Channel: Sucuri Blog

Vulnerability found in the All in One SEO Pack WordPress Plugin

The team behind the All in One SEO Pack just released a new version of their popular WordPress plugin. It is a security release patching two privilege escalation vulnerabilities we discovered earlier...


Disclosure: Remote Code Execution Vuln in Disqus

We recently found a security vulnerability in the Disqus Comment System plugin for WordPress. It could, under very specific conditions, allow an attacker to perform arbitrary remote code execution...


Disclosure: Insecure Nonce Generation in WPtouch

If you use the popular WPtouch plugin (5m+ downloads) on your WordPress website, you should update it immediately. During a routine audit for our WAF, we discovered a very dangerous vulnerability that...


Critical Vulnerability Disclosed on WordPress Custom Contact Forms Plugin

If you’re using the Custom Contact Forms WordPress plugin, you need to update it right away. During a routine audit for our WAF, we found a critical vulnerability that allows an attacker to download...


Security Advisory – Akeeba Backup for Joomla!

This post is available in Spanish (Este post está disponible en español). We have also released a more recent post exploring this vulnerability further: The Details Behind the Akeeba Backup...


Security Advisory – VirtueMart Extension for Joomla!

Advisory for: VirtueMart for Joomla! Security Risk: High Exploitation level: Easy/Remote Vulnerability: Access control bypass / Increase of Privilege Updated Version: 2.6.10c Patched Version: 2.6.8c If...


Security Advisory – Hikashop Extension for Joomla!

Advisory for: Hikashop for Joomla! Security Risk: High (DREAD score : 7/10) Vulnerability: Object Injection / Remote Code Execution Updated Version: 2.3.2 In a routine audit of our Website Firewall we...


The Details Behind the Akeeba Backup Vulnerability

It’s been a month since our disclosure of a low-severity vulnerability affecting Akeeba Backup version 3.11.4, which allowed an attacker to list and download backups from a target website using the...


Deep Dive into the HikaShop Vulnerability

It’s been two months since our disclosure of an Object Injection vulnerability affecting versions <2.3.3 of the Joomla! Hikashop extension. The vulnerability allowed an attacker to execute malicious...


Security Advisory – High severity – WP-Statistics WordPress Plugin

Advisory for: WordPress WP-Statistics Plugin Security Risk: High (DREAD score : 7/10) Exploitation level: Easy/Remote Vulnerability: Stored XSS which executes on the administration panel. Patched...


Security advisory – High severity – InfiniteWP Client WordPress plugin

Advisory for: InfiniteWP Client for WordPress Security Risk: High (DREAD score : 8/10) Exploitation level: Easy/Remote Vulnerability: Privilege escalation and potential Object Injection vulnerability....


Critical vulnerability affecting HD FLV Player

We’ve been notified of a critical vulnerability affecting the HD FLV Player plugin for Joomla!, WordPress and custom websites. It was silently patched on Joomla! and WordPress, leaving the custom...


vBSEO’s Vulnerability Leads to Remote Code Execution

We were notified last week that the vBulletin team sent an email to all their clients about a potential security vulnerability in vBSEO. After further investigation, we confirm that this is a very...


Security Advisory – Vulnerabilities in Pagelines/Platform theme for WordPress

Advisory for: Pagelines and Platform Themes Security Risk: Very High Exploitation level: Easy/Remote DREAD Score: 9/10 Vulnerability: Privilege Escalation / Remote Code Execution Patched Version:...


Critical “GHOST” Vulnerability Released

A very critical vulnerability affecting the GNU C Library (glibc) is threatening Linux servers for a remote command execution. This security bug was discovered by Qualys security researchers and will...


Advisory – Dangerous "nonce" leak in UpdraftPlus

Advisory for: UpdraftPlus Security Risk: High Exploitation level: Remote DREAD Score: 7/10 Vulnerability: Privilege Escalation Patched Version: 1.9.51 If you’re a user of the UpdraftPlus plugin for...


Analysis of the Fancybox-For-WordPress Vulnerability

We were alerted last week of a malware outbreak affecting WordPress sites using version 3.0.2 and lower of the fancybox-for-wordpress plugin. As announced, here are some of the details explaining how...


Security Advisory – WP-Slimstat 3.9.5 and lower

Advisory for: WP-Slimstat Security Risk: Very high Exploitation level: Remote DREAD Score: 8/10 Vulnerability: Weak Cryptographic keys leading to SQL injections Patched Version: 3.9.6 WP-Slimstat’s...
