The plugin Orbit Fox by ThemeIsle, a multi-functionality plugin installed on over 400,000 sites, has been found to carry two critical vulnerabilities. The vulnerabilities can potentially allow attackers to take over a WordPress website or inject malicious JavaScript into posts.

These are critical severity vulnerabilities and so have been addressed and patched urgently. With that, we strongly recommend updating to the patched version, 2.10.3, immediately if you have the plugin installe on your website.

For more information, please check the official public release.

If you have questions, don’t hesitate to contact our support team.

A security update has been released for the plugin, Contact Form 7, one of the most popular WordPress plugins with more than 5 million users.

The security update is meant to address a vulnerability with the file upload functionality in Contact Form 7. While the vulnerability itself is not easily exploitable, but with the popularity, it may be inevitable for attackers to target this vulnerability.

We strongly recommend an immediate update to version 5.3.2 to ensure your website is kept secure. If you aren’t using the file upload functionality, this issue doesn’t apply but it is still recommended to keep the plugin updated.

For more information, please check the official public release.

If you have questions, don’t hesitate to contact our support team.

Two reflected Cross-Site Scripting (XSS) vulnerabilities were found on the plugin PageLayer which is installed on over 200,000 sites. This is a critical issue as it could allow an attacker to take over a vulnerable WordPress site.

These vulnerabilities have been fully patched in version 1.3.5 and we strongly recommend all users update to the latest version.

For more information, please check the official public release.

If you have questions, don’t hesitate to contact our support team.

The popular page-builder plugin WPBakery, installed in over 4 million websites, was discovered to host a critical flaw that allowed for attackers with contributor-level or above permissions, to inject malicious JavaScript in posts.

After a long period of patch development by the plugin team, a working patch was finally released on September 24, 2020.

We highly recommend updating to the latest version immediately (version 6.4.1 or higher). Simultaneously, we also recommend double-checking your website user list to make sure that no untrusted contributor-level or higher accounts have made their way inside.

For more information, please check the official public release.

If you have questions, don’t hesitate to contact our support team.

We are seeing a disturbing trend emerging from the WordPress community in the past few days and that is an upsurge of reported security breaches. We strongly recommend website admins to perform a security scan of their websites right now and address issues if any.

The clean-up requests we’ve received have surged and here are just some of the scan reports we’ve received:

One of the likely culprits for these breaches is the recently discovered critical security flaw with the WP File Manager plugin. Read the reports here:

https://arstechnica.com/information-technology/2020/09/hackers-are-exploiting-a-critical-flaw-affecting-350000-wordpress-sites/

https://www.techradar.com/news/millions-of-wordpress-sites-targeted-using-major-security-flaw

In any case, this is the most widespread breach we’ve seen over the years and should not be taken lightly.

Even if you do not have the WP File Manager plugin installed, we strongly recommend an immediate scan of your websites using Wordfence or any similar security plugin. And clean up issues ASAP if any are found.

If you have any questions or need assistance, don’t hesitate to contact our support team.

Secure your WordPress website