The Complete Checklist for WordPress Security Leaders
Automattic, the parent company of WPScan, hosts many of the biggest websites on the web, and security is one of our highest priorities. What follows is our checklist for security leaders. It covers: Best Practices for Your WordPress Website; Essential Tips for WordPress Plugin Security; General Password Hygiene; Web Security Guidelines; Computer Security Recommendations; Guidelines for Phones and Tablets. Phew. That's it. Did
Vulnerabilities Discovered in the 3DPrint Premium Plugin
The premium version of the WordPress plugin 3DPrint is vulnerable to Cross-Site Request Forgery (CSRF) and directory traversal when its file manager functionality is enabled. We are also sharing information on these vulnerabilities on the Jetpack blog. Together they allow an attacker to delete, or gain access to, arbitrary files and directories
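The two missing controls the advisory describes, as an added example that is not code from the 3DPrint plugin or from WPScan: a file-manager "delete" handler that requires a CSRF token bound to the session and the action, and that refuses any user-supplied path resolving outside the upload root. The upload root, the server-side secret and the session ids are constructed for the example; a real WordPress plugin would use wp_create_nonce / wp_verify_nonce where the HMAC token stands in here.

```ruby
require 'openssl'

# Added example for the 3DPrint advisory above; it is not code from the plugin
# or from WPScan. It models a file-manager "delete" endpoint with the two
# controls whose absence the advisory describes: a CSRF token bound to the
# session and the action, and a directory-containment check on the user path.
# BASE_DIR, CSRF_SECRET and the session ids are constructed for the example.
module FileManager
  BASE_DIR    = '/var/www/html/wp-content/uploads/3dprint'.freeze  # assumed upload root
  CSRF_SECRET = 'constructed-server-side-secret'.freeze             # assumed; never sent to the client

  # The pattern the advisory implies: join and go. "../" walks out of BASE_DIR,
  # and nothing stops the caller naming wp-config.php or anything else.
  def self.unsafe_path(user_path)
    File.join(BASE_DIR, user_path)
  end

  # Hardened: resolve against BASE_DIR, then require the result to stay
  # inside it. File.expand_path collapses "." and "..", and replaces BASE_DIR
  # entirely when user_path is absolute, so both traversal styles surface as
  # a path outside the root. It does not follow symlinks; use File.realpath
  # on an existing path if the upload directory may contain them.
  def self.contained_path(user_path)
    return nil unless user_path.is_a?(String)
    return nil if user_path.include?("\0")     # expand_path raises on NUL
    return nil if user_path.start_with?('~')   # expand_path expands "~" to a home directory
    resolved = File.expand_path(user_path, BASE_DIR)
    # The trailing separator matters: a bare prefix test would accept
    # ".../uploads/3dprint2/x" as being inside ".../uploads/3dprint".
    return nil unless resolved == BASE_DIR || resolved.start_with?(BASE_DIR + File::SEPARATOR)
    resolved
  end

  # CSRF token derived from the session and the action, so a token issued for
  # "download" cannot be replayed against "delete". (In WordPress this is the
  # job of wp_create_nonce / wp_verify_nonce; the HMAC here stands in.)
  def self.csrf_token(session_id, action)
    OpenSSL::HMAC.hexdigest('SHA256', CSRF_SECRET, "#{session_id}:#{action}")
  end

  # Constant-time comparison so the check does not leak the expected token
  # byte by byte through timing.
  def self.secure_equal?(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.valid_csrf?(session_id, action, token)
    secure_equal?(csrf_token(session_id, action), token)
  end

  # Returns [:ok, resolved_path] or [:error, reason]. The caller performs the
  # actual File.delete only on :ok; it is not done here so the example runs dry.
  def self.authorize_delete(session_id:, token:, user_path:)
    return [:error, :csrf] unless valid_csrf?(session_id, 'delete', token)
    path = contained_path(user_path)
    return [:error, :traversal] if path.nil?
    [:ok, path]
  end
end

if $PROGRAM_NAME == __FILE__
  t = FileManager.csrf_token('sess-1', 'delete')
  p FileManager.unsafe_path('../../../wp-config.php')
  p FileManager.authorize_delete(session_id: 'sess-1', token: t, user_path: 'models/part.stl')
  p FileManager.authorize_delete(session_id: 'sess-1', token: t, user_path: '../../../wp-config.php')
  p FileManager.authorize_delete(session_id: 'sess-1', token: 'forged', user_path: 'models/part.stl')
end
```

The containment check is done on the resolved path rather than by scanning the input for "../": encoded or mixed forms of the sequence are handled by the resolver, and an absolute input path fails the same test. The CSRF token is tied to the action as well as the session so that a token harvested from one form cannot drive the delete endpoint.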
A Note On CSV Injection Reports
We process a large number of submissions every day, some of which have a high impact on the WordPress ecosystem, and others less so. To ensure that our work effectively helps make the web a safer place, we have to prioritize the submissions we receive. As part of that, we'd like to clarify
A Note On 2FA Plugin Vulnerabilities
We've been alerted that certain vendors use suboptimal secret-management techniques to handle HOTP/TOTP encryption keys, which means the encryption adds no security value. Examples we've received include storing the encryption key in the database alongside the shared secret it encrypts, or using the same key for every site that runs the plugin. We
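The two designs the note contrasts, as an added example that is not code from any 2FA plugin: in the weak design the key that encrypts the OTP shared secret sits in the database next to the ciphertext (a vendor-wide constant key is the same design with the key in the plugin source instead, since anyone with the plugin has it); in the hardened design the key is derived per site from a secret that never enters the database, which for WordPress would be a wp-config.php constant such as AUTH_KEY. The attacker model is "can read a dump of the database", for instance via SQL injection or a leaked backup. The site secrets, the OTP secret and the derivation label are constructed for the example; the TOTP routine is there to show that recovering the shared secret is the same as being able to mint valid codes.

```ruby
require 'openssl'

# Added example for the 2FA note above; it is not code from any 2FA plugin.
# Weak design: encryption key stored in the database next to the ciphertext.
# Hardened design: per-site key derived from a secret kept outside the
# database (a wp-config.php constant in WordPress). Attacker model: read
# access to a database dump only. All secrets below are constructed.
module OtpSecretStore
  CIPHER = 'aes-256-gcm'.freeze

  def self.encrypt(key, plaintext)
    c = OpenSSL::Cipher.new(CIPHER)
    c.encrypt
    c.key = key
    iv = c.random_iv             # fresh 96-bit nonce per record
    c.auth_data = ''
    ct = c.update(plaintext) + c.final
    { iv: iv, ct: ct, tag: c.auth_tag }
  end

  # Returns the plaintext, or nil when the key is wrong or the record was
  # tampered with (the GCM tag check fails in both cases).
  def self.decrypt(key, rec)
    d = OpenSSL::Cipher.new(CIPHER)
    d.decrypt
    d.key = key
    d.iv = rec[:iv]
    d.auth_tag = rec[:tag]
    d.auth_data = ''
    d.update(rec[:ct]) + d.final
  rescue OpenSSL::Cipher::CipherError
    nil
  end

  # Weak design: the key is just another row of the same table, so whoever
  # reads the dump reads the key.
  def self.weak_store(totp_secret)
    key = OpenSSL::Random.random_bytes(32)
    { 'otp_secret_enc' => encrypt(key, totp_secret), 'otp_key' => key }
  end

  # Hardened design: key derived from an out-of-database, per-site secret.
  # Two sites running the same plugin code get unrelated keys.
  def self.site_key(site_secret)
    OpenSSL::HMAC.digest('SHA256', site_secret, 'otp-secret-encryption-v1')
  end

  def self.strong_store(totp_secret, site_secret)
    { 'otp_secret_enc' => encrypt(site_key(site_secret), totp_secret) }
  end

  # What an attacker holding only the dump can recover in each design.
  def self.recover_from_dump(dump)
    key = dump['otp_key']
    key ? decrypt(key, dump['otp_secret_enc']) : nil
  end

  # RFC 6238 TOTP over HMAC-SHA1 with a raw (not base32) secret. Whoever
  # holds the shared secret can produce the same codes as the user's app.
  def self.totp(secret, unix_time, step: 30, digits: 6)
    counter = [unix_time / step].pack('Q>')
    hmac = OpenSSL::HMAC.digest('SHA1', secret, counter)
    offset = hmac.bytes.last & 0x0f
    code = hmac.byteslice(offset, 4).unpack1('N') & 0x7fffffff
    format("%0#{digits}d", code % (10**digits))
  end
end

if $PROGRAM_NAME == __FILE__
  secret = OpenSSL::Random.random_bytes(20)           # constructed OTP shared secret
  weak   = OtpSecretStore.weak_store(secret)
  strong = OtpSecretStore.strong_store(secret, 'site-A-auth-key')
  puts "weak design, attacker code:   #{OtpSecretStore.totp(OtpSecretStore.recover_from_dump(weak), Time.now.to_i)}"
  puts "legitimate code:              #{OtpSecretStore.totp(secret, Time.now.to_i)}"
  puts "strong design, from dump:     #{OtpSecretStore.recover_from_dump(strong).inspect}"
end
```

Deriving the key from the out-of-database secret with a fixed label, rather than using that secret directly, keeps the key separate from whatever else the same constant is used for and makes rotation a matter of changing one constant and re-encrypting the stored secrets.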
Writing Good Submissions
We receive a non-negligible number of submissions every day. We model the risk they represent for site owners, work out what privilege is required to exploit the issue successfully, and forward the information to plugin and theme authors so they can fix it. This can get pretty time-consuming, especially when we need to scavenge
WPScan Acquired by Automattic
We are very excited to let you know that WPScan will be joining Automattic! WPScan has been working on improving the WordPress security ecosystem for over 10 years. During that time we released our wildly popular WordPress security scanner. We then developed and released the WordPress vulnerability database, where we triage and record hundreds of WordPress
What is Attack Surface Mapping?
Bit Discovery has been using the WPScan WordPress security scanner and the WPScan Enterprise API for some time to add WordPress scanning functionality to its offering. We thought it would be a good idea to introduce our readers to what Attack Surface Mapping is, and how organisations can benefit from it. To do this,
2021 Mid-Year WordPress Security Report: A Collaboration Between Wordfence and WPScan
WPScan has collaborated with Wordfence to conduct a 2021 mid-year review of the state of WordPress security. Using vulnerability data from WPScan's WordPress vulnerability database and attack data from Wordfence's internal threat intelligence platform, we were able to analyze the current trend of attacks on WordPress and assess the current state of WordPress-based software security.
Why Submit Vulnerabilities to WPScan
There are many reasons to submit WordPress core, plugin and theme vulnerabilities to the WPScan WordPress vulnerability database. We've listed just a few below! 1. Responsible Disclosure: Our team will help you with the responsible disclosure process. Submit the vulnerability details to us and we will ensure that the vulnerability is handled properly. We will
WordPress Vulnerability Statistics for July 2021
In this blog post we look at the vulnerabilities added to the WPScan WordPress Vulnerability Database in July 2021. The vulnerabilities were all hand curated and added to our database by WordPress security experts. They come from independent researchers in the security community who submit them to us via our