PHP Repository Exploited by Hackers

The official PHP git repository, http://git.php.net/, was compromised this Sunday, March 28.
An attacker was able to modify the PHP source code twice and inject a backdoor into it. Thankfully, both attempts were quickly detected and removed by the PHP…

Reflected XSS in WordPress Plugin Admin Pages

The administrative dashboard in WordPress is a pretty safe place: Only elevated users can access it. Exploiting a plugin’s admin panel would serve very little purpose here — an administrator already has the required permissions to do all of the action…

Critical Vulnerability in File Manager Plugin Affecting 700k WordPress Websites

Yesterday, the WordPress plugin File Manager was updated, fixing a critical vulnerability that allowed any website visitor to gain complete access to the website.
Users of our WAF were never vulnerable to this exploit. The Sucuri firewall blocks malicious…

Duplicated Vulnerabilities in WordPress Plugins

During a recent plugin audit, we noticed a weird pattern among many plugins responsible for performing a specific task: duplicating a page or a post.
With a bit of research, we came to the following conclusion: many of these plugins came from the same…

Creative Phishing for Digital Gold on RuneScape

RuneScape is an extremely popular massively multiplayer online game. With over 200 million generated accounts, its claim to fame is that it’s one of the largest free MMORPGs ever created.
At the current time of writing, 1 million in-game go…

Why Hackers Create Phishing Campaigns

Phishing is a malicious attempt to obtain a victim’s personally identifiable information. The first thing to keep in mind about phishing is the goal of the attackers.
In the first post of this series, we explained how to recognize a phishing cam…

WordPress Plugin WP Statistics: Unauthenticated Stored XSS Under Certain Configurations

The WordPress plugin WP Statistics, which has an active installation base of 500k users, has an unauthenticated stored XSS vulnerability on versions prior to 12.6.7.
This vulnerability can only be exploited under certain configurations—the defau…

Slimstat: Stored XSS from Visitors

The WordPress Slimstat plugin, which currently has over 100k installs, gathers analytics data for your WordPress website. It will track certain information such as the browser and operating system details, plus page visits to opt…

WordPress Plugin Give – Stored XSS for Donors

Give is a WordPress plugin which allows users to set up a donation page on a website. It currently has 60k installs.
During a recent audit of the plugin, we found a severe vulnerability which allows donors to inject arbitrar…