Insufficient Privilege Validation in NextScripts: Social Networks Auto-Poster

NextScripts: Social Networks Auto-Poster is a plugin that automatically publishes posts from your blog to your social media accounts such as Facebook, Twitter, Google+, Blogger, Tumblr, Flickr, LinkedIn, Instagram, Telegram, YouTube, WordPress, etc.

Vulnerabilities Digest: July 2020

Relevant Plugins and Vulnerabilities:
Plugin | Vulnerability | Patched Version | Installs
Asset CleanUp: Page Speed | Authenticated XSS | 1.4.6.7 | 80000
Quiz And Survey Master | Authenticated Stored XSS | 7.0.0 | 30000
Comments – wpDiscuz 7.0.0 – | Arbitrary Fi…

Vulnerabilities Digest: June 2020

Highlights for June 2020

Cross site scripting is still the most common vulnerability in WordPress Plugins. Bad actors are taking advantage of the lack of restrictions in critical functions and issues surrounding user input data sanitization.
Massive …

Cross Site Scripting in YITH WooCommerce Ajax Product Filter

During a routine research audit for our Sucuri Web Application Firewall, we discovered a cross-site scripting (XSS) vulnerability affecting 100,000+ users of the YITH WooCommerce Ajax Product Filter plugin.
Current State of the Vulnerability
Thi…

Misuse of WordPress update_option() function Leads to Website Infections

In the past four months, Sucuri has seen an increase in the number of plugins affected by the misuse of WordPress’ update_option() function. This function is used to update a named option/value in the options database table. If developers …

Icegram Persistent Cross-Site Scripting

Icegram is a plugin that helps you collect email addresses for your newsletter. Other features include light-box popup offers, header action bars, toast notifications, and slide-in messengers.
Versions 1.10.28.2 and lower are affected by a persistent …

Persistent Cross-site Scripting in WP Live Chat Support Plugin

During a routine research audit for our Sucuri Firewall, we discovered an unauthenticated persistent cross-site scripting (XSS) vulnerability affecting 60,000+ users of the WP Live Chat Support WordPress plugin.
Current State of the Vulnerability
Thoug…

Persistent XSS via CSRF in WP Meta and Date Remover

During regular research audits for our Sucuri Firewall (WAF), we discovered a Cross Site Request Forgery (CSRF) leading to a persistent Cross Site Scripting vulnerability affecting 70,000+ users of the WP Meta and Date Remover plugin for WordPress.
Di…

Insufficient Privilege Validation in WooCommerce Checkout Manager

Due to the poor handling of a vulnerability disclosure, a new attack vector has appeared for the WooCommerce Checkout Manager WordPress plugin and is affecting over 60,000 sites. If you are using this plugin, we recommend that you update it to version…