Marc-Alexandre Montpas

50 posts

Marc-Alexandre Montpas is Sucuri’s Senior Security Analyst who joined the company in 2014. Marc’s main responsibilities include reversing security patches and scavenging vulnerabilities, old and new. His professional experience covers eight years of finding bugs in open-source software. When Marc isn’t breaking things, you might find him participating in a hacking CTF competition. Connect with him on Twitter.

0day Vulnerability in Easy WP SMTP Affects Thousands of Sites

Marc-Alexandre Montpas
March 21, 2019

The Easy WP SMTP plugin authors have released a new update, fixing a very critical 0day vulnerability. When leveraged, this vulnerability gives unauthenticated attackers the…

Read the Post

Arbitrary Directory Deletion in WP-Fastest-Cache

Marc-Alexandre Montpas
March 18, 2019

The WP-Fastest-Cache plugin authors released a new update, version 0.8.9.1, fixing a vulnerability (CVE-2019-6726) present during its install alongside the WP-PostRatings plugin. According to seclists.org:…

Read the Post

Insufficient Privilege Validation in SiteGround Optimizer & Caldera Forms Pro

Marc-Alexandre Montpas
March 13, 2019

While investigating the SiteGround Optimizer and Caldera Forms Pro plugins we have discovered a critical privilege escalation vulnerability. It was not being abused externally and…

Read the Post

WordPress Update – 4.9.7 Security & Maintenance Release

Marc-Alexandre Montpas
July 5, 2018

The WordPress team has just released a critical security and maintenance update to resolve a number of bugs and security issues. Included in this release…

Read the Post

Formidable Forms / Shortcodes Ultimate Exploits In The Wild

Marc-Alexandre Montpas
November 24, 2017

On Monday, November 20th, we were notified about a vulnerability that poses a serious security risk when the Shortcodes Ultimate and Formidable Forms plugins are…

Read the Post

SQL Injection in bbPress

Marc-Alexandre Montpas
November 13, 2017

During regular audits of our Sucuri Firewall (WAF), one of our researchers at the time, Slavco Mihajloski, discovered an SQL Injection vulnerability affecting bbPress. If…

Read the Post

SQL Injection Vulnerability in Joomla! 3.7

Marc-Alexandre Montpas
May 17, 2017

During regular research audits for our Sucuri Firewall (WAF), we discovered a SQL Injection vulnerability affecting Joomla! 3.7 – CVE-2017-8917. The vulnerability is easy to exploit and…

Read the Post

WordPress Security

Stored XSS in WordPress Core

Marc-Alexandre Montpas
March 13, 2017

As you might remember, we recently blogged about a critical Content Injection Vulnerability in WordPress which allowed attackers to deface vulnerable websites. While our original disclosure only…

Read the Post

Content Injection Vulnerability in WordPress

Marc-Alexandre Montpas
February 1, 2017

As part of a vulnerability research project for our Sucuri Firewall (WAF), we have been auditing multiple open source projects looking for security issues. While…

Read the Post

Joomla Security

Details on the Privilege Escalation Vulnerability in Joomla

Marc-Alexandre Montpas
October 26, 2016

Yesterday, Joomla! 3.6.4 was released, patching a critical privilege escalation and arbitrary account creation vulnerability. As we’ve seen some exploits attempts occurring in the wild,…

Read the Post

SQL Injection Vulnerability in Ninja Forms

Marc-Alexandre Montpas
August 16, 2016

As part of our regular research audits for our Sucuri Firewall, we discovered an SQL Injection vulnerability affecting the Ninja Forms plugin for WordPress, currently…

Read the Post