An Overview of Basic WordPress Hardening

We have discussed in the past how out-of-the-box security configurations tend to not be very secure. This is usually true for all software and WordPress is no exception.
While there is a plethora of different ways that site owners can lock down their…

SEO Spam Links in Nulled Plugins

It’s not unusual to see website owners running things on a budget. Choosing a safe and reliable hosting company, buying a nice domain name, boosting posts on social media, and ranking on search engines — all this costs a lot of money. At the end of th…

The Dangers of Using Abandoned Plugins & Themes

It’s not very often that we see abandoned components being used on a website — but when we do, it’s most often because the website was exhibiting malware-like behavior and we were called to investigate and clean up the site.
Old and abandoned plugins …

Hackers Love Expired Domains

Sometimes, website owners no longer want to own a domain name and they allow it to expire without attempting to renew it.
This happens all the time and is totally normal, but it’s important to remember that attackers regularly monitor domain expiratio…

Sucuri Sit-Down Episode 4: XSS & WP Plugin Vulnerabilities with Antony Garand

October is National Cyber Security Awareness Month, and we’re back with analyst Antony Garand to take a deeper look into cross-site scripting (XSS) attacks and WordPress plugin vulnerabilities. Plus, host Justin Channell will catch you up on the lates…

WordPress Malware Disables Security Plugins to Avoid Detection

An alarm or monitoring system is a great tool that can be used to improve the security of a home or website, but what if an attacker can easily disable it?
I’ve previously written about malware that reverses security hardening measures enacted either …

Reflected XSS in WordPress Plugin Admin Pages

The administrative dashboard in WordPress is a pretty safe place: Only elevated users can access it. Exploiting a plugin’s admin panel would serve very little purpose here — an administrator already has the required permissions to do all of the action…
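The reason reflected XSS on an admin-only page still matters is that the attacker does not need to reach the page themselves: a logged-in administrator who clicks a crafted link executes the injected script with the administrator's own capabilities. The following is an added illustration, not code from the Sucuri post or from any real plugin; the plugin slug `demo-settings`, the `tab` query parameter, the option name and the nonce action are all hypothetical. It shows the vulnerable pattern (echoing a request value straight into the page) next to a hardened version that combines a capability check, a whitelist on the input, context-appropriate output escaping, and a nonce on the state-changing action.

```php
<?php
// Added example, not from the original page. Names such as demo-settings,
// the "tab" parameter, demo_last_tab and demo_save_settings are hypothetical.

// VULNERABLE: the tab name comes from the query string and is echoed as-is.
// An attacker who gets an administrator to open
//   wp-admin/options-general.php?page=demo-settings&tab=%3Cscript%3E...
// runs script in the admin's session, with the admin's privileges.
function demo_settings_page_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    echo '<h2>Settings: ' . $tab . '</h2>';
    echo '<a href="?page=demo-settings&tab=' . $tab . '">Reload</a>';
}

// HARDENED: four independent controls.
//  1. Capability check, even though add_options_page() below already gates
//     the menu entry; the callback should not trust how it was reached.
//  2. Whitelist the tab value instead of accepting whatever was requested.
//  3. Escape on output for the context the value lands in: esc_html() for
//     text nodes, esc_attr() for attributes, esc_url() for hrefs.
//  4. A nonce on the form, so the admin cannot be driven into a state change
//     by a crafted link (CSRF), the usual companion of admin-page XSS.
function demo_settings_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to view this page.', 'demo' ) );
    }

    $allowed_tabs = array( 'general', 'advanced' );
    $requested    = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
    $tab          = in_array( $requested, $allowed_tabs, true ) ? $requested : 'general';

    echo '<h2>Settings: ' . esc_html( $tab ) . '</h2>';

    $reload = add_query_arg(
        array( 'page' => 'demo-settings', 'tab' => $tab ),
        admin_url( 'options-general.php' )
    );
    echo '<a href="' . esc_url( $reload ) . '">Reload</a>';

    echo '<form method="post">';
    wp_nonce_field( 'demo_save_settings', 'demo_nonce' );
    echo '<input type="hidden" name="tab" value="' . esc_attr( $tab ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// Handler for the form above: verify the nonce and the capability before
// touching any option, and sanitize the value that is stored.
function demo_handle_save() {
    if ( ! isset( $_POST['demo_nonce'] ) || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'demo_save_settings', 'demo_nonce' );
    $tab = isset( $_POST['tab'] ) ? sanitize_key( wp_unslash( $_POST['tab'] ) ) : 'general';
    update_option( 'demo_last_tab', $tab );
}
add_action( 'admin_init', 'demo_handle_save' );

add_action( 'admin_menu', function () {
    add_options_page(
        'Demo Settings',
        'Demo Settings',
        'manage_options',
        'demo-settings',
        'demo_settings_page_hardened'
    );
} );
```

Dropping this into a plugin file and visiting the settings page with `&tab=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E` shows the difference: the vulnerable callback renders the tag, while the hardened one falls back to `general` and the escaping would neutralize the value even if the whitelist were removed.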

Insufficient Privilege Validation in NextScripts: Social Networks Auto-Poster

NextScripts: Social Networks Auto-Poster is a plugin that automatically publishes posts from your blog to your Social Media accounts such as Facebook, Twitter, Google+, Blogger, Tumblr, Flickr, LinkedIn, Instagram, Telegram, YouTube, WordPress, etc.

Critical Vulnerability in File Manager Plugin Affecting 700k WordPress Websites

Yesterday, the WordPress plugin File Manager was updated, fixing a critical vulnerability allowing any website visitor to gain complete access to the website.
Users of our WAF were never vulnerable to this exploit. The Sucuri firewall blocks malicious…

Vulnerabilities Digest: July 2020

Relevant Plugins and Vulnerabilities:

Plugin                       | Vulnerability             | Patched Version | Installs
Asset CleanUp: Page Speed    | Authenticated XSS         | 1.4.6.7         | 80,000
Quiz And Survey Master       | Authenticated Stored XSS  | 7.0.0           | 30,000
Comments – wpDiscuz 7.0.0 –  | Arbitrary Fi…             |                 |