- WPScan 4.0.0: We’re Back
  WPScan 4.0.0 is here. We read through years of community issues. We addressed every major complaint. 75+ open issues → 0. Explicit scan control. Authentication-based enumeration. Real-time streaming. Consolidated codebase. This is WPScan shaped by what you asked for. You Control What Gets Scanned. The #1 complaint: WPScan scanned plugins automatically, burning API requests and time you didn’t want…
- Unauthorized Plugin Installation/Activation in Hunk Companion
  This report highlights a vulnerability in the Hunk Companion plugin < 1.9.0 that allows unauthenticated POST requests to install and activate plugins directly from the WordPress.org repository. This flaw poses a significant security risk, as it enables attackers to install vulnerable or closed plugins, which can then be exploited for attacks such as Remote Code Execution…
- Identifying Traffic from Shell Finder Bots
  A shell finder is a type of reconnaissance tool used by threat actors to identify websites that have already been compromised and contain backdoor shells. A backdoor shell is a form of malware that is added by a threat actor after gaining unauthorized access to a website. The purpose of a backdoor shell is…
- Unpatched Vulnerability in TI WooCommerce Wishlist Plugin
  A few weeks ago an SQL injection was discovered in the TI WooCommerce Wishlist plugin. After looking closer, we found another entry point, affecting over 100,000 active installs. Despite the severity of this issue, the vendor has not yet provided a patch, leading to public disclosure. The vulnerability can be exploited by unauthenticated users, allowing…
- Unauthenticated Privilege Escalation in Profile-Builder plugin
  During a routine audit of various WordPress plugins, we identified some issues in Profile Builder and Profile Builder Pro (50k+ active installs). We discovered an Unauthenticated Privilege Escalation vulnerability which could allow attackers to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions. This vulnerability was fixed on…
- Object Injection vulnerability fixed in SEOPress 7.9
  During a routine audit of various WordPress plugins, we identified a few issues in SEOPress (300k+ active installs). More specifically, we discovered an authentication bug which could allow attackers to access certain protected REST API routes without having any kind of account on the targeted site. Digging deeper into what an attacker could do with this…
- 10 of the Best Website Security Tools to Stay Ahead of Hackers
  Which website security tools are really necessary for your site? What to consider before investing in new software. 10 must-have tools you can’t skip.
- The 10 Best Vulnerability Scanners for Effective Web Security
  7 factors for choosing the best vulnerability scanner. Top options compared on features, pros, cons, and pricing. 5 things that make a great scanner.
- A persistent twist in the current Malware Campaign
  Recently, while covering malware campaigns exploiting the LiteCache and WP-Automatic WordPress plugins, we found that attackers were installing php-everywhere, a plugin that allows users to run arbitrary PHP code in their site’s posts. This plugin was closed on April 25th per its author’s request. The reasoning behind this installation was to have persistent malware on the…
- Surge of JavaScript Malware in sites with vulnerable versions of LiteSpeed Cache Plugin
  If you’ve recently encountered the admin user wpsupp-user on your website, it means it’s being affected by this wave of infections. Identifying contamination signs: the malware typically injects code into critical WordPress files, or into the database when the vulnerable version of LiteSpeed Cache is exploited. Cleanup procedures: identifying malicious URLs and IPs…