Browsing all 23 articles

Backdoor Found in Themes and Plugins from AccessPress Themes

Update Feb. 1 – Changed the “Affected themes” section to reflect that new versions of the themes are starting to appear. While investigating a compromised site we discovered some suspicious code in a...

Severe Vulnerability Fixed In UpdraftPlus 1.22.3

During an internal audit of the UpdraftPlus plugin, we uncovered an arbitrary backup download vulnerability that could allow low-privileged users like subscribers to download a site’s latest backups....

Backdoor found in The School Management Pro plugin for WordPress

Versions before 9.9.7 of the WordPress plugin “The School Management Pro” from Weblizar contain a backdoor allowing an unauthenticated attacker to execute arbitrary PHP code on sites with the plugin...

Capture the Flag at WordCamp Europe 2022

During WordCamp Europe 2022, we ran a WordPress Capture The Flag (CTF) competition across four challenges. We wanted to introduce folks to the addictive world of CTF, and let people experience how...

Vulnerabilities Found in the 3DPrint Premium Plugin

The premium version of the WordPress plugin 3DPrint is vulnerable to Cross-Site Request Forgery (CSRF) and directory traversal attacks when the file manager functionality is enabled. These...

Fake plugin wave affecting WordPress sites

Recently our colleague Joshua Goode escalated to the Security Research team an investigation he had been performing into several websites that showed the same indicators of compromise. There were small...

How Malware Can Abuse the .htaccess File

You learned about the importance of the .htaccess file in our blog post How to Access and Edit the Default WordPress .htaccess File. As you can imagine, an important file such as .htaccess can be a...

SQL Injection Discovered And Fixed In Slimstat Analytics and Paid Memberships...

During an internal audit of the Slimstat Analytics and Paid Memberships Pro plugins, we uncovered two SQL Injection vulnerabilities that could allow low-privileged users like subscribers to leak...

MainWP Partners with Jetpack for WordPress Security

Managing multiple WordPress sites can be stressful. With the average WordPress site running 22 plugins, it’s crucial that every vulnerability is accounted for. That’s why we’re thrilled to announce...

10 Best Tools to Check a Website for Malware & Virus Infections

As a website owner, you’ve worked hard to develop your website and build your business. But, with Google issuing over three million safe browsing warnings a day, it’s clear that you have to be...

Password Reuse: A Major Vulnerability You Need to Avoid

Safeguarding personal and business information is more crucial than ever. One common, yet often overlooked, vulnerability that can compromise this safety is password reuse. What seems like a simple...

What is Vulnerability Scanning & How Does it Work?

Imagine waking up to find your website has been hacked overnight. It’s not a fun thing to picture and something no business ever wants to face. Thankfully, vulnerability scanning can act as a watchdog...

What is PHP Object Injection? An In-Depth Guide with Examples

PHP object injection is a serious security threat that can have devastating consequences for websites and web applications. In this guide, we’ll explore what PHP object injection is, how it works, and...

XSS vs CSRF Attacks: How They Differ and How to Counter Them

Cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks are among the most common dangers for modern websites. Understanding how these attacks work and how to prevent them is...

What Are XSS Attacks on WordPress? (And How to Prevent Them)

Cross-site scripting (XSS) is one of the most common vulnerabilities reported in web applications. It often results in hackers stealing information (like login credentials) or changing content on your...

Multiple vulnerabilities in WP Fastest Cache plugin

During an internal audit of the WP Fastest Cache plugin, we uncovered an Authenticated SQL Injection vulnerability and a Stored XSS (Cross-Site Scripting) via Cross-Site Request Forgery (CSRF) issue....

Security Issues Patched in Smash Balloon Social Post Feed Plugin

During an internal audit of the Smash Balloon Social Post Feed plugin (also known as Custom Facebook Feed), we discovered several sensitive AJAX endpoints that were accessible to any user with an account...

Severe Vulnerabilities Fixed in All In One SEO Plugin Version 4.1.5.3

During an internal audit of the All In One SEO plugin, we uncovered an SQL Injection vulnerability and a Privilege Escalation bug. If exploited, the SQL Injection vulnerability could grant attackers...
