• WordPress 5.5.2 Security Release

    WordPress 5.5.2 was released on October 30th 2020, reportedly fixing 10 security vulnerabilities. Below are the vulnerabilities that were mentioned in the release notes and that have been added to the WPScan WordPress Vulnerability Database so far, including one from our very own security researcher, Erwan.

  • We have a new website!

    After several months' work we have launched our brand new website for the WPScan WordPress Vulnerability Database:

  • September 2020 Monthly Vulnerability Roundup

    WordPress Plugin Vulnerabilities
    - Slider by 10Web < 1.2.36 – Multiple Authenticated SQL Injection
    - WP Courses < 2.0.29 – Broken Access Controls leading to Courses Content Disclosure
    - Simple:Press < 6.6.1 – Broken Access Control leading to RCE
    - XCloner Backup and Restore < 4.2.153 – Cross-Site Request Forgery
    - XCloner Backup and Restore 4.2.1 – 4.2.12 – Unprotected AJAX Action
    - Drag and Drop…

  • On December 1st 2020 we will be closing WPScan.io (the SaaS)

    (We are not closing any of our other products or services, just the online WPScan.io SaaS!) WPScan.io started life in 2015 when we contracted a Rails development company to create a SaaS web front end on top of our WPScan CLI tool. Unfortunately, at that time, we only had the budget to complete around 50% of the work,…

  • August 2020 Monthly Vulnerability Roundup

    WordPress Plugin Vulnerabilities
    - Recall Products <= 0.8 – Authenticated Cross-Site Scripting
    - Recall Products <= 0.8 – Authenticated SQL Injection
    - WP Smart CRM & Invoices FREE <= 1.8.7 – Authenticated Stored Cross-Site Scripting
    - Ceceppa Multilingua <= 1.5.17 – Authenticated Reflected Cross-Site Scripting
    - Bulk Change <= 1.0 – Authenticated Reflected Cross-Site Scripting
    - WP Floating Menu < 1.4.1 – Authenticated Reflected Cross-Site Scripting
    - Subscribe…

  • July 2020 Monthly Vulnerability Roundup

    WordPress Plugin Vulnerabilities
    - Quiz And Survey Master < 7.0.0 – Authenticated Stored Cross-Site Scripting (XSS)
    - Gallery PhotoBlocks < 1.2.0 – Authenticated Cross-Site Scripting (XSS)
    - Comments – wpDiscuz 7.0.0 – 7.0.4 – Unauthenticated Arbitrary File Upload
    - WooCommerce Subscriptions < 2.6.3 – Unauthenticated Stored Cross-Site Scripting (XSS)
    - JobSearch < 1.5.6 – Unauthenticated Reflected XSS
    - Social Sharing Plugin < 1.2.10 – Cross-Site Request…

  • Installing WPScan

    This is a copy of the WPScan User Documentation. Please refer to the GitHub Wiki version for the most up to date information. Introduction WPScan is a free (for non-commercial use), black-box WordPress security scanner written for security professionals and blog maintainers to test the security of their sites. WPScan is written in the Ruby…

  • WordPress Security Scan

    WordPress is undisputedly the most popular Content Management System (CMS) in use today. The most commonly quoted figure, published by w3techs, puts WordPress at 37.7% of all websites (July 2020) and growing. It is no surprise then that WordPress is also the most targeted CMS by hackers. Despite what some believe, WordPress…

  • June 2020 Monthly Vulnerability Roundup

    WordPress Core Vulnerabilities
    - WordPress < 5.4.2 – Disclosure of Password-Protected Page/Post Comments
    - WordPress < 5.4.2 – Misuse of set-screen-option Leading to Privilege Escalation
    - WordPress < 5.4.2 – Authenticated XSS via Theme Upload
    - WordPress < 5.4.2 – Open Redirection
    - WordPress < 5.4.2 – Authenticated XSS via Media Files
    - WordPress < 5.4.2 – Authenticated XSS in Block Editor

  • WordPress 5.4.2 Security and Maintenance Release

    Yesterday, June 10th, WordPress released version 5.4.2, a security and maintenance release. Version 5.4.2 fixes 6 separate security issues: three authenticated Cross-Site Scripting (XSS) vulnerabilities, one potential Open Redirect vulnerability, one privilege escalation vulnerability, and one issue where comments on password-protected posts and pages could be exposed in certain…