Thousands of Sites with Popup Builder Compromised by Balada Injector
Denis Sinegubko On December 11, 2023 WPScan published Marc Montpas’ research on the stored XSS vulnerability in the popular Popup Builder plugin (200,000+ active installation) that was…
What is the Principle of Least Privilege?
Rianna MacLeod If you own a website and collaborate with other people, the Principle of Least Privilege (PoLP) is a crucial security concept which has applications and…
How to Stop a DDoS Attack in 5 Steps
Victor Santoyo As a website administrator, keeping your site online during large traffic spikes is what you strive for. But how can you be sure traffic spikes…
WordPress Vulnerability & Patch Roundup December 2023
Sucuri Malware Research Team Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes…
New Guide: Broken Access Control
The complexity of modern websites exposes countless potential vulnerabilities to lurking attackers. One of the most underestimated threats? Broken Access Control (BAC). The risk lies…
MageCart WordPress Plugin Injects Malicious User & Credit Card Skimmer
Ben Martin One of our analysts recently found an interesting malicious plugin injected into a WordPress / WooCommerce ecommerce website which both creates and conceals a bogus…
What is a Content Security Policy (CSP)
Gerson Ruiz It’s always a good idea to be aware of the security issues that might affect your site. For example, cross-site scripting (XSS) attacks consist of…
Analysis of the Fake WordPress CVE-2023-46182 Patch Plugin & Phishing Campaign
On December 1, 2023, several security researchers reported about a new phishing campaign targeting WordPress administrators. WordPress sites owners had started receiving emails from WordPress.com…
Critical RCE Vulnerability Patched in Backup Migration Plugin
On December 6th, 2023, the WordPress plugin Backup Migration received a critical security patch for a remote code execution vulnerability. Details were released five days…
WPScan Intro: How to Scan for WordPress Vulnerabilities
In this post, we will look at how to use WPScan as a WordPress vulnerability scanner. This security tool provides you with a better understanding…
40 New Domains of Magecart Veteran ATMZOW Found in Google Tag Manager
Hackers like Google Tag Manager: millions of sites use it, and they can inject custom scripts and HTML code via a script from the highly…