Channel: Sucuri Blog
Browsing all 16 articles


Insufficient Privilege Validation in SiteGround Optimizer & Caldera Forms Pro

While investigating the SiteGround Optimizer and Caldera Forms Pro plugins we have discovered a critical privilege escalation vulnerability. It was not being abused externally and impacts over 500,000...


Arbitrary Directory Deletion in WP-Fastest-Cache

The WP-Fastest-Cache plugin authors released a new update, version 0.8.9.1, fixing a vulnerability (CVE-2019-6726) that is present when the plugin is installed alongside the WP-PostRatings plugin. According to...


0day Vulnerability in Easy WP SMTP Affects Thousands of Sites

The Easy WP SMTP plugin authors have released a new update fixing a critical zero-day vulnerability. When leveraged, this vulnerability gives unauthenticated attackers the power to modify any options...


Zero-Day Stored XSS in Social Warfare

A zero-day vulnerability has just appeared in the WordPress plugin world, affecting over 70,000 sites using the Social Warfare plugin. The plugin is vulnerable to a Stored XSS (Cross-Site Scripting)...


Stored XSS Patched in WordPress 5.1.1

WordPress recently released an update, 5.1.1, which patches a stored XSS vulnerability in the platform’s comment system. Even 10 days after the release of this security patch, around 60% of all...


SQL Injection in Magento Core

Magento has released a new security update fixing multiple types of vulnerabilities including Cross-Site Request Forgery, Cross-Site Scripting, SQL Injection, and Remote Code Execution. To be...


SQL Injection in Duplicate-Page WordPress Plugin

While investigating the Duplicate Page plugin, we have discovered a dangerous SQL Injection vulnerability. Though the plugin wasn’t abused externally, the vulnerability impacted over 800,000 sites. Its...


OS Command Injection in WP-Database-Backup

On May 28th, a critical OS Command Injection vulnerability affecting the WP-Database-Backup plugin was disclosed to the public by the Wordfence team. This is a very nasty bug which made it possible...


Stored XSS in MyBB

The open source PHP forum software MyBB recently published a new update, version 1.8.21. This is a security release fixing a Stored XSS vulnerability in the private messaging and post modules. What Are...


Dissecting the WordPress 5.2.3 Update

Last week, WordPress released version 5.2.3 which was a security and maintenance update, and as such, contained many security fixes. Part of our day to day work is to analyse these security releases,...


Zero-Day RCE in vBulletin v5.0.0-v5.5.4

A new remote code execution (RCE) zero-day vulnerability has been disclosed by an anonymous researcher on the full disclosure mailing list this past Monday. This vulnerability is extremely severe. It...


Authentication Bypass Vulnerability in InfiniteWP Client

An authentication bypass vulnerability affecting more than 300,000 InfiniteWP Client plugin users has recently been disclosed to the public. This plugin allows site owners to manage multiple websites...


Stored XSS in Elementor

During a routine audit of WordPress plugins last December, we discovered a Stored XSS vulnerability in the very popular Elementor Page Builder plugin, which powers more than 3 million websites...


Reflected XSS in WordPress v5.5.1 and Lower

WordPress released version 5.5.2 yesterday, which fixed a reflected XSS vulnerability we reported earlier this year. The root cause of this issue is a bug in the way WordPress determines a user’s...
