ThinkPHP 5.x Remote Code Execution
John Castro Earlier this year, we noticed an increase in attacks aiming at ThinkPHP, which is a PHP framework that is very popular in Asia. If you…
Browsing Category
Vulnerability Disclosure
254 posts
SQL Injection in Advance Contact Form 7 DB
As part of our regular research audits for our Sucuri Firewall, we discovered an SQL injection vulnerability affecting 40,000+ users of the Advanced Contact Form…
ThinkPHP 5.x – Remote Code Execution Actively Exploited In The Wild
Earlier this year, we noticed an increase in attacks aiming at ThinkPHP. ThinkPHP is a PHP framework that is very popular in Asia. If you…
SQL Injection in Duplicate-Page WordPress Plugin
Marc-Alexandre Montpas While investigating the Duplicate Page plugin, we have discovered a dangerous SQL Injection vulnerability. Though the plugin wasn’t abused externally, the vulnerability impacted over 800,000…
Social Warfare Vulnerability Probes
Denis Sinegubko After a recent disclosure of the Social Warfare plugin vulnerability, we’ve seen massive attacks that inject malicious JavaScripts into the plugin options. The vulnerability has…
SQL Injection in Magento Core
Magento has released a new security update fixing multiple types of vulnerabilities including Cross-Site Request Forgery, Cross-Site Scripting, SQL Injection, and Remote Code Execution. To…
Stored XSS Patched in WordPress 5.1.1
WordPress recently released an update, 5.1.1, which patches a stored XSS vulnerability in the platform’s comment system. Even 10 days after the release of this…
Multi-Vector Attack in Server Logs
We recently noticed an increase on suspicious requests in our logs which reveal a planned attack against the Social Warfare plugin. Bad actors added this…
Zero-Day Stored XSS in Social Warfare
A zero-day vulnerability has just appeared in the WordPress plugin world, affecting over 70,000 sites using the Social Warfare plugin. The plugin is vulnerable to…
0day Vulnerability in Easy WP SMTP Affects Thousands of Sites
The Easy WP SMTP plugin authors have released a new update, fixing a very critical 0day vulnerability. When leveraged, this vulnerability gives unauthenticated attackers the…
Arbitrary Directory Deletion in WP-Fastest-Cache
The WP-Fastest-Cache plugin authors released a new update, version 0.8.9.1, fixing a vulnerability (CVE-2019-6726) present during its install alongside the WP-PostRatings plugin. According to seclists.org:…