Antony Garand

About Antony Garand

Antony Garand is Sucuri's Threat Researcher who joined the company in 2019. Antony's main responsibilities include researching vulnerabilities and dissecting malware. His professional experience covers many years of security research and development. When Antony isn't breaking stuff, you might find him at the dog park or learning new skills. Connect with him on Twitter

September 8, 2020Antony Garand

Reflected XSS in WordPress Plugin Admin Pages

The administrative dashboard in WordPress is a pretty safe place: Only elevated users can access it. Exploiting a plugin’s admin panel would serve very little purpose here — an administrator already has the required permissions to do all of the actions a vulnerability could cause….

September 2, 2020Antony Garand

Critical Vulnerability in File Manager Plugin Affecting 700k WordPress Websites

Yesterday, the WordPress plugin File Manager was updated, fixing a critical vulnerability allowing any website visitor to gain complete access to the website. Users of our WAF were never vulnerable…

April 24, 2020Antony Garand

Duplicated Vulnerabilities in WordPress Plugins

During a recent plugin audit, we noticed a weird pattern among many plugins responsible for performing a specific task: Duplicating a page or a post. With a bit of research,…

March 23, 2020Antony Garand

Reflected XSS in Cookiebot Administrative Page

A reflected XSS vulnerability has recently been found in the Cookiebot plugin plugin, impacting a user base of over 40k installs. Versions prior to 3.6.1 are susceptible to this attack,…

March 17, 2020Antony Garand

Reflected XSS in Advanced Ads Admin Dashboard

A patch for a vulnerability in the Advanced Ads plugin has been released. Prior to version 1.17.4, attackers were able to exploit two reflected XSS attacks via the admin dashboard….

February 6, 2020Antony Garand

Creative Phishing for Digital Gold on RuneScape

RuneScape is an extremely popular massive multiplayer online game. With over 200 million generated accounts, its claim to fame is that it’s one of the largest free MMORPG’s ever created….

December 9, 2019Antony Garand

Why Hackers Create Phishing Campaigns

Phishing is a malicious attempt to obtain personally identifiable information of a victim. The first thing to keep in mind about phishing is the goal of the attackers. In the…

November 20, 2019Antony Garand

How to Recognize a Phishing Campaign

Phishing attacks and campaigns have always been a hot topic in online security. With many posts tagged as “phishing” on our blog — the first one being over nine years…

July 3, 2019Antony Garand

WordPress Plugin WP Statistics: Unauthenticated Stored XSS Under Certain Configurations

The WordPress plugin WP Statistics, which has an active installation base of 500k users, has an unauthenticated stored XSS vulnerability on versions prior to 12.6.7. This vulnerability can only be…

May 21, 2019Antony Garand

Slimstat: Stored XSS from Visitors

The WordPress Slimstat plugin, which currently has over 100k installs, allows your website to gather analytics data for your WordPress website. It will track certain information such as the browser…

May 15, 2019Antony Garand

WordPress Plugin Give – Stored XSS for Donors

Give is a WordPress plugin which allows users to setup a donation page on a website. It currently has 60k installs. During a recent audit of the plugin, we found…