Author: Marc Montpas

  • Unauthenticated Stored XSS Fixed in WordPress Core

    WordPress Core recently released v6.5.2, fixing a Stored Cross‑Site Scripting issue in the Avatar block present in the 6.x versions. While investigating the patch, we identified that the issue could lead to Unauthenticated Stored Cross‑Site Scripting in the worst case, though that case requires a specific configuration. Versions 6.5.2, 6.4.4, 6.3.4, 6.2.5, 6.1.6…

  • File Inclusion Vulnerability Fixed In Essential Blocks 4.4.3

    During an analysis of the Essential Blocks plugin, we discovered a serious Local File Inclusion vulnerability that can be exploited by any attacker, regardless of whether they have an account on the site. When successfully exploited, this vulnerability may let attackers include arbitrary files hosted on the server, which are then parsed and executed as PHP…

  • Stored XSS Fixed In WP Go Maps 9.0.28

    During an analysis of the WP Go Maps plugin (formerly WP Google Maps), we discovered a serious Stored XSS vulnerability that can be exploited by any attacker, regardless of whether they have an account on the site. When successfully exploited, this vulnerability may let attackers perform any action the targeted logged‑in administrator is allowed…

  • Stored XSS Fixed In Popup Builder 4.2.3

    During an analysis of the Popup Builder plugin, we discovered a serious Stored XSS vulnerability that can be exploited by any attacker, regardless of whether they have an account on the site. When successfully exploited, this vulnerability may let attackers perform any action the targeted logged‑in administrator is allowed to do on the targeted…

  • Finding A RCE Gadget Chain In WordPress Core

    During a recent team gathering in Belgium, we had an impromptu Capture The Flag game that included a challenge with an SQL Injection vulnerability occurring inside an INSERT statement, meaning attackers could write arbitrary values into the targeted table’s columns and query information from the database, the intended “flag” being the credentials of a user…
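    The mechanism described above, as an added example that is not part of the original post or of the CTF challenge: a constructed Python/SQLite comment handler whose INSERT is built by string concatenation, shown next to the parameterized fix. It demonstrates how an injection inside an INSERT lets the attacker both choose what is written into the new row and, through a subquery placed where a column value belongs, read another table's data back out of that row. The table and column names, the seeded hash value and the payload are all assumptions chosen for the demo.

```python
import sqlite3

# Constructed demo (not the CTF challenge's code): a comment handler whose
# INSERT is built by string concatenation, next to the parameterized fix.
# Table and column names and the seeded hash are assumptions for the example.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT);
INSERT INTO users (user_login, user_pass) VALUES ('admin', 'constructed-admin-hash');
"""


def fresh_db():
    """Return an in-memory SQLite database seeded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_comment_vulnerable(conn, author, body):
    """Vulnerable: attacker-controlled strings are spliced into the statement."""
    sql = "INSERT INTO comments (author, body) VALUES ('%s', '%s')" % (author, body)
    conn.execute(sql)
    conn.commit()


def add_comment_safe(conn, author, body):
    """Fixed: placeholders keep the input as data, whatever it contains."""
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    conn.commit()


def list_comments(conn):
    """Everything a visitor would see on the rendered comment list."""
    return [tuple(r) for r in conn.execute("SELECT author, body FROM comments ORDER BY id")]


# The payload closes the author literal, supplies a subquery as the value of the
# body column, closes the VALUES tuple and comments out the rest of the statement.
# The resulting SQL is:
#   INSERT INTO comments (author, body)
#   VALUES ('eve', (SELECT user_pass FROM users WHERE user_login = 'admin')) -- ', 'hi')
PAYLOAD_AUTHOR = "eve', (SELECT user_pass FROM users WHERE user_login = 'admin')) -- "


def run_vulnerable():
    """Submit the payload through the vulnerable handler: the admin hash lands in the comment body."""
    conn = fresh_db()
    add_comment_vulnerable(conn, PAYLOAD_AUTHOR, "hi")
    return list_comments(conn)


def run_safe():
    """Submit the same payload through the fixed handler: it is stored verbatim as text."""
    conn = fresh_db()
    add_comment_safe(conn, PAYLOAD_AUTHOR, "hi")
    return list_comments(conn)


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())  # [('eve', 'constructed-admin-hash')]
    print("fixed:     ", run_safe())        # [(PAYLOAD_AUTHOR, 'hi')]
```

    The read primitive is the subquery: whatever it returns becomes a column of a row the attacker can later view. The write primitive is the rest of the VALUES tuple, which the attacker now fully controls, so they decide exactly what ends up in every column of the inserted row. The fix is to never concatenate input into the statement; in WordPress code the equivalent of the placeholder version is `$wpdb->prepare()`.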

  • Email Leak Oracle Vulnerability Addressed in WordPress 6.3.2

    During a thorough analysis of WordPress’ internals, we discovered a subtle bug that allowed unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website. If successfully exploited, attackers could harvest email addresses, putting user privacy at risk. Upon identifying the vulnerability, we promptly alerted the WordPress team, who released…

  • Arbitrary Plugin Installation Vulnerability In Formidable Forms

    During a recent internal review of the Formidable Forms plugin, we found a serious security issue that could allow low‑privileged users such as subscribers to install arbitrary plugins on vulnerable sites. Exploiting this vulnerability could let malicious users install any plugin available on downloads.wordpress.org, which can lead to…

  • SQL Injection Found And Fixed In Slimstat Analytics and Paid Memberships Pro

    During an internal audit of the Slimstat Analytics and Paid Memberships Pro plugins, the WPScan research team uncovered two SQL Injection vulnerabilities that could allow low‑privileged users such as subscribers to leak sensitive information from a site’s database. If exploited, these vulnerabilities could grant attackers access to privileged information from impacted sites’ databases, such as usernames and…

  • A Note On CSV Injection Reports

    We process a large number of submissions every day, some of which have a high impact on the WordPress ecosystem, and others less so. To ensure that our work effectively helps make the web a safer place, we have to prioritize the submissions we receive. As part of that, we’d like to clarify…

Blog at WordPress.com.