Website Security News
Read the latest vulnerability disclosures affecting server applications and content management systems like WordPress, Joomla, Drupal, and Magento. Learn about major vulnerabilities in popular plugins and extensions, and how to mitigate zero-day vulnerabilities so you can prevent website hacks.
You can learn more about how we score vulnerabilities in WordPress and other platforms using the DREAD score.
Earlier this year, we noticed an increase in attacks aiming at ThinkPHP, which is a PHP framework that is very popular in Asia. If you keep track of your site’s activity, the following log may look familiar: POST: /index.php?s=captcha HTTP/1.1 Data: _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=uname&ipconfig In December 2018,…
As part of our regular research audits for our Sucuri Firewall, we discovered an SQL injection vulnerability affecting 40,000+ users of the Advanced Contact Form 7 DB WordPress plugin. Current…
While investigating the Duplicate Page plugin, we have discovered a dangerous SQL Injection vulnerability. Though the plugin wasn’t abused externally, the vulnerability impacted over 800,000 sites. Its urgency is defined…
Read More about SQL Injection in Duplicate-Page WordPress Plugin
Magento has released a new security update fixing multiple types of vulnerabilities including Cross-Site Request Forgery, Cross-Site Scripting, SQL Injection, and Remote Code Execution. To be exploited, the majority of…
WordPress recently released an update, 5.1.1, which patches a stored XSS vulnerability in the platform’s comment system. Even 10 days after the release of this security patch, around 60% of…
A zero-day vulnerability has just appeared in the WordPress plugin world, affecting over 70,000 sites using the Social Warfare plugin. The plugin is vulnerable to a Stored XSS (Cross-Site Scripting)…
The Easy WP SMTP plugin authors have released a new update, fixing a very critical 0day vulnerability. When leveraged, this vulnerability gives unauthenticated attackers the power to modify any options…
Read More about 0day Vulnerability in Easy WP SMTP Affects Thousands of Sites
The WP-Fastest-Cache plugin authors released a new update, version 0.8.9.1, fixing a vulnerability (CVE-2019-6726) present during its install alongside the WP-PostRatings plugin. According to seclists.org: “A successful attack allows an…
Read More about Arbitrary Directory Deletion in WP-Fastest-Cache
While investigating the SiteGround Optimizer and Caldera Forms Pro plugins we have discovered a critical privilege escalation vulnerability. It was not being abused externally and impacts over 500,000 sites. It’s…
Read More about Insufficient Privilege Validation in SiteGround Optimizer & Caldera Forms Pro
We’re seeing an increase in the number of cases where attackers are disabling WordPress sites by removing or rewriting its wp-config.php file. These cases are all linked to the same vulnerable software:…
The WordPress team has just released a critical security and maintenance update to resolve a number of bugs and security issues. Included in this release is a patch that protects…
Read More about WordPress Update – 4.9.7 Security & Maintenance Release
