Blog

  • Two Vulnerabilities Fixed in Super Progressive Web Apps WordPress Plugin

    The WPScan WordPress security research team identified two serious vulnerabilities in the Super Progressive Web Apps WordPress plugin, affecting over 50,000 WordPress websites. Our users were warned about these vulnerabilities on June 29th, 2021, when they were added to our database. Authenticated (subscriber+) Arbitrary File Upload to RCE Description When the plugin’s Apple Touch Icons & Splash…

  • Why Admin XSS Is a Valid Security Issue

    By default, WordPress allows administrator and editor users to inject JavaScript into pages, posts, comments and widgets. This is because administrator and editor users have the unfiltered_html capability. Here at WPScan it is quite common to receive vulnerability reports via our submission form where the security researcher was not aware that administrator and editor users are…

  • Coding Mistake Leads to CSRF Bypass in 200,000+ WordPress Websites

    In March, the WPScan WordPress security research team discovered Cross‑Site Request Forgery (CSRF) protection bypasses in 37 WordPress plugins, affecting over 200,000 active WordPress websites. The vulnerabilities were responsibly disclosed, resulting in the 37 plugins either being patched or removed from the official WordPress plugin repository. Cross‑Site Request Forgery (CSRF) is a vulnerability that can allow an…