Mark Maunder co-founded Wordfence in 2011 after his WordPress site was hacked and he learned how hard it was to clean and secure. Today the team has grown to over 35 members world-wide and Wordfence protects over 3 million WordPress sites. On the Think Like a Hacker podcast, we cover interesting topics related to WordPress, security and innovation. Episodes alternate between security news and interviews with innovators from WordPress and information security communities.
WordPress Forced Security Autoupdate Protects Sites from Loginizer Vulnerability
An easily exploitable SQL injection vulnerability was discovered in the Loginizer plugin, installed on over 1 million WordPress sites, causing the WordPress team to force an update to sites using the vulnerable version. The Justice Department is filing an antitrust suit against Google for allegedly monopolizing the search and search advertising markets. Google Chrome gets an update to fix an actively exploited zero-day vulnerability. And a new feature in Jetpack allows users to post Tweetstorms through WordPress.
How Hackers Can Use CSRF Vulnerabilities and Spearphishing to Wreak Havoc on WordPress
This week, we chat about the CSRF vulnerability found in the Child Theme Creator by Orbisius and how attackers could use a vulnerability like this with spearphishing to wreak havoc, much like the phishing campaigns now being found on the Canva design platform. We discuss the benefits of adding application passwords for REST API authentication planned for WordPress version 5.6, and the ramifications of the critical, wormable RCE bug patched by Microsoft.
WPBakery Plugin Vulnerability Exposes Over 4 Million Sites
A vulnerability discovered by the Wordfence Threat Intelligence team in the WPBakery plugin exposes over 4 million sites. High severity vulnerabilities were discovered in the Post Grid and Team Showcase plugins. The online avatar service Gravatar has been exposed to a user enumeration technique that could be abused to collect data on its users' profiles, and a card skimmer was found on Boom! Mobile's web site, putting customer card data at risk.
Shopify Rogue Employees, Medium and Twitter Vulnerabilities, and Hackers Hiding Out in Corporate Networks
Shopify reports that rogue employees stole data from 200 merchants on their platform. A security researcher found that a vulnerability in the Medium Partner Program could have allowed an attacker to steal writers' earnings. Symantec reports that a state-sponsored hacking group has been hiding out in company networks as part of an information-stealing campaign. And Twitter reports that an API bug exposed app keys and tokens via a caching issue.
XCloner Vulnerabilities, LokiBot Malware, & a 14 Year Old Nets a $25K Bug Bounty
Our Threat Intelligence team discovered vulnerabilities in XCloner Backup and Restore, affecting 30K+ sites. CISA is warning of persistent malicious activity connected to LokiBot. An API change will break Facebook & Instagram oEmbed links after October 24. Google has launched the Web Stories for WordPress plugin making full-screen, tappable content possible. Drupal patches a critical reflected XSS vulnerability, & a critical stored XSS vulnerability in Instagram's Spark AR Studio nets a 14-year-old $25,000.
Vulnerabilities Affect Discount Rules for WooCommerce Plugin, ModSecurity & Windows
Vulnerabilities were patched in the Discount Rules for WooCommerce plugin installed on 40k+ WordPress sites. Developers from OWASP said ModSecurity v3 is exposed to denial of service exploits, though maintainers of ModSecurity reject that claim. A severe vulnerability in Windows Netlogon was patched in August; this bug could be exploited to attack enterprise servers. A researcher discovered that the Windows TCPIP Finger command can function as a file downloader & a makeshift command & control server.
Customer Reviews
What an informative Podcast for the WP community. Loving the new format! Keep up the good work.
Just enough geek, just enough intrigue, just enough business
I’ve been listening since episode 1 and have really been enjoying it... and they are really hitting their stride (especially after episode 21 when Mark declared the podcast ‘of legal drinking age’ LOL 😂 ). Technical discussion of risks and breaches. Storied discussion of real impacts to real people and real businesses. Practical discussion of actions to take and/or what to watch for. Real conversations with experts in the field and real business owners.
Such a great show!!
I love this podcast. It's super interesting and super informative, with a great format. Keep up the great work, Wordfence crew!