Reflected XSS in Header Footer Code Manager

On February 15, 2022, the Wordfence Threat Intelligence team responsibly disclosed a reflected Cross-Site Scripting (XSS) vulnerability in Header Footer Code Manager, a WordPress plugin with over 300,000 installations. The plugin publisher quickly acknowledged our initial contact and we sent the full disclosure details the same day, on February 15, 2022. A patched version, 1.1.17, …

WordPress 5.9.1 Maintenance Release

WordPress 5.9.1 is now available! This maintenance release features 82 bug fixes in both Core and the block editor. WordPress 5.9.1 is a short-cycle maintenance release. The next major release will be version 6.0. You can download WordPress 5.9.1 from WordPress.org, or visit your Dashboard → Updates and click “Update Now”. If you have sites that support automatic …

WP Briefing: Episode 25: Five Cents on Five for the Future

In this twenty-fifth episode of the WordPress Briefing, Executive Director Josepha Haden Chomphosy discusses future-proofing the WordPress project with the Five for the Future pledge. Have a question you’d like answered? You can submit it to wpbriefing@wordpress.org, either written or as a voice recording. Credits: Editor: Dustin Hartzler; Logo: Beatriz Fialho; Production: Chloé Bringmann & Santana Inniss; Song: Fearless First by …

Friday Fun: From Idea to Animated Film

It’s Friday, and I thought we’d have fun talking about something a little different. At Wordfence, one of my priorities is fostering a strong creative team and culture, and investing in creators. Emily Dalmas joined us as a full-time producer almost a year ago via her job as Associate Producer for The Tonight Show Starring …

Vulnerability in UpdraftPlus Allowed Subscribers to Download Sensitive Backups

On February 17, 2022, UpdraftPlus, a WordPress plugin with over 3 million installations, updated with a security fix for a vulnerability discovered by security researcher Marc Montpas. This vulnerability allowed any logged-in user, including subscriber-level users, to download backups made with the plugin. Backups are a treasure trove of sensitive information, and frequently include configuration …