A New WordPress Malware called “wp-vcd” Distributes Via Pirated Themes

Denis Sinegubko (a security researcher from Sucuri) has discovered a new wave of the known malware wp-vcd, which injects malicious WordPress admin users into vulnerable or hacked websites. The researcher said that the wp-vcd malware comes preinstalled inside pirated WordPress premium themes offered for free download on some websites; he noticed that the malicious […]

More than 5,000 WordPress websites plagued with Keylogger

WordPress is one of the most used platforms in the world, with more than 75 million websites using its content management system (CMS), and that is reason enough for hackers to target WordPress-based websites. Old malware, new capabilities: recently, researchers at website security platform Sucuri discovered that 5,500 WordPress websites are infected with malware that was initially […]

Cloudflare[.]Solutions Keylogger on Thousands of Infected WordPress Sites

A few weeks ago, we wrote about a massive WordPress infection that injected an obfuscated script pretending to be jQuery and Google Analytics. In reality, this script loaded a CoinHive cryptocurrency miner from a third-party server. We also mentioned a post written back in April that described the cloudflare.solutions malware, which came along with the cryptominers. At this moment, PublicWWW reports there are 5,482 sites […]

WPSploit – WordPress Plugin Code Scanner

This tool is intended for Penetration Testers who audit WordPress plugins or developers who wish to audit their own WordPress plugins. For more info click here.

Usage
$ git clone https://github.com/m4ll0k/wpsploit.git
$ cd wpsploit
$ python wpsploit.py plugin_file.php

or

$ wget https://raw.githubusercontent.com/m4ll0k/wp_sploit/master/wpsploit.py
$ python wpsploit.py plugin_file.php

Example
$ wget https://plugins.svn.wordpress.org/analytics-for-woocommerce-by-customerio/trunk/admin/class-wccustomerio-admin.php
$ python wpsploit.py class-wccustomerio-admin.php

Download […]

Why is WordPress security important?

A hacked website (WordPress, etc.) can cause critical damage to your business revenue and reputation. Black-hat hackers can steal user data, passwords and emails, install malicious applications (such as cryptocurrency miners), and can even spread malware to your users. Similar to how it’s the store owner's responsibility to secure their physical store building, as […]

wpbf – WordPress Brute Force Tool

wpbf is a Python-based brute-force tool for remotely testing password strength, username enumeration and plugin detection on a WordPress site. How It Works: the script will try to log in to the WordPress dashboard through the login form using a mixture of enumerated usernames, a wordlist and relevant keywords from the blog’s content. If a single […]

WordPress releases the version 4.8.3 to address a serious SQL Injection vulnerability

WordPress developers fixed a serious SQL injection vulnerability on Tuesday with the release of version 4.8.3. Apply it as soon as possible. The vulnerability was reported by the researcher Anthony Ferrara, VP of engineering at Lingo Live, and addressed on Tuesday with the release of version 4.8.3. The vulnerability can be […]

Google Dorks To Find Vulnerable WordPress Sites

WordPress is one of the most popular blogging applications in the world and it's easy to install. This can make WordPress a prime target for those wanting to collect compromised hosting accounts for serving malicious content, spamming, phishing sites, proxies, rogue VPNs, C&C servers and web shells. What are Google Dorks? Google hacking, also […]

3 vulnerable WordPress plugins affecting 21,000 websites

21,000 Websites Affected after Exploitation of Three WordPress Plugin Zero-days – Solution: Update Those Plugins ASAP. Zero-day vulnerabilities are the greatest blessing for cybercriminals, and this time around hackers have managed to exploit not one or two but three of them. Security firm Wordfence reported that the three exploited vulnerabilities affected WordPress plugins but […]

Attackers Take Over WordPress, Joomla, JBoss Servers to Mine Monero

Attacks aimed at delivering cryptocurrency mining tools on enterprise networks have gone up as much as six times, according to telemetry data collected by IBM’s X-Force team between January and August 2017. A recent report by fellow cyber-security firm Kaspersky found that cryptocurrency mining malware also infected over 1.65 million machines running Kaspersky solutions in the first […]

Backdoor Found in WordPress Plugin With More Than 200,000 Installations

For the past two and a half months, a WordPress plugin named Display Widgets has been used to install a backdoor on WordPress sites across the Internet. The backdoor code was found between Display Widgets version 2.6.1 (released June 30) and version 2.6.3 (released September 2). The WordPress.org team has intervened and removed the plugin […]

WPSetup Attack Targets Fresh Installations of WordPress

Website developers often leave unfinished installations of WordPress on their servers. This can make it very easy for attackers to gain control over new installations of WordPress. Attackers can not only take over the WordPress website but also the entire hosting cluster that is associated with it. This is known as the WPSetup attack. The […]

REFLECTED XSS BUG PATCHED IN POPULAR WOOCOMMERCE WORDPRESS PLUGIN

An extension of the WooCommerce WordPress plugin, used by 28 percent of all online stores, has been patched against a reflected cross-site scripting vulnerability. The vulnerability was found in the Product Vendors plugin, which allows an existing ecommerce site to support multiple vendors, products and payment options. Versions 2.0.35 and earlier are affected by this […]

WordPress Plugin WatuPRO 5.5.1 – SQL Injection

#####################################
Exploit Title: SQL Injection In WatuPRO (WordPress Plugin to Create Exams, Tests and Quizzes)
Exploit Author: Manich Koomsusi
Date: 03-07-2017
Software: WatuPRO
Version: 5.5.1
Website: http://calendarscripts.info/watupro/
Tested on: WordPress 4.7.5
Software Link: https://1drv.ms/u/s!AhfkvGaDTn1bmgHSj9u_jQX8iME0
CVE: CVE-2017-9834
#####################################

Description
==================================
SQL Injection in the WatuPRO WordPress plugin for creating exams, tests and quizzes allows the attacker to dump […]

SQL Injection Vulnerability Found In WordPress Plugin Used By 300,000+ Sites

An SQL injection vulnerability has been found in WP Statistics, one of the most popular WordPress plugins, installed on 300,000 websites. The plugin makes it possible for administrators to monitor the statistics of a WordPress site without relying on external services, and it handles the data, whenever possible, in a way that respects the privacy of […]

SQL Injection flaw in WordPress Plugin WP Statistics potentially exposed 300,000+ Sites

Security experts at Sucuri have discovered a SQL Injection vulnerability in WP Statistics, one of the most popular WordPress plugins, that is currently installed on over 300,000 websites. The SQL Injection vulnerability in WP Statistics could be exploited by attackers, with […]

Malware Uses Fake WordPress API Domain to Steal Sensitive Cookies

Security researchers from Sucuri have found hacked WordPress sites that were altered to secretly siphon off cookies for user and admin accounts to a rogue domain imitating the WordPress API. The attacker was sending stolen cookies to code.wordprssapi[.]com, a domain that was imitating a non-existent WordPress service. Sucuri’s Cesar Anjos says he found this malware […]

Creating WordPress Admin Phishing Pages

Hi, welcome back. Today I will show you how to create WordPress phishing pages. Phishing is the practice of sending emails or fake pages in order to trick targets into unknowingly giving up personal information such as passwords and credit and debit card numbers. Phishing attacks are a social engineering method that relies solely on human […]

SESSION HIJACKING, COOKIE-STEALING WORDPRESS MALWARE SPOTTED

Researchers have identified a strain of cookie-stealing malware injected into a legitimate JavaScript file that masquerades as a WordPress core domain. Cesar Anjos, a security analyst at Sucuri, a firm that specializes in WordPress security, came across the malware during an incident response investigation and described it in a blog post Tuesday. Anjos says […]

WordPress Zero-Day Could Expose Password Reset Emails

Polish security expert Dawid Golunski has discovered a zero-day in the WordPress password reset mechanism that would allow an attacker to obtain the password reset link, under certain circumstances. The researcher published his findings yesterday, after reporting the flaw to the WordPress security team last July. After more than ten months and no progress, Golunski […]