When it comes to content management systems such as WordPress, hackers will often exploit file upload mechanisms to distribute malicious files which can be used to execute malicious code on a website, infect other websites, and allow hackers to gain full control over a server where your website is hosted. In an effort to prevent …
Dozens of File Upload Vulnerabilities Found in Web Apps Read More »
A high-severity Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2020-9334, exists in a popular WordPress plugin called Envira Photo Gallery, rendering over 100,000 websites vulnerable to phishing attacks, stealing administrator’s session tokens, etc. In this Blog-post, we will cover what caused the flaw, an example Proof-Of-Concept showing exploitation in a sandbox environment, and mitigation steps. What is the Envira …
CVE-2020-9334: Stored XSS vulnerability in Popular Gallery Plugin for WordPress Read More »
A non-trivial CSV injection vulnerability was discovered in a popular WordPress plugin called Events Manager v5.9.7.1 (active on 100,000+ websites). This makes the users’ machine vulnerable to remote attackers who can execute arbitrary commands on it. In this Blog-post, we will dive deep into what caused the flaw, an example Proof-Of-Concept showing exploitation in a sandbox environment, and mitigation …
100,000+ WordPress sites vulnerable due to Events Manager Plugin Read More »
A high-severity Cross-Site Request Forgery (CSRF) vulnerability, tracked as CVE-2020–8417, exists in a popular WordPress plugin called Code Snippets, rendering over 200,000 websites vulnerable to site takeover. In this Blog-post, we will cover what caused the flaw, an example Proof-Of-Concept showing exploitation in a sandbox environment, and mitigation steps. What is the Code Snippets Vulnerability? The National Vulnerability …
From CSRF to RCE and WordPress-site takeover: CVE-2020-8417 Read More »
According to the latest Sucuri Hacked Website Report (2018), 90% of scanned WordPress websites were infected with one or more vulnerabilities last year. That’s up 7% from the previous year and shows you just how vulnerable WordPress websites can be. (Source) While the WordPress core is built to be as secure as possible, relying on …
Why You Should Perform WordPress Vulnerability Scanning Read More »
As of now, the WordPress content management system (CMS) dominates the web. In fact, WordPress powers 35% of the worldwide web, which is pretty impressive seeing as there are over 1.7 billion websites online right now. The thing is, many people will claim that WordPress is insecure. After all, according to Sucuri, a leading website …
WordPress 5.3.1 is a security and maintenance release that has 46 fixes and enhancements. And even better, it fixes serval security problems found by the following people: Daniel Bachhuber for finding an issue where an unprivileged user could make a post sticky via the REST API. Simon Scannell of RIPS Technologies for finding and disclosing an issue …
WordPress 5.3.1 security and maintenance release Read More »
WPSec.com, Our WordPress Vulnerability Security Scanner has been updated with new functionality and reliability changes. Detect WAF – If there is a scanning problem such as a timeout, we will try to detect if there is a Web Application Firewall (WAF) blocking us. And if there is we will notify you via E-mail or on …
Even if WordPress 5.3 isn’t a security release there are still some interesting new security related updates in this version. Trusted CA Bundle Update The root CA bundle has been updated with new CA:s and some removed. The downside is thought that there is still some 1024 bit RSA CA certificates still in the bundle …
WordPress 5.2.4 is now available, it’s a short-cycle security release. The next major release will be version 5.3. This security release fixes six security issues. WordPress versions 5.2.3 and earlier are affected by these security bugs, which are fixed in version 5.2.4. There are also security updates to WordPress 5.1 and earlier. List of Security …