Marc-Alexandre Montpas

50 posts

Marc-Alexandre Montpas is Sucuri’s Senior Security Analyst who joined the company in 2014. Marc’s main responsibilities include reversing security patches and scavenging vulnerabilities, old and new. His professional experience covers eight years of finding bugs in open-source software. When Marc isn’t breaking things, you might find him participating in a hacking CTF competition. Connect with him on Twitter.

Reflected XSS in WordPress v5.5.1 and Lower

Marc-Alexandre Montpas
October 30, 2020

WordPress released version 5.5.2 yesterday, which fixed a reflected XSS vulnerability we reported earlier this year. The root cause of this issue is a bug…

Stored XSS in Elementor

Marc-Alexandre Montpas
January 29, 2020

During a routine audit of WordPress plugins last december, we discovered a Stored XSS vulnerability in the very popular Elementor Page Builder plugin, which powers…

Authentication Bypass Vulnerability in InfiniteWP Client <= 1.9.4.4

Marc-Alexandre Montpas
January 16, 2020

An authentication bypass vulnerability affecting more than 300,000 InfiniteWP Client plugin users has recently been disclosed to the public. This plugin allows site owners to…

Zero-Day RCE in vBulletin v5.0.0-v5.5.4

Marc-Alexandre Montpas
September 25, 2019

A new remote code execution (RCE) zero-day vulnerability has been disclosed by an anonymous researcher on the full disclosure mailing list this past Monday. This…

Dissecting the WordPress 5.2.3 Update

Marc-Alexandre Montpas
September 13, 2019

Last week, WordPress released version 5.2.3 which was a security and maintenance update, and as such, contained many security fixes. Part of our day to…

Stored XSS in MyBB <= 1.8.20

Marc-Alexandre Montpas
June 11, 2019

The open source PHP forum software myBB recently published a new update, version 1.8.21. This is a security release fixing a Stored XSS vulnerability in…

OS Command Injection in WP-Database-Backup

Marc-Alexandre Montpas
June 4, 2019

On May 28th, a critical OS Command Injection vulnerability affecting the WP-Database-Backup plugin was disclosed to the public by the Wordfence team. This is a…

SQL Injection in Duplicate-Page WordPress Plugin

Marc-Alexandre Montpas
April 5, 2019

While investigating the Duplicate Page plugin, we have discovered a dangerous SQL Injection vulnerability. Though the plugin wasn’t abused externally, the vulnerability impacted over 800,000…

Vulnerability Disclosure

SQL Injection in Magento Core

Marc-Alexandre Montpas
March 28, 2019

Magento has released a new security update fixing multiple types of vulnerabilities including Cross-Site Request Forgery, Cross-Site Scripting, SQL Injection, and Remote Code Execution. To…

Stored XSS Patched in WordPress 5.1.1

Marc-Alexandre Montpas
March 26, 2019

WordPress recently released an update, 5.1.1, which patches a stored XSS vulnerability in the platform’s comment system. Even 10 days after the release of this…

Zero-Day Stored XSS in Social Warfare

Marc-Alexandre Montpas
March 21, 2019

A zero-day vulnerability has just appeared in the WordPress plugin world, affecting over 70,000 sites using the Social Warfare plugin. The plugin is vulnerable to…