11 Jul 2016

Protecting You Against Wordfence’s Bad Practices: Remote Code Execution (RCE) Vulnerability in WP Maintenance Mode

Wordfence is putting WordPress websites at risk by disclosing vulnerabilities in plugins while omitting the critical details needed to double-check its work, in what appears to be an attempt to profit from those vulnerabilities. We are releasing those details so that others can review the vulnerabilities and try to limit the damage Wordfence’s practice could cause.

Wordfence describes the remote code execution (RCE) vulnerability in WP Maintenance Mode version 2.0.6 as one that “allows unsanitized user input to be evaluated as PHP code. In WordPress Multisite, a site administrator could exploit this vulnerability to execute shell commands, access sensitive information, escalate privileges or cause denial of service”.

11 Jul 2016

Protecting You Against Wordfence’s Bad Practices: Missing Authorization Vulnerability in WP Maintenance Mode

Wordfence is putting WordPress websites at risk by disclosing vulnerabilities in plugins while omitting the critical details needed to double-check its work, in what appears to be an attempt to profit from those vulnerabilities. We are releasing those details so that others can review the vulnerabilities and try to limit the damage Wordfence’s practice could cause.

Wordfence describes the missing authorization vulnerability in WP Maintenance Mode version 2.0.6 as follows: “This vulnerability allows an attacker with a subscriber level account to modify plugin settings.”

11 Jul 2016

Protecting You Against Wordfence’s Bad Practices: Information Disclosure Vulnerability in WP Maintenance Mode

Wordfence is putting WordPress websites at risk by disclosing vulnerabilities in plugins while omitting the critical details needed to double-check its work, in what appears to be an attempt to profit from those vulnerabilities. We are releasing those details so that others can review the vulnerabilities and try to limit the damage Wordfence’s practice could cause.

Wordfence describes the information disclosure vulnerability in WP Maintenance Mode version 2.0.6 as one that “allows a remote attacker to download the list of subscribers from WP Maintenance Mode who have asked to be notified when a site returns to full functionality. To exploit this vulnerability, an attacker simply needs to have a registered account on the victim site with no special permissions.”
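The two Wordfence descriptions above (a subscriber-level account changing plugin settings, and a registered account with no special permissions downloading the subscriber list) both belong to the same class: a WordPress admin-ajax handler that is reachable by any logged-in user but never checks what that user is allowed to do. The PHP below is an added, generic illustration of that class written for this page; it is not code from WP Maintenance Mode 2.0.6, not Wordfence’s code, and does not claim to reproduce how the plugin was actually written. All function names, the option key, the table name and the nonce actions (`example_mm_*`) are hypothetical.

```php
<?php
// Added illustrative example, not code from WP Maintenance Mode or Wordfence.
// A handler hooked on wp_ajax_{action} runs for ANY logged-in user, subscribers
// included, unless the handler itself checks a capability and a nonce.
// All example_mm_* names, the option key and the table name are hypothetical.

// ---- Vulnerable pattern -------------------------------------------------
// Registering only the logged-in hook is often mistaken for "admins only".
// It is not: a subscriber can POST action=example_mm_save_settings to
// wp-admin/admin-ajax.php and reach this function.
add_action( 'wp_ajax_example_mm_save_settings', 'example_mm_save_settings_vulnerable' );

function example_mm_save_settings_vulnerable() {
    $settings = array(
        'status' => isset( $_POST['status'] ) ? $_POST['status'] : '0',
        'title'  => isset( $_POST['title'] )  ? $_POST['title']  : '',
        'notice' => isset( $_POST['notice'] ) ? $_POST['notice'] : '',
    );
    update_option( 'example_mm_settings', $settings ); // no capability check, no nonce
    wp_send_json_success();
}

// The read side has the same defect: any logged-in account gets the export.
add_action( 'wp_ajax_example_mm_export_subscribers', 'example_mm_export_subscribers_vulnerable' );

function example_mm_export_subscribers_vulnerable() {
    global $wpdb;
    $rows = $wpdb->get_results( "SELECT email FROM {$wpdb->prefix}example_mm_subscribers", ARRAY_A );
    header( 'Content-Type: text/csv' );
    foreach ( $rows as $row ) {
        echo $row['email'] . "\n";
    }
    wp_die();
}

// ---- Hardened pattern ---------------------------------------------------
// 1. check_ajax_referer() ties the request to a nonce the admin page issued
//    (stops CSRF against a real administrator; dies with -1 on failure).
// 2. current_user_can() gates on the capability the operation needs. Site-wide
//    plugin settings are normally gated on manage_options, which subscribers
//    never hold (on Multisite a per-site administrator does, a subscriber does not).
// 3. Every stored field is sanitized.
add_action( 'wp_ajax_example_mm_save_settings_v2', 'example_mm_save_settings_hardened' );

function example_mm_save_settings_hardened() {
    check_ajax_referer( 'example_mm_save_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $settings = array(
        'status' => ( isset( $_POST['status'] ) && '1' === $_POST['status'] ) ? '1' : '0',
        'title'  => isset( $_POST['title'] )  ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '',
        'notice' => isset( $_POST['notice'] ) ? wp_kses_post( wp_unslash( $_POST['notice'] ) )       : '',
    );
    update_option( 'example_mm_settings', $settings );
    wp_send_json_success();
}

add_action( 'wp_ajax_example_mm_export_subscribers_v2', 'example_mm_export_subscribers_hardened' );

function example_mm_export_subscribers_hardened() {
    check_ajax_referer( 'example_mm_export_subscribers', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    global $wpdb;
    $rows = $wpdb->get_results( "SELECT email FROM {$wpdb->prefix}example_mm_subscribers", ARRAY_A );
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="subscribers.csv"' );
    foreach ( $rows as $row ) {
        echo $row['email'] . "\n";
    }
    wp_die();
}

// The settings page that sends these requests must emit matching nonces, e.g.
// wp_create_nonce( 'example_mm_save_settings' ), passed in the "nonce" field.
```

When reviewing a plugin for this class, list every `add_action( 'wp_ajax_...' )` and `add_action( 'wp_ajax_nopriv_...' )` registration and confirm that each handler calls `current_user_can()` with a capability appropriate to what it does; a nonce check alone is not authorization, since a subscriber can obtain a nonce for any page they are allowed to load.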