Marc-Alexandre Montpas - Sucuri Security Researcher

Marc's passion for code and IT security has no limit. You'll generally find him competing in Capture-the-Flag (CTF) competitions or searching for security vulnerabilities in widespread products for the fun of it. He's also a great fan of heavy metal music. Follow him on Twitter at @mars0h.

About Marc-Alexandre Montpas

November 24, 2017Marc-Alexandre Montpas

Formidable Forms / Shortcodes Ultimate Exploits In The Wild

On Monday, November 20th, we were notified about a vulnerability that poses a serious security risk when the Shortcodes Ultimate and Formidable Forms plugins are used together on a single WordPress installation. Over the past couple of weeks, we’ve noticed a large influx in the…

November 13, 2017Marc-Alexandre Montpas

SQL Injection in bbPress

During regular audits of our Sucuri Firewall (WAF), one of our researchers at the time, Slavco Mihajloski, discovered an SQL Injection vulnerability affecting bbPress. If the proper conditions are met,…

May 17, 2017Marc-Alexandre Montpas

SQL Injection Vulnerability in Joomla! 3.7

During regular research audits for our Sucuri Firewall (WAF), we discovered a SQL Injection vulnerability affecting Joomla! 3.7 – CVE-2017-8917. The vulnerability is easy to exploit and doesn’t require a privileged account…

March 13, 2017Marc-Alexandre Montpas

Stored XSS in WordPress Core

As you might remember, we recently blogged about a critical Content Injection Vulnerability in WordPress which allowed attackers to deface vulnerable websites. While our original disclosure only described one vulnerability, we actually reported…

February 1, 2017Marc-Alexandre Montpas

Content Injection Vulnerability in WordPress

As part of a vulnerability research project for our Sucuri Firewall (WAF), we have been auditing multiple open source projects looking for security issues. While working on WordPress, we discovered…

October 26, 2016Marc-Alexandre Montpas

Details on the Privilege Escalation Vulnerability in Joomla

Yesterday, Joomla! 3.6.4 was released, patching a critical privilege escalation and arbitrary account creation vulnerability. As we’ve seen some exploits attempts occurring in the wild, we feel it is a…

August 16, 2016Marc-Alexandre Montpas

SQL Injection Vulnerability in Ninja Forms

As part of our regular research audits for our Sucuri Firewall, we discovered an SQL Injection vulnerability affecting the Ninja Forms plugin for WordPress, currently installed on 600,000+ websites. Vulnerability…

May 27, 2016Marc-Alexandre Montpas

Security Advisory: Stored XSS in Jetpack

During regular research audits for our Sucuri Firewall (Cloud WAF), we discovered a stored XSS vulnerability affecting the WordPress Jetpack plugin, currently installed on more than a million WordPress sites….

May 3, 2016Marc-Alexandre Montpas

Security Advisory: Stored XSS in bbPress

During regular research audits of our Sucuri Firewall, we discovered a Stored XSS vulnerability affecting the bbPress plugin for WordPress which is currently installed on 300,000 live websites – one…

January 22, 2016Marc-Alexandre Montpas

Security Advisory: Stored XSS in Magento

During our regular research audits for our Cloud-based WAF, we discovered a Stored XSS vulnerability affecting the Magento platform that can be easily exploited remotely. We notified the Magento team…

December 15, 2015Marc-Alexandre Montpas

Vulnerability Details: Joomla! Remote Code Execution

The Joomla! team released a new version of Joomla! CMS yesterday to patch a serious and easy to exploit remote code execution vulnerability that affected pretty much all versions of…