Jonas Lejon

Vulnerability in WordPress WP GDPR Compliance plugin

The WP GDPR Compliance plugin allows unauthenticated users to execute any action and to update any database value: if the request-data form is reachable without logging in, unauthenticated users can update the database. The plugin has more than 100 000 active installations according to WordPress.org. WPScans.com has been updated to check for this …


WordPress 4.9.2 is now available

WordPress 4.9.2 is now available for download. This release is a security and maintenance release for all versions since WordPress 3.7. WPScans strongly encourages you to update your sites immediately. We also recommend using WPScans.com to scan your WordPress installation. This release contains a critical security fix for an XSS security bug in the Media Elements library …


WordPress Backdoor detection

WPSec can now detect at least three different backdoored WordPress plugins. The plugins are:

- Duplicate Page and Post 2.1.0-2.1.1
- No Follow All External Links 2.1.0-2.3.0
- WP No External Links 4.2.1-4.3

We recommend that you run the free scan available at www.wpsec.com

How to sniff WordPress login credentials with Wireshark over an HTTP connection

Wireshark is a network protocol analyzer that can provide granular visibility into traffic traversing your network. It runs on a wide variety of operating systems and can be used to view live traffic or to capture traffic to a file for offline analysis. Virtually all known network protocols are supported, including IPsec, ISAKMP, Kerberos, SNMPv3, …


New WordPress Vulnerability checks – Week 49

WPScans.com has been updated with the following new vulnerability checks:

- Content Cards <= 0.9.6 – Cross-Site Scripting (XSS)
- WP Mailster <= 1.5.4 – Unauthenticated Cross-Site Scripting (XSS)
- Apocalypse Meow <= 21.2.7 – BCrypt Authentication Bypass
- Smart Marketing SMS and Newsletters Forms <= 1.1.1 – Unauthenticated Cross-Site Scripting (XSS)

Run your free WordPress Security Scan at …


WordPress 4.9.1 Security and Maintenance Update

WordPress 4.9.1 has now been released. This update is a security and maintenance release for all versions since WordPress 3.7. WPScans strongly encourages you to update your WordPress sites immediately. WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack. As part of the core …


WordPress 4.8.3 Security Release

A new WordPress version was just released. This new version addresses a security problem with the $wpdb->prepare() function. From the release notes: WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added …


WPScans is now available as a Hidden Service on Tor

You can now connect to WPScans using the Tor onion network. WPScans is now a Hidden Service, and you can use the following address to reach WPScans from Tor Browser or Tails: wpscanskzvjc4s2s.onion

[Screenshot: Tor Browser visiting the onion URL]

[Screenshot: The Amnesic Incognito Live System (Tails) visiting the onion URL]