WordPress Security News & Updates

array_diff_ukey Usage in Malware Obfuscation

Luke Leal
May 14, 2019

We discovered a PHP backdoor on a WordPress installation that contained some interesting obfuscation methods to keep it hidden from prying eyes: $zz1 = chr(95).chr(100).chr(101).chr(115).chr(116).chr(105).chr(110).chr(97).chr(116).chr(105).chr(111).chr(110);…

Read the Post

Multiple Vulnerabilities in the WordPress Ultimate Member Plugin

Antony Garand
May 13, 2019

The Ultimate member plugin version 2.0.45 and lower is affected by multiple vulnerabilities, among them is a critical vulnerability allowing malicious users to read and…

Read the Post

Persistent XSS via CSRF in WP Meta and Date Remover

John Castro
May 7, 2019

During regular research audits for our Sucuri Firewall (WAF), we discovered a Cross Site Request Forgery (CSRF) leading to a persistent Cross Site Scripting vulnerability…

Read the Post

Insufficient Privilege Validation in WooCommerce Checkout Manager

John Castro
April 29, 2019

Due to the poor handling of a vulnerability disclosure, a new attack vector has appeared for the WooCommerce Checkout Manager WordPress plugin and is affecting…

Read the Post

WordPress Security

Plugins Added to Malicious Campaign

John Castro
April 25, 2019

We continue to see an increase in the number of plugins attacked as part of a campaign that’s been active for quite a long time.…

Read the Post

Free Premium themes? There’s always a catch

Pedro Peixoto
April 25, 2019

OK, so we’ve all been there. We want something Premium, such as a paid version of an app or piece of software, but it would…

Read the Post

WP Plugin Hider

Luke Leal
April 23, 2019

One of our analysts recently found an interesting injection that has been found on WordPress installations. Installed by hacker, it is used to hide a…

Read the Post

Defunct Malware Can Cause Problems Too

Harshad Mane
April 18, 2019

Recently our incident response analyst Harshad Mane worked on a site that redirected users to a third-party malicious site whenever they logged into the WordPress…

Read the Post

From .tk Redirects to PushKa Browser Notification Scam

Denis Sinegubko
April 15, 2019

In the past couple of years, we’ve been tracking a long-lasting campaign responsible for injecting malicious scripts into WordPress sites. This campaign leverages old vulnerabilities…

Read the Post

SQL Injection in Advance Contact Form 7 DB

John Castro
April 11, 2019

As part of our regular research audits for our Sucuri Firewall, we discovered an SQL injection vulnerability affecting 40,000+ users of the Advanced Contact Form…

Read the Post

Attacks on Closed WordPress Plugins

John Castro
April 10, 2019

The WordPress plugin repository team may “close” plugins and restrict downloads when they become aware of a security issue that the developer cannot fix quickly.…

Read the Post