WordPress released version 5.5.2 yesterday, which fixed a reflected XSS vulnerability we reported earlier this year. The root cause of this issue is a bug in the way WordPress determines a use...
https://blog.sucuri.net/2020/10/reflected-xss-in-wordpress-v5-5-1-and-lower.html
During a routine audit of WordPress plugins last December, we discovered a Stored XSS vulnerability in the very popular Elementor Page Builder plugin, which powers no less than 3 million+ webs...
https://blog.sucuri.net/2020/01/stored-xss-in-elementor.html
An authentication bypass vulnerability affecting more than 300,000 InfiniteWP Client plugin users has recently been disclosed to the public. This plugin allows site owners to manage multiple w...
https://blog.sucuri.net/2020/01/authentication-bypass-vulnerability-in-infinitewp-client.html
A new remote code execution (RCE) zero-day vulnerability has been disclosed by an anonymous researcher on the full disclosure mailing list this past Monday. This vulnerability is extremely s...
https://blog.sucuri.net/2019/09/zero-day-rce-in-vbulletin-v5-0-0-v5-5-4.html
Last week, WordPress released version 5.2.3, which was a security and maintenance update and, as such, contained many security fixes. Part of our day-to-day work is to analyse these security re...
https://blog.sucuri.net/2019/09/dissecting-the-wordpress-5-2-3-update.html
The open source PHP forum software MyBB recently published a new update, version 1.8.21. This is a security release fixing a Stored XSS vulnerability in the private messaging and post modules....
On May 28th, a critical OS Command Injection vulnerability affecting the WP-Database-Backup plugin was disclosed to the public by the Wordfence team. This is a very nasty bug which made it p...
https://blog.sucuri.net/2019/06/os-command-injection-in-wp-database-backup.html
While investigating the Duplicate Page plugin, we have discovered a dangerous SQL Injection vulnerability. Though the plugin wasn’t abused externally, the vulnerability impacted over 800,0...
https://blog.sucuri.net/2019/04/sql-injection-in-duplicate-page-wordpress-plugin.html
Magento has released a new security update fixing multiple types of vulnerabilities including Cross-Site Request Forgery, Cross-Site Scripting, SQL Injection, and Remote Code Execution. To b...
https://blog.sucuri.net/2019/03/sql-injection-in-magento-core.html
WordPress recently released an update, 5.1.1, which patches a stored XSS vulnerability in the platform’s comment system. Even 10 days after the release of this security patch, around 60% of ...
https://blog.sucuri.net/2019/03/stored-xss-patched-in-wordpress-5-1-1.html
A zero-day vulnerability has just appeared in the WordPress plugin world, affecting over 70,000 sites using the Social Warfare plugin. The plugin is vulnerable to a Stored XSS (Cross-Site Sc...
https://blog.sucuri.net/2019/03/zero-day-stored-xss-in-social-warfare.html