The popular page-builder plugin WPBakery, installed in over 4 million websites, was discovered to host a critical flaw that allowed for attackers with contributor-level or above permissions, to inject malicious JavaScript in posts.

After a long period of patch development by the plugin team, a working patch was finally released on September 24, 2020.

We highly recommend updating to the latest version immediately (version 6.4.1 or higher). Simultaneously, we also recommend double-checking your website user list to make sure that no untrusted contributor-level or higher accounts have made their way inside.

For more information, please check the official public release.

---

If you have questions, don’t hesitate to contact our support team.

We are seeing a disturbing trend emerging from the WordPress community in the past few days and that is an upsurge of reported security breaches. We strongly recommend website admins to perform a security scan of their websites right now and address issues if any.

The clean-up requests we’ve received have surged and here are just some of the scan reports we’ve received:

One of the likely culprits for these breaches is the recently discovered critical security flaw with the WP File Manager plugin. Read the reports here:

https://arstechnica.com/information-technology/2020/09/hackers-are-exploiting-a-critical-flaw-affecting-350000-wordpress-sites/

https://www.techradar.com/news/millions-of-wordpress-sites-targeted-using-major-security-flaw

In any case, this is the most widespread breach we’ve seen over the years and should not be taken lightly.

Even if you do not have the WP File Manager plugin installed, we strongly recommend an immediate scan of your websites using Wordfence or any similar security plugin. And clean up issues ASAP if any are found.

---

If you have any questions or need assistance, don’t hesitate to contact our support team.

Secure your WordPress website

A critical flaw has just been recently disclosed for the widely used payment gateway, WooCommerce extension NAB Transact. By exploiting a vulnerability in the plugin, attackers could potentially fool vendor systems into believing payment has already been settled.

For users of this plugin, it is critical that you update the plugin on your website immediately. The issue is present for version 2.1.0 and older, and has been patched in version 2.1.2.

For more information, please check the official public release.

---

If you have questions, don’t hesitate to contact our support team.

WordPress 5.5 “Eckstine” Release

WordPress.org has just released WordPress 5.5 “Eckstine”, which arrives with a host of speed, security, search, accessibility, block editor, and developer functionality improvements.

For more information, please check the official public release.

WooCommerce 4.3.2 Fix Release

As for Woocommerce, they have just shipped a minor fix release that improves compatibility with the aforementioned WordPress 5.5 release.

For more information, please check the official public release.

---

If you have questions, don’t hesitate to contact our support team

The Official Facebook Chat Plugin, a WordPress plugin installed on over 80,000 sites, is a simple plugin that adds a “Facebook Messenger” chat pop-up to a WordPress site and connects a chosen Facebook page to receive messages and interact with site visitors.

A flaw was discovered taking advantage of this, which made it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site and engage in chats themselves.

We highly recommend updating to version 1.6 immediately to keep your site protected against any attacks attempting to exploit this vulnerability.

For more information please check the official public release.

---

If you have questions, don’t hesitate to contact our support team.