TL;DR: We have found no evidence that the new Trojan Source method has been used to sneak in backdoors in any of the WordPress plugins listed on WordPress.org (CVE-2021-42694 and CVE-2021-42574) A new vulnerability affecting the supply chain of Source Code for projects like Go, PHP, Python, JavaScript and many more programming languages. The vulnerability …
In this guide you will learn how to install and protect WordPress with the Open Source Web Application Firewall (WAF) ModSecurity. We will also install the latest protection rules from the OWASP Core Rule Set (CRS). A WAF is a great addition to the Cyber Security protection for your WordPress blog or website and can …
Protecting WordPress with Open Source Web Application Firewall ModSecurity Read More »
On 15th July 2021, news was going around regarding an unauthenticated SQL Injection in WooCommerce. WooCommerce released a blog post about the vulnerabilities here: https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/#. The vulnerabilities were detected on the 13th of July and fixed in WooCommerce versions 3.3.6 to 5.5.1 and WooCommerce Blocks versions 2.5.16 to 5.5.1. This blog post is a short …
WooCommerce Unauthenticated SQL Injection Vulnerability Read More »
On 13th May 2021, WordPress released WordPress 5.7.2, which was a security release fixing one vulnerability that affected versions 3.7 to 5.7. This vulnerability is a PHP Object Injection vulnerability in PHPMailer (CVE-2020-36326, CVE-2018-19296) that occurs via the addAttachment function with a UNC pathname. You may notice that there are two CVE’s in the security …
WordPress versions 5.7, 5.6.2, 5.6.1, 5.6, 5.0.11 are affected to XML eXternal Entity vulnerability where an authenticated user with the ability to upload files in the Media Library can upload a malicious WAVE file that could lead to remote arbitrary file disclosure and server-side request forgery (SSRF). WordPress uses ID3 library to parse information about an audio …
WordPress XXE Vulnerability in Media Library – CVE-2021-29447 Read More »
A high-severity Unrestricted File Upload vulnerability, tracked as CVE-2020–35489, was discovered in a popular WordPress plugin called Contact Form 7, currently installed on 5 Million+ websites making them vulnerable to attacks like phishing, complete site take-over, data-breach, phishing and credit card frauds. In this blog-post, we will cover what caused the flaw, an example Proof-Of-Concept (PoC) showing exploitation in a …
Update: Due to some problems with the 5.5.2-release 5.5.3 was quickly released. WordPress 5.5.2 has been released and it contains ten security issues affecting WordPress version 5.5.1 and earlier. If you haven’t yet updated to 5.5, all previous WordPress versions since 3.7 have also been updated to fix the following security issues: Alex Concha of …
WordPress is a huge platform that powers a large number of websites. This service makes it easy for both programmers and non-programmers to develop different websites. With WordPress, there are different kinds of themes, plugins and more. However, since most of these things are created by third-party developers, there are chances that there will be …
WordPress plugin WP File Manager actively exploited Read More »
When it comes to WordPress, keeping your theme, plugins, and WordPress core is one of the most important tasks you have as a website owner. However, most website owners are often guilty of not applying updates and running with outdated versions of their themes and plugins. Needless to say, this leaves your website vulnerable to …
WordPress to add auto-update feature for themes and plugins Read More »
As many of you know, WordPress is written in PHP. Finding backdoors in PHP and WordPress code can be quite tricky and sometimes almost impossible: Since backdoors could be hidden anywhere in the code and look like regular code with human coding errors, and a regular installation of WordPress consists of about 432,709 lines of …