WebARX — A Defensive Core For Your Website
Estonian-based web security startup WebARX, the company that is also behind the open-source plugin vulnerability scanner WPBullet and the soon-to-be-released bug bounty platform plugbounty.com, has a big vision for a safer web. It built a defensive core for websites which is embedded deep inside the...
This Week in Security News: New Zero-Day Vulnerability Findings and Mobile Phishing Scams
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how music festival-goers need to be on guard for phishing attacks when trying to find a lost iPhone. Also, read how Trend Micro...
CVE-2017-18558
The bws-testimonials plugin before 0.1.9 for WordPress has multiple XSS issues...
Critical Unpatched Flaw Disclosed in WordPress WooCommerce Extension
If you own an eCommerce website built on WordPress and powered by the WooCommerce plugin, then beware of a new, unpatched vulnerability that has been made public and could allow attackers to compromise your online store. A WordPress security company—called "Plugin Vulnerabilities"—that has recently gone...
Hackers Actively Exploiting Widely-Used Social Share Plugin for WordPress
Hackers have been found exploiting a pair of critical security vulnerabilities in one of the most popular social media sharing plugins to take control of WordPress websites that are still running a vulnerable version of the plugin. The vulnerable plugin in question is Social Warfare, which is a popul...
A week in security (March 25 – 31)
Last week, we looked at plugin vulnerabilities, location tracking app problems, and talked about plain text password woes. We also looked at federal data privacy regulation and took a deep dive into BatMobi adware. Other cybersecurity news: Poisoned software update headache for ASUS. Source: The...
Cyber Security Week in Review (March 28)
Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world. Top headlines this week: ASUS had to release an emergency fix for malware that may have been accidentally deployed to their machines. Attackers may have...
Plugin vulnerabilities exploited in traffic monetization schemes
In their Website Hack Trend Report, web security company Sucuri noted that WordPress infections rose to 90 percent in 2018. One aspect of Content Management System (CMS) infections that is sometimes overlooked is that attackers not only go after the CMSes themselves—WordPress, Drupal, etc.—but also...
[SECURITY] [DLA 1716-1] ikiwiki security update
Package: ikiwiki. Version: 3.20141016.4+deb8u1. CVE ID: CVE-2019-9187. The ikiwiki maintainers discovered that the aggregate plugin did not use LWPx::ParanoidAgent. On sites where the aggregate plugin is enabled, authorized wiki editors could tell ikiwiki to fetch potentially undesired URIs even ...
Multiple vulnerabilities in Jenkins Global Build Stats plugin (CNVD-2018-15256)
Jenkins is an open source automation server. Jenkins provides numerous plug-ins that support building, deploying, and automating projects. Global Build is a plug-in that allows two geographically separate Jenkins instances to automatically trigger each other. The Jenkins Global Build Stats...
MapsMarker.com e.U.: [Informational] Possible SQL Injection in inc/ajax-actions-frontend.php
At first I thought that my finding was a valid SQL injection, but I was wrong because WordPress currently adds magic slashes to COOKIE/POST/GET - this is a very special behaviour which may be removed in the future. There are tons of requests to remove this "old" technique. Nevertheless I...
WordPress Splashing Images 2.1 Cross Site Scripting / PHP Object Injection
Product: WordPress Splashing Images Plugin - https://wordpress.org/plugins/wp-splashing-images/. Vendor: Studio Espresso. Tested version: 2.1. CVE ID: CVE-2018-6194. CVE description: A cross-site scripting (XSS) vulnerability in admin/partials/wp-splashing-admin-sidebar.php in the...
WordPress Plugin Vulnerabilities 2017 VS. Static Analysis
WordPress is used by 29.0% of all websites [1]. Due to its wide adoption, the security of WordPress plugins in particular has moved into the focus of cyber criminals. Often, the plugins provided by third parties do not share the same level of security as the WordPress core itself. Security...
WP Support Plus Responsive Ticket System < 8.0.8 - Remote Code Execution
WP Support Plus Responsive Ticket System Choose a file ending with .phtml: After doing this, an uploaded file can be accessed at, say: http://example.com/wp-content/uploads/wpsp/1510248571filename.phtml...
WordPress Newsletter 4.6.0 Cross Site Request Forgery / Cross Site Scripting
Exploit for PHP platform in category web applications. WordPress Plugin: Newsletter 4.6.0 (https://wordpress.org/plugins/newsletter/) is vulnerable to CSRF and XSS. The issue is supposed to be fixed in version 4.6.1. See https://wordpress.org/plugins/newsletter/changelog/ for more details. 1. Store...
WordPress Patches WP Mobile Detector Plugin Zero Day
A WordPress plugin was patched Thursday night, close to a week after reports began to surface of public attacks against a zero-day vulnerability. WP Mobile Detector was pulled from the WordPress Plugin Directory once the attacks went public. It was restored last night and users are urged to updat...
JVN#13288761: baserCMS plugin "Recruit Plugin" multiple vulnerabilities
baserCMS plugin "Recruit Plugin" contains multiple vulnerabilities: Cross-site scripting (CWE-79) - CVE-2016-1169

| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Base Score: 6.1 |
| CVSS v2 | AV:N/AC:L/Au:S/C:N/I:P/A:N | Base Score: 4.0 |

Cross-site request forgery...
WordPress My Calendar Plugin 2.4.10 - Multiple Vulnerabilities
The My Calendar plugin is prone to multiple vulnerabilities, such as CSRF and XSS. Solution: Update the plugin...
WordPress Patches Critical XSS Vulnerability in All Builds
WordPress rolled out a new version of its content management system this morning that addresses a nasty cross-site scripting (XSS) vulnerability that could ultimately lead to site compromise. According to Gary Pendergast, an engineer at Automattic, WordPress’ parent company, the XSS vulnerability...
CVE-2015-1580
Multiple cross-site request forgery (CSRF) vulnerabilities in the Redirection Page plugin 1.2 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings or conduct cross-site scripting (XSS) attacks via the (2) source or (3) redir...