Browsing tag

Wordpress

Malware Uses Fake WordPress API Domain to Steal Sensitive Cookies

Security researchers from Sucuri have found hacked WordPress sites that were altered to secretly siphon off cookies for user and admin accounts to a rogue domain imitating the WordPress API. The attacker was sending stolen cookies to code.wordprssapi[.]com, a domain that was imitating a non-existent WordPress service. Sucuri’s Cesar Anjos says he found this malware […]

WordPress Zero-Day Could Expose Password Reset Emails

Polish security expert Dawid Golunski has discovered a zero-day in the WordPress password reset mechanism that would allow an attacker to obtain the password reset link, under certain circumstances. The researcher published his findings yesterday, after reporting the flaw to the WordPress security team last July. After more than ten months and no progress, Golunski […]

WordPress vulnerable to Cross-Site Request Forgery in Connection Information – Not yet fixed with last Update

WordPress vulnerable to Cross-Site Request Forgery in Connection Information – Not yet fixed with the last Update. WordPress is a free, open source content management system based on PHP and MySQL. It is one of the most powerful and most used blogging tools. This CSRF issue was found at the Summer of Pwnage hack event, which was held between July […]

Sathurbot: Distributed WordPress password attack

This article sheds light on the current ecosystem of the Sathurbot backdoor trojan, in particular exposing its use of torrents as a delivery medium and its distributed brute-forcing of weak WordPress administrator accounts. The torrent leecher Looking to download a movie or software without paying for it? There might be associated risks. It just might […]

Millions Of WordPress Websites Are At Risk Thanks To This Plugin

A popular WordPress gallery plugin with more than one million installations has recently patched a serious vulnerability that permits exploitation of the website’s database. Plugins are the backbone of WordPress and are what make it so elegant, but they can also be a pain, since most of the plugins […]

Critical SQL Injection Vulnerability Found in NextGEN Gallery WordPress Plugin

The vulnerability can lead to attackers grabbing data from website database or user sensitive information. A new SQL Injection vulnerability was discovered in the NextGen Gallery plugin for WordPress, allowing users to grab data from the victim’s website database, which may very well include sensitive user information. The discovery was made by researchers from Sucuri […]

WTF! WordPress Sites Hacked Using Recently Disclosed Vulnerability

Last week, we reported on an important zero-day flaw in WordPress that was silently patched by the company before hackers could get their hands on the nasty bug to exploit millions of WordPress websites. To ensure the security of millions of websites and their users, WordPress not on […]

ATTACKERS CAPITALIZING ON UNPATCHED WORDPRESS SITES

Attackers didn’t wait long to capitalize on laggards slow in updating their WordPress sites to patch a critical content injection vulnerability addressed in WordPress 4.7.2. The update was made public on Jan. 26 with WordPress disclosing six days later that the update also included a silent fix for an unauthenticated privilege escalation flaw in a […]

WordPress REST API Bug: Prevent Your Website From Being Hacked

Last week, WordPress patched three security flaws, but just yesterday the company disclosed a nasty, then-secret zero-day vulnerability that lets remote unauthorized hackers modify the content of any post or page within a WordPress website. The nasty bug resides in the WordPress REST API that could lead […]

Content Injection Vulnerability in WordPress 4.7.0 or 4.7.1

As part of a vulnerability research project for our Sucuri Firewall (WAF), we have been auditing multiple open source projects looking for security issues. While working on WordPress, we discovered a severe content injection (privilege escalation) vulnerability affecting the REST API. This vulnerability allows an unauthenticated user to modify the content of any post […]

WORDPRESS 4.7.2 UPDATE FIXES XSS, SQL INJECTION BUGS

Developers with WordPress fixed three security issues this week, including a cross-site scripting and a SQL injection vulnerability, with the latest version of the CMS. The update, 4.7.2, was pushed Thursday, only two weeks after developers released the previous version. Aaron Campbell, a WordPress core contributor, announced the update – a security release – on WordPress’ […]

WordPress 4.7.1 released, patches eight vulnerabilities and 62 bugs

According to the release notes, the latest version of WordPress, 4.7.1, addresses eight security vulnerabilities and 62 other bugs. On Wednesday, the latest version of WordPress, 4.7.1, was released by the WordPress Team; it is classified as a security release for all previous versions. According to the release notes, the new version addresses eight security flaws […]

WordPress, Joomla, and Magento Continue to Be the Most Hacked CMSs

Based on statistical data gathered by Sucuri from 7,937 compromised websites, WordPress, Joomla, and Magento, in this order, continued to be the most hacked CMS platforms in the third quarter of 2016 (months of July, August, and September). Among all hacked websites, 74% ran WordPress, which isn’t surprising if we take into account the CMS’ […]

How To Setup Free SSL On WordPress Using CloudFlare

In this tutorial we are going to show you how to use free SSL on your WordPress site using Cloudflare’s Free Flexible SSL. Note: Make sure you take a backup of your website first in case something goes wrong! How to: Step 1: Create an account at Cloudflare. Step 2: Add your website and select […]

How I Prevented HTTP 508 Error On My Site?

Short Bytes: This is a simple and real account of how I prevented the 508 resource limit error on my personal blog: how it all began, and how I ended up learning small yet very significant things that I otherwise never would have learned. For the past few months, I had been seeing a lot of attacks on […]

Popular WordPress Plugin Comes With a Backdoor, Steals Site Admin Credentials

Last summer we shared a story about the SweetCaptcha WordPress plugin injecting ads and causing malvertising problems for websites that leveraged the plugin. When this plugin was removed from the official WordPress Plugin directory, the authors revived another WordPress account with a long abandoned plugin and uploaded SweetCaptcha as a “new version” of that plugin. In […]

WordPress Sites Leveraged in Layer 7 DDoS Campaigns

We first disclosed that the WordPress pingback method was being misused to perform massive layer 7 Distributed Denial of Service (DDoS) attacks back in March 2014. The problem being that any WordPress website with the pingback feature enabled (its default setting) could be used to attack the availability of other websites. The attacks would inundate the web server with Layer […]

Web Reconnaissance Attack Infects 3,500 Websites, Possibly WordPress

Attackers are adding unauthorized code at the top of infected websites, with over 3,500 sites already infected. Alarms are ringing in Symantec’s offices, as its research team has discovered a massive Web injection campaign that’s currently infecting Web servers around the Internet. According to telemetry data received from Symantec security products, the company’s staff has identified […]