WordPress Plugin Give – Stored XSS for Donors
Antony Garand Give is a WordPress plugin which allows users to setup a donation page on a website. It currently has 60k installs. During a recent audit…
Browsing Category
WordPress Security
674 posts
array_diff_ukey Usage in Malware Obfuscation
Luke Leal We discovered a PHP backdoor on a WordPress installation that contained some interesting obfuscation methods to keep it hidden from prying eyes: $zz1 = chr(95).chr(100).chr(101).chr(115).chr(116).chr(105).chr(110).chr(97).chr(116).chr(105).chr(111).chr(110);…
Multiple Vulnerabilities in the WordPress Ultimate Member Plugin
The Ultimate member plugin version 2.0.45 and lower is affected by multiple vulnerabilities, among them is a critical vulnerability allowing malicious users to read and…
Persistent XSS via CSRF in WP Meta and Date Remover
John Castro During regular research audits for our Sucuri Firewall (WAF), we discovered a Cross Site Request Forgery (CSRF) leading to a persistent Cross Site Scripting vulnerability…
Insufficient Privilege Validation in WooCommerce Checkout Manager
Due to the poor handling of a vulnerability disclosure, a new attack vector has appeared for the WooCommerce Checkout Manager WordPress plugin and is affecting…
Plugins Added to Malicious Campaign
We continue to see an increase in the number of plugins attacked as part of a campaign that’s been active for quite a long time.…
Free Premium themes? There’s always a catch
Pedro Peixoto OK, so we’ve all been there. We want something Premium, such as a paid version of an app or piece of software, but it would…
WP Plugin Hider
One of our analysts recently found an interesting injection that has been found on WordPress installations. Installed by hacker, it is used to hide a…
Defunct Malware Can Cause Problems Too
Harshad Mane Recently our incident response analyst Harshad Mane worked on a site that redirected users to a third-party malicious site whenever they logged into the WordPress…
From .tk Redirects to PushKa Browser Notification Scam
Denis Sinegubko In the past couple of years, we’ve been tracking a long-lasting campaign responsible for injecting malicious scripts into WordPress sites. This campaign leverages old vulnerabilities…
SQL Injection in Advance Contact Form 7 DB
As part of our regular research audits for our Sucuri Firewall, we discovered an SQL injection vulnerability affecting 40,000+ users of the Advanced Contact Form…