• Arbitrary Plugin Installation Vulnerability In Formidable Forms

    During a recent internal review of the Formidable Forms plugin, a serious security issue was detected which could potentially enable users with low privileges such as subscribers to install arbitrary plugins on vulnerable sites. The exploitation of this vulnerability could grant malicious users the power to install any plugin available on downloads.wordpress.org, which can lead to… More

  • WordPress VIP Integrates WPScan to Flag Potential Vulnerabilities with Major Sites Before They Go to Production

    WordPress VIP hosts many of the largest sites on the web, and as such these sites are likely targets of cyber attacks. Sites hosted by WordPress VIP can’t afford to have a vulnerability live for a single minute. That’s a tough ask for site managers given that there are more than 38,000 known WordPress vulnerabilities,… More

  • Uncovering a PHAR Deserialization Vulnerability in WP Meta SEO and Escalating to RCE

    During an internal audit, the WPScan team found a vulnerability in the WP Meta SEO plugin. This vulnerability allows attackers with at least Author privileges to upload and deserialize a PHAR file, leading to arbitrary PHP object deserialization. We were able to escalate this vulnerability to remote code execution, without the need for additional code… More

  • WP Engine’s Security Team Creates Custom Workflow with WPScan to Protect Clients

    CASE STUDY How WP Engine automates security for over 1.5 million customer sites with WPScan. The Hero: WP Engine The Problem “We know that there are other options out there, but given the sense of completeness and alerts for ALL relevant plugins, we never had a need to go crosscheck WPScan against anyone else.” — Brent Stackhouse,… More

  • What is a brute force attack?

    A brute force attack is a type of cyberattack where the attacker uses an automated system to try different combinations of username and password until they find the correct combination. This can be done by using a dictionary of common words or by using a list of common passwords. The attacker will keep trying different… More

  • SQL Injection Found And Fixed In Slimstat Analytics and Paid Memberships Pro

    During an internal audit of the Slimstat Analytics and Paid Memberships Pro plugins, The WPScan research team uncovered two SQL Injection vulnerabilities that could allow low‑privileged users like subscribers to leak sensitive information from a site’s database. If exploited, the vulnerability might grant attackers access to privileged information from impacted sites’ databases, such as usernames and… More

  • WordPress Black Box Testing Basics

    If you’re a security researcher looking for a thorough testing method, black box testing should be at the top of your list. Involving an outside perspective to test an application’s or system’s core functionality and security, black box testing is becoming increasingly popular among organizations that need to ensure their infrastructure can withstand any breach attempt.… More

  • Fake plugin affecting WordPress sites

    Bad actors are abusing leaked and compromised credentials to install core-stab fake plugin on WordPress sites. More

  • WordPress VIP Adds WPScan to Codebase Manager

    WordPress VIP, Automattic’s managed WordPress hosting platform for enterprise and large‑scale websites, is excited to announce they have incorporated WPScan into the WordPress VIP Codebase Manager. WPScan’s market‑leading security technology brings enhanced, proactive protection and threat detection for WordPress VIP enterprise customers, including continuous monitoring of existing plugins and alerts for potential vulnerabilities. Improved security empowers customers… More

  • Protecting your WordPress website against SQL injection attacks

    If you own a WordPress website, then chances are you’ve heard of SQL injections in WordPress. These malicious attacks can wreak havoc on your website and leave it vulnerable to hackers. Fortunately, there are steps you can take to protect your website from the threat of a WordPress SQL injection attack. Let’s explore what is… More

Blog at WordPress.com.