WordPress Plugin Give – Stored XSS for Donors

Give is a WordPress plugin which allows users to set up a donation page on a website. It currently has 60k installs.
During a recent audit of the plugin, we found a severe vulnerability which allows donors to inject arbitrar…

Multiple Vulnerabilities in the WordPress Ultimate Member Plugin

The Ultimate Member plugin version 2.0.45 and lower is affected by multiple vulnerabilities, among them a critical vulnerability allowing malicious users to read and delete your wp-config.php file, which can lead to a complete website takeover.
All…

Persistent XSS via CSRF in WP Meta and Date Remover

During regular research audits for our Sucuri Firewall (WAF), we discovered a Cross Site Request Forgery (CSRF) leading to a persistent Cross Site Scripting vulnerability affecting 70,000+ users of the WP Meta and Date Remover plugin for WordPress.
Di…

Insufficient Privilege Validation in WooCommerce Checkout Manager

Due to the poor handling of a vulnerability disclosure, a new attack vector has appeared for the WooCommerce Checkout Manager WordPress plugin and is affecting over 60,000 sites. If you are using this plugin, we recommend that you update it to version…

SQL Injection in Advance Contact Form 7 DB

As part of our regular research audits for our Sucuri Firewall, we discovered an SQL injection vulnerability affecting 40,000+ users of the Advanced Contact Form 7 DB WordPress plugin.
Current State of the Vulnerability
This plugin saves all Contact F…

Attacks on Closed WordPress Plugins

The WordPress plugin repository team may “close” plugins and restrict downloads when they become aware of a security issue that the developer cannot fix quickly.
However, bad actors are actively monitoring the WordPress plugin repository,…

SQL Injection in Duplicate-Page WordPress Plugin

While investigating the Duplicate Page plugin we have discovered a dangerous SQL Injection vulnerability.
It was not being abused externally and impacts over 800,000 sites. Its urgency is defined by the associated DREAD score that looks at dama…