Ninja Forms <= 3.3.17 – Unauthenticated Cross-Site Scripting (XSS)

Real-Time Fine-Tuning of the WAF via API
Though the Sucuri Firewall is simple to set up and protects your website immediately, it’s possible to have granular control of the WAF by using an API. For instance, there’s a specific filter inside the WAF dashboard called Emergency DDoS. This filter increases the strength of the DDoS protection to an “emergency” level at which most non-human access is blocked. The Firewall API is mostly used for whitelisting and clearing the website cache. Continue reading Real-Time Fine-Tuning of the WAF via API at Sucuri Blog.

Hackers Change WordPress Siteurl to Pastebin
Last Friday, we reported on a hack that used a vulnerability in the popular WP GDPR Compliance plugin to change WordPress siteurl settings to erealitatea[.]net. At that time it was not clear who was behind the massive attack, since the erealitatea[.]net domain didn’t work and the infection simply broke the compromised sites. Our SiteCheck scanner detected the infection on about 700 sites over the weekend, and PublicWWW currently returns 573 results. Continue reading Hackers Change WordPress Siteurl to Pastebin at Sucuri Blog.

mTheme-Unus Theme – Local File Inclusion (LFI)

Accelerated Mobile Pages <= – Multiple Unauthenticated Vulnerabilities

Better WordPress reCAPTCHA <= 2.0.3 – Unauthenticated Cross-Site Scripting (XSS)

Erealitatea[.]net Hack Corrupts Websites with WP GDPR Compliance Plugin Vulnerability
We have noticed a growing number of WordPress-based sites that have had their URL settings changed to hxxp://erealitatea[.]net. Further investigations show that the issue is related to a security vulnerability in the WP GDPR Compliance plugin for WordPress (with 100,000+ active installations). The new General Data Protection Regulation (GDPR) laws in the EU have made the plugin extremely popular. Many sites are looking for an easy way to comply with these new laws, and adding this plugin is a simple solution for many website owners. Continue reading Erealitatea[.]net Hack Corrupts Websites with WP GDPR Compliance Plugin Vulnerability at Sucuri Blog.

Trends Emerging Following Vulnerability In WP GDPR Compliance Plugin
Earlier this week the WP GDPR Compliance plugin was briefly removed from the repository after the discovery of critical security issues impacting its users. In yesterday’s post, we provided some details regarding these issues and illustrated their severity. In the hours since that post was published, our team has continued tracking the adversaries seeking to exploit this new attack vector. Today, we’re sharing the findings of this extended research. This post is technical in nature and will be helpful for network defenders, developers and security researchers. This post is Copyright 2018 Defiant, Inc. and was published on the […]

Media File Manager <= 1.4.2 – Authenticated Multiple Vulnerabilities

WP GDPR Compliance <= 1.4.2 – Unauthenticated Call Any Action or Update Any Option