The Impacts of a Hacked Website

Today, with the proliferation of open-source technologies like WordPress, Joomla and other Content Management Systems (CMS) people around the world are able to quickly establish a virtual presence with little to no cost. In the process however, a
Read More

Understanding WordPress Plugin Vulnerabilities

The last 7 days have been very busy with a number of vulnerabilities being disclosed on multiple WordPress plugins. Some of them are minor issues, some are more relevant, while others are what we'd categorize as noise. How are you supposed to make
Read More

Inverted WordPress Trojan

redirect-up-result

A trojan (or trojan horse) is software that does (or pretends to be doing) something useful but also contains a secret malicious payload that inconspicuously does something bad. In WordPress, typical trojans are plugins and themes (usually pirated)
Read More

Security Advisory: MainWP-Child WordPress Plugin

mainwpday0

Security Risk: Critical Exploitation Level: Very Easy/Remote DREAD Score: 9/10 Vulnerability: Password bypass / Privilege Escalation Patched Version:  2.0.9.2 During a routine audit of our Website Firewall (WAF), we found a critical v
Read More

Why A Free Obfuscator Is Not Always Free.

We all love our code but some of us love it so much that we don't want anyone else to read or understand it. When you think about it, that’s understandable – hours and hours of hard dev work, days of testing and weeks (months?, years?) of fixing bugs
Read More

Malware Cleanup to Arbitrary File Upload in Gravity Forms

file-modified

During our regular cleanup process we came across a reinfection case that caught our attention. This particular environment didn't have anything special or fancy, it was an updated WordPress installation and had 3 out-of-date plugins; that's
Read More

Why Websites Get Hacked

I spend a good amount of time engaging with website owners across a broad spectrum of businesses. Interestingly enough, unless I’m talking large enterprise, there is a common question that often comes up: Why would anyone ever hack my w
Read More

Security Advisory – WP-Slimstat 3.9.5 and Lower

The weak 'secret' token

Advisory for: WP-Slimstat Security Risk: Very high Exploitation level: Remote DREAD Score: 8/10 Vulnerability: Weak cryptographic keys leading to SQL injections Patched Version: 3.9.6 WP-Slimstat users should update as soon as possible! Duri
Read More

Vulnerability Disclosures – A Note To Developers

This post is entirely for developers. Feel free to read, but approach it with that in mind. There is no such thing as bug-free code. We all make mistakes and every piece of software will have issues that we did not anticipate. We ourselves find
Read More

Analysis of the Fancybox-For-WordPress Vulnerability

Sucuri - Fancybox-for-WordPress Code

We were alerted last week of a malware outbreak affecting WordPress sites using version 3.0.2 and lower of the fancybox-for-wordpress plugin. As announced, here are some of the details explaining how attackers could use this vulnerability to inject ma
Read More