John Castro

41 posts

John Castro is Sucuri's Vulnerability Researcher who joined the company in 2015. His main responsibilities include threat intelligence and vulnerability analysis. John's professional experience covers more than a decade of pentesting, vulnerability research and malware analysis. When John isn't working with WordPres plugin vulnerabilities, you might find him hiking or hunting for new restaurants. Connect with him on LinkedIn

Vulnerability Disclosure

Insufficient Privilege Validation in NextScripts: Social Networks Auto-Poster

John Castro
September 4, 2020

NextScripts: Social Networks Auto-Poster is a plugin that automatically publishes posts from your blog to your Social Media accounts such as Facebook, Twitter, Google+, Blogger,…

Read the Post

Vulnerabilities Digest: July 2020

John Castro
August 3, 2020

Relevant Plugins and Vulnerabilities: Plugin Vulnerability Patched Version Installs Asset CleanUp: Page Speed Authenticated XSS 1.4.6.7 80000 Quiz And Survey Master Authenticated Stored XSS 7.0.0…

Read the Post

Vulnerabilities Digest: June 2020

John Castro
July 6, 2020

Highlights for June 2020 Cross site scripting is still the most common vulnerability in WordPress Plugins. Bad actors are taking advantage of the lack of…

Read the Post

Vulnerability Disclosure

Cross Site Scripting in YITH WooCommerce Ajax Product Filter

John Castro
June 22, 2020

During a routine research audit for our Sucuri Web Application Firewall, we discovered a cross-site scripting (XSS) vulnerability affecting 100,000+ users of the YITH WooCommerce…

Read the Post

Vulnerable Plugins: June 2020 Update

John Castro
June 19, 2020

This is a mid-month update to our regular Monthly Vulnerability Digest, which reveals a number of new patches for disclosed vulnerabilities. Plugin Vulnerability Patched Version…

Read the Post

Vulnerabilities Digest: May 2020

John Castro
May 29, 2020

Relevant Plugins and Vulnerabilities: Plugin Vulnerability Patched Version Installs WP Product Review Unauthenticated Stored XSS 3.7.6 40000 Form Maker by 10Web Authenticated SQL Injection —…

Read the Post

Unauthenticated Stored Cross Site Scripting in WP Product Review

John Castro
May 14, 2020

During a routine research audit for our Sucuri Firewall, we discovered an Unauthenticated Persistent Cross-Site Scripting (XSS) affecting 40,000+ users of the WP Product Review…

Read the Post

Vulnerabilities Digest: April 2020

John Castro
May 1, 2020

Relevant Plugins and Vulnerabilities: Plugin Vulnerability Patched Version Installs Widget Settings Importer/Exporter Stored XSS Closed 40000 Accordion Stored/Reflected XSS 2.2.9 30000 Support Ticket System By…

Read the Post

Vulnerabilities Digest: March 2020

John Castro
March 27, 2020

Fixed Plugins and Vulnerabilities Plugin Vulnerability Patched Version Installs Cookiebot Reflected Cross-Site Scripting 3.6.1 40000 Data Tables Generator By Supsystic Authenticated Stored XSS 1.9.92 30000…

Read the Post

Vulnerabilities Digest: February 2020

John Castro
March 2, 2020

Fixed Plugins and Vulnerabilities Plugin Vulnerability Patched Version Installs Duplicator Arbitrary File Download 1.3.28 1000000 Modula Image Gallery Authenticated Stored XSS 2.2.5 70000 Easy Property…

Read the Post

Vulnerabilities Digest: January 2020

John Castro
January 28, 2020

Fixed Plugins and Vulnerabilities Plugin Vulnerability Patched Version Installs InfiniteWP Client Login bypass 1.9.4.5 300000 ListingPro Reflected XSS 2.5.4 13000 Travel Booking Stored XSS 2.7.8.6…

Read the Post