so in what is the simplest of ways, which is a testament to how much easier theme development is becoming in the dawn of the block-based themes era….




WordPress Plug-in Has Critical Zero-Day – Dark Reading

Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database

CVE-2020-1913
PUBLISHED: 2020-09-09

An integer signedness error in the JavaScript Interpreter in Facebook Hermes prior to commit 2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6 allows attackers to cause a denial of service attack or a potential RCE via crafted JavaScript. Note that this is only exploitable if the application using Hermes per…

CVE-2020-24379
PUBLISHED: 2020-09-09

WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection.

CVE-2020-24916
PUBLISHED: 2020-09-09

CGI…



Reflected XSS in WordPress Plugin Admin Pages

The administrative dashboard in WordPress is a pretty safe place: Only elevated users can access it. Exploiting a plugin’s admin panel would serve very little purpose here — an administrator already has the required permissions to do all of the actions a vulnerability could cause.

While this is usually true, there are a number of techniques bad actors are using to trick an administrator into performing actions they would not expect, such as Cross-Site Request Forgery (CSRF) or clickjacking attacks. By using these techniques, an attacker can exploit a vulnerability on the behalf of an…



Brandezk Launches Ecommerce Development on Shopify, Magento, and WordPress

NEW YORK, Sept. 07, 2020 (GLOBE NEWSWIRE) — Brandezk, a renowned web design agency, recently announced the introduction of E-commerce development services on its website. The company announced its development services for several platforms, including Shopify, Magento, WordPress, and also announced the development of 100% made-to-order E-commerce stores for clients having custom needs.

The company has specialized in providing mobile app development services for years. The recent shift in the company’s modus operandi, as stated by the managing director of the company, was made ‘in…



Millions of WordPress sites are being probed & attacked with recent plugin bug

Millions of WordPress sites have been probed and attacked this week, Defiant, the company behind the Wordfence web firewall, said on Friday.

The sudden spike in attacks happened after hackers discovered and started exploiting a zero-day vulnerability in “File Manager,” a popular WordPress plugin installed on more than 700,000 sites.

The zero-day was an unauthenticated file upload vulnerability that allowed an attacker to upload malicious files on a site running an older version of the File Manager plugin.

It’s unclear how…



WordPress Support Team Seeks to Curb Support Requests for Commercial Plugins and Themes – WordPress Tavern

WordPress’ Support Team contributors are discussing how they can curb support requests for commercial products on the official WordPress.org forums. Users sometimes seek help for commercial product upgrades on the forums of the free version, not knowing that the moderators’ official policy is to refer them to the extension’s commercial support channel. In other instances, it is not immediately clear whether the issue is with the free version or a paid upgrade that the user has installed.

“This has come up a few times the past weeks, mostly in relation to plugins that…



Gutenberg 8.9 Brings Block-Based Widgets Out of the Experimental Stage – WordPress Tavern

On Wednesday, September 2, Gutenberg 8.9 launched with a set of new features, enhancements, and several bug fixes. The development team took the block-based widgets system out of its experimental stage, making it the default experience for all plugin users.

Block-based widgets have taken months upon months of work. The team has surpassed some of my expectations by essentially sticking a square peg into a square hole, granting the power of blocks to the sidebars/widgets system. On the whole, the system works. However, the team still has a lot of work to mold this feature into the…

