Website Security News
Read the latest vulnerability disclosures affecting server applications and content management systems like WordPress, Joomla, Drupal, and Magento. Learn about major vulnerabilities in popular plugins and extensions, and how to mitigate zero-day vulnerabilities so you can prevent website hacks.
You can learn more about how we score vulnerabilities in WordPress and other platforms using the DREAD score.
The open source PHP forum software myBB recently published a new update, version 1.8.21. This is a security release fixing a Stored XSS vulnerability in the private messaging and post modules. What Are the Risks? Unpatched websites could allow bad actors to send booby-trapped posts…
On May 28th, a critical OS Command Injection vulnerability affecting the WP-Database-Backup plugin was disclosed to the public by the Wordfence team. This is a very nasty bug which made…
The WordPress Slimstat plugin, which currently has over 100k installs, allows your website to gather analytics data for your WordPress website. It will track certain information such as the browser…
During a routine research audits for our Sucuri Firewall, we discovered an Unauthenticated Persistent Cross-Site Scripting (XSS) affecting 60,000+ users of the WP Live Chat Support WordPress plugin. Current State…
Read More about Persistent Cross-site Scripting in WP Live Chat Support Plugin
Give is a WordPress plugin which allows users to setup a donation page on a website. It currently has 60k installs. During a recent audit of the plugin, we found…
Read More about WordPress Plugin Give – Stored XSS for Donors
The Ultimate member plugin version 2.0.45 and lower is affected by multiple vulnerabilities, among them is a critical vulnerability allowing malicious users to read and delete your wp-config.php file, which…
Read More about Multiple Vulnerabilities in the WordPress Ultimate Member Plugin
During regular research audits for our Sucuri Firewall (WAF), we discovered a Cross Site Request Forgery (CSRF) leading to a persistent Cross Site Scripting vulnerability affecting 70,000+ users of the…
Read More about Persistent XSS via CSRF in WP Meta and Date Remover
Due to the poor handling of a vulnerability disclosure, a new attack vector has appeared for the WooCommerce Checkout Manager WordPress plugin and is affecting over 60,000 sites. If you…
Read More about Insufficient Privilege Validation in WooCommerce Checkout Manager
Earlier this year, we noticed an increase in attacks aiming at ThinkPHP, which is a PHP framework that is very popular in Asia. If you keep track of your site’s…
As part of our regular research audits for our Sucuri Firewall, we discovered an SQL injection vulnerability affecting 40,000+ users of the Advanced Contact Form 7 DB WordPress plugin. Current…
While investigating the Duplicate Page plugin, we have discovered a dangerous SQL Injection vulnerability. Though the plugin wasn’t abused externally, the vulnerability impacted over 800,000 sites. Its urgency is defined…
Read More about SQL Injection in Duplicate-Page WordPress Plugin
