How Malware Can Abuse the .htaccess File
You learned about the importance of the .htaccess file in our blog post How to Access and Edit the Default WordPress .htaccess File. As you can imagine, an important file such as .htaccess can be a...
SQL Injection Discovered And Fixed In Slimstat Analytics and Paid Memberships...
During an internal audit of the Slimstat Analytics and Paid Memberships Pro plugins, we uncovered two SQL Injection vulnerabilities that could allow low-privileged users like subscribers to leak...
Multiple vulnerabilities in WP Fastest Cache plugin
During an internal audit of the WP Fastest Cache plugin, we uncovered an Authenticated SQL Injection vulnerability and a Stored XSS (Cross-Site Scripting) via Cross-Site Request Forgery (CSRF) issue....
Security Issues Patched in Smash Balloon Social Post Feed Plugin
During an internal audit of the Smash Balloon Social Post Feed plugin (also known as Custom Facebook Feed), we discovered several sensitive AJAX endpoints were accessible to any users with an account...
Severe Vulnerabilities Fixed in All In One SEO Plugin Version 4.1.5.3
During an internal audit of the All In One SEO plugin, we uncovered an SQL Injection vulnerability and a Privilege Escalation bug. If exploited, the SQL Injection vulnerability could grant attackers...
Backdoor Found in Themes and Plugins from AccessPress Themes
Update Feb. 1 – Changed the “Affected themes” section to reflect that new versions of the themes are starting to appear. While investigating a compromised site we discovered some suspicious code in a...
Severe Vulnerability Fixed In UpdraftPlus 1.22.3
During an internal audit of the UpdraftPlus plugin, we uncovered an arbitrary backup download vulnerability that could allow low-privileged users like subscribers to download a site’s latest backups....
Backdoor found in The School Management Pro plugin for WordPress
Versions before 9.9.7 of the WordPress plugin “The School Management Pro” from Weblizar contain a backdoor allowing an unauthenticated attacker to execute arbitrary PHP code on sites with the plugin...
Capture the Flag at WordCamp Europe 2022
During WordCamp Europe 2022, we ran a WordPress Capture The Flag (CTF) competition across four challenges. We wanted to introduce folks to the addictive world of CTF, and let people experience how...
Vulnerabilities Found in the 3DPrint Premium Plugin
The premium version of the WordPress plugin 3DPrint is vulnerable to Cross Site Request Forgery (CSRF) and directory traversal attacks when the file manager functionality is enabled. These...