WP Site Protect 1.0 – Cross-Site Scripting (XSS)


Dave’s WordPress Live Search <= 4.5 – Reflected Cross-Site Scripting (XSS)


Site Editor <= 1.1.1 – Local File Inclusion (LFI)


Super Socializer

Proof of Concept

// Steps:
// Fill in these 3 variables
var url = 'http://my-site.com/wordpress/', // website url. Closing slash required
    email = 'john.doe@my-site.com', // The admin email address to exploit
    nonce = 'e86377d05a'; // View the source of the login page: http://my-site.com/wordpress/wp-login.php and search for `security`. Copy the nonce value here. Ex.: var the_champ_sl_ajax_token = {"ajax_url":"http://my-site.com/wordpress/wp-admin/admin-ajax.php","security":"e86377d05a"};
// Click on Run in JsFiddle and

WP Job Manager <= 1.29.2 – Unauthenticated Object Injection


WP Support Plus Responsive Ticket System <= 9.0.2 – Multiple Authenticated SQL Injection


Ask Wordfence: Why Is an Insignificant Site Like Mine Being Attacked?

This entry was posted in Ask Wordfence, WordPress Security on March 14, 2018 by Dan Moen.

This question came in from Keith, a Premium Wordfence customer. We've dealt with this question a few times in different ways on the blog, but pulling it all together sounds like a great post. Let's dive in! At a high level, an attacker views

PSA: Replace Your SSL/TLS Certs by Symantec, Thawte, VeriSign, Equifax, GeoTrust and RapidSSL

This entry was posted in General Security, WordPress Security on March 12, 2018 by Mark Maunder.

This is a public service announcement and a reminder to site owners. Google's Chrome browser has already started the process of ending support for Symantec SSL/TLS certificates. This includes companies owned by Symantec including Thawte, Verisign, Equifax, GeoTrust and RapidSSL. Chrome 66 is ending support

WP Retina 2x <= 5.2.0 – Cross-Site Scripting (XSS)


Import any XML or CSV File to WordPress <= 3.4.6 – Cross-Site Scripting (XSS)