Website Security News

May 23, 2019Eugene Wozniak

.htaccess Injector on Joomla and WordPress Websites

During the process of investigating one of our incident response cases, we found an .htaccess code injection. It had been widely spread on the website, injected into all .htaccess files and redirecting visitors to the http[:]//portal-f[.]pw/XcTyTp advertisement website. Taking a Look at the .htaccess Injector…

May 21, 2019Antony Garand

Slimstat: Stored XSS from Visitors

The WordPress Slimstat plugin, which currently has over 100k installs, allows your website to gather analytics data for your WordPress website. It will track certain information such as the browser…

May 20, 2019Bruno Zanelato

W97M/Downloader Malware Dropper Served from Compromised Websites

W97M/Downloader is part of a large banking malware operation that peaked in March 2016. Bad actors have been distributing this campaign for well over a year, which serves as a…

May 17, 2019Josh Hammer

Who is Responsible for the Security of Your Website?

On a daily basis at Sucuri, we hear things like: “My host takes care of my website security.” “I have never been hacked, so why should I care?” Or here’s…

May 15, 2019John Castro

Persistent Cross-site Scripting in WP Live Chat Support Plugin

During a routine research audits for our Sucuri Firewall, we discovered an Unauthenticated Persistent Cross-Site Scripting (XSS) affecting 60,000+ users of the WP Live Chat Support WordPress plugin. Current State…

May 15, 2019Antony Garand

WordPress Plugin Give – Stored XSS for Donors

Give is a WordPress plugin which allows users to setup a donation page on a website. It currently has 60k installs. During a recent audit of the plugin, we found…

May 13, 2019Antony Garand

Multiple Vulnerabilities in the WordPress Ultimate Member Plugin

The Ultimate member plugin version 2.0.45 and lower is affected by multiple vulnerabilities, among them is a critical vulnerability allowing malicious users to read and delete your wp-config.php file, which…

May 11, 2019Chase Watts

New Guide on the Sucuri Referral Program

Referral programs and affiliate marketing opportunities can be found on many web-based company sites, however, often they’re overlooked. Commonly people consider these programs as something that they, “should leave to the…

May 10, 2019Alycia Mitchell

Free Website Security Consultation for GoDaddy Pros

Sucuri is partnering with GoDaddy Pro to make the internet more secure, one website professional at a time. Developers, designers, agencies, and freelancers now have an exclusive avenue to level…

May 7, 2019John Castro

Persistent XSS via CSRF in WP Meta and Date Remover

During regular research audits for our Sucuri Firewall (WAF), we discovered a Cross Site Request Forgery (CSRF) leading to a persistent Cross Site Scripting vulnerability affecting 70,000+ users of the…

May 6, 2019Denis Sinegubko

Replica Spam on Poorly Maintained ASP Site

Although the majority of sites we work on are powered by PHP, we still have clients whose sites use other programming languages. The other day we cleaned an ASP site…