Easy Table – Authenticated Stored Cross-Site Scripting (XSS)

https://wpvulndb.com/vulnerabilities/8737

SEO is one of the primary reasons websites get hacked

https://secupress.me/blog/website-hacked-for-seo-spam/
Did you think hackers were just nefarious for the sake of being nefarious? That’s not the case. Google makes it clear in their webmaster channel that SEO is a big motivator for hackers. Once hackers get into your WordPress, it can be very tricky to remove their code. Another thing to keep in mind is that most black SEO experts go

Why Would a Malicious Hacker Target Your WordPress?

https://www.wpwhitesecurity.com/wordpress-security/why-malicious-hacker-target-wordpress/
We’ve all heard it on the news; hackers want to hack websites to steal credit card and confidential user information for their own financial gains. So why on earth would anyone want to hack into your hobby WordPress website about cute little kittens, or your small business website, even when it does not hold any sensitive information? The hacking to steal

WordPress Shutdowns Discussion of Their Refusal to Warn About Unfixed Vulnerable Plugins

https://www.pluginvulnerabilities.com/2017/02/17/wordpress-shutdowns-discussion-of-their-refusal-to-warn-about-unfixed-vulnerable-plugins/
Since 2012 we have been trying to get WordPress to start warning webmasters when their websites are using plugins that have been removed from the Plugin Directory due to security issues (and notify people in general that they are using plugins that have been removed from it). In the past WordPress’ position was that they were working on implementing this, but as of

Reflected Cross-Site Scripting (XSS) Vulnerability in Time Sheets

https://www.pluginvulnerabilities.com/2017/02/17/reflected-cross-site-scripting-xss-vulnerability-in-time-sheets/
We recently found that the Time Sheets plugin contains a reflected cross-site scripting (XSS) vulnerability on one of the plugin's admin pages, Old Timesheets. As of version 1.3.1, in the file /entry.php the GET inputs "start_date", "end_date", and "include_completed" were echoed out without being sanitized or escaped to prevent malicious code from being placed on the page: $start_date = $_GET['start_date']; $end_date
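The pattern the excerpt describes, an admin page that echoes GET parameters straight into its markup, is shown below next to a hardened version. This is an added example written for this page; it is not code from the Time Sheets plugin, and the form markup and function names are hypothetical. Only the parameter names start_date, end_date and include_completed are taken from the excerpt.

```php
<?php
// Added example, not the Time Sheets plugin's own code. The admin page shown
// here is hypothetical; only the parameter names come from the advisory excerpt.

// Vulnerable pattern: GET input is echoed straight into an attribute value.
// A crafted link such as
//   wp-admin/admin.php?page=old-timesheets&start_date=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
// closes the attribute and runs script in the context of whichever admin
// follows the link (reflected XSS needs a victim to open the URL).
function ts_filter_form_vulnerable() {
    $start_date = $_GET['start_date'];
    $end_date   = $_GET['end_date'];
    echo '<input type="text" name="start_date" value="' . $start_date . '">';
    echo '<input type="text" name="end_date" value="' . $end_date . '">';
}

// Hardened pattern: default missing inputs, validate the expected shape, and
// escape at the output sink with the helper that matches the HTML context.
function ts_filter_form_hardened() {
    $start_date = isset( $_GET['start_date'] ) ? sanitize_text_field( wp_unslash( $_GET['start_date'] ) ) : '';
    $end_date   = isset( $_GET['end_date'] ) ? sanitize_text_field( wp_unslash( $_GET['end_date'] ) ) : '';
    $include_completed = isset( $_GET['include_completed'] ) && '1' === $_GET['include_completed'];

    // Dates must look like YYYY-MM-DD; anything else is dropped, never echoed.
    $date_re = '/^\d{4}-\d{2}-\d{2}$/';
    if ( ! preg_match( $date_re, $start_date ) ) {
        $start_date = '';
    }
    if ( ! preg_match( $date_re, $end_date ) ) {
        $end_date = '';
    }

    // esc_attr() is the escaping step that actually prevents breaking out of
    // the value="" attribute; the sanitize/validate steps above only narrow input.
    echo '<input type="text" name="start_date" value="' . esc_attr( $start_date ) . '">';
    echo '<input type="text" name="end_date" value="' . esc_attr( $end_date ) . '">';
    echo '<input type="checkbox" name="include_completed" value="1"' . checked( $include_completed, true, false ) . '>';
}
```

The point a reviewer would check is the sink, not the source: sanitize_text_field() on the way in is not a substitute for esc_attr() (or esc_html() in element content) on the way out, and the allow-list regex turns a free-text input into a value that cannot carry markup at all.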

Open Redirect Vulnerability in GTranslate

https://www.pluginvulnerabilities.com/2017/02/17/open-redirect-vulnerability-in-gtranslate/
Recently, while looking into what turned out to be unrelated probing by a hacker for WordPress plugins, we took a look at the plugin GTranslate and found that it has an open redirect vulnerability. In the file /url_addon/gtranslate.php a redirect will occur if two variables are the same: if($glang
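An open redirect of the kind described above, and the check that closes it, as an added example. This is not GTranslate's code: the handler, the parameter name and the function names are hypothetical, and the only thing taken from the excerpt is the shape of the bug (a redirect whose target is controlled by the request).

```php
<?php
// Added example, not GTranslate's own code. Handler and names are hypothetical.

// Vulnerable pattern: the Location target comes straight from the request.
// A link such as /url_addon/redirect.php?url=https://evil.example/login looks
// like it points at the trusted site but sends the visitor elsewhere, which is
// exactly what a phishing page wants.
function gt_redirect_vulnerable() {
    header( 'Location: ' . $_GET['url'] );
    exit;
}

// Decide whether a client-supplied redirect target stays on an allowed host.
// Accepts absolute paths on this site and http(s) URLs whose host is listed.
function gt_is_safe_redirect( $url, array $allowed_hosts ) {
    // Protocol-relative ("//evil.example") and backslash variants are rejected
    // before parsing, because browsers treat both as absolute URLs.
    if ( preg_match( '#^\s*(//|\\\\)#', $url ) ) {
        return false;
    }
    $parts = parse_url( $url );
    if ( false === $parts ) {
        return false;
    }
    // No scheme and no host: must be a path rooted at "/" on this site.
    if ( ! isset( $parts['scheme'] ) && ! isset( $parts['host'] ) ) {
        return isset( $parts['path'] ) && '/' === substr( $parts['path'], 0, 1 );
    }
    // Absolute URL: only http(s), and only to an allow-listed host.
    if ( ! isset( $parts['scheme'] ) || ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false;
    }
    return isset( $parts['host'] ) && in_array( strtolower( $parts['host'] ), $allowed_hosts, true );
}

// Hardened pattern: validate the target, fall back to the home page, and
// hand off to wp_safe_redirect(), which also enforces allowed_redirect_hosts.
function gt_redirect_hardened() {
    $url     = isset( $_GET['url'] ) ? wp_unslash( $_GET['url'] ) : '/';
    $allowed = array( strtolower( parse_url( home_url(), PHP_URL_HOST ) ) );
    if ( ! gt_is_safe_redirect( $url, $allowed ) ) {
        $url = home_url( '/' );
    }
    wp_safe_redirect( $url );
    exit;
}
```

With this check, "/en/about", "https://example.com/page" (for a site on example.com) pass, while "https://evil.example/", "//evil.example", "javascript:alert(1)" and "http:evil.example" are all replaced by the home URL. Comparing two request-controlled values against each other, as the excerpt suggests the vulnerable code does, is not validation; the target has to be compared against something the attacker does not control.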

WordPress Security – Fake TrafficAnalytics Website Infection

http://feedproxy.google.com/~r/sucuri/blog/~3/scsaHEscVcQ/fake-trafficanalytics-website-infection.html
Several months ago, our research team identified a fake analytics infection, known as RealStatistics. The malicious Javascript injection looks a lot like tracking code for a legitimate analytics service. RealStatistics even set up fake analytics websites designed to trick webmasters who took a few steps to investigate the unfamiliar script. Recently, a new variation of this type of infection has

Arbitrary File Download Vulnerability in WP Hide Security Enhancer 1.3.9.2

https://secupress.me/blog/arbitrary-file-download-vulnerability-in-wp-hide-security-enhancer-1-3-9-2/
About Julio Potier. All of Julio Potier's posts. Co-founder of WP Media, a French startup of 14 enthusiasts known for WP Rocket and Imagify. Julio is also co-organiser of WordCamp Paris. A compulsive speaker and WordPress expert, he has specialised in security for years and contributes to WordPress in various ways.

Wordfence In Depth: How Malware Becomes Scan Signatures

https://www.wordfence.com/blog/2017/02/malware-to-scan-signatures/
This entry was posted in Research, Wordfence on February 16, 2017 by Mark Maunder. One of the most effective ways the Wordfence team keeps the WordPress community and customers secure is through something we call the 'Threat Defense Feed'. This is a combination of people, software, business processes and data. It's an incredibly effective way to keep hackers

Applying the Lessons of Recent WordPress Defacements to the Handling of Plugins on Your Website

https://www.pluginvulnerabilities.com/2017/02/13/applying-the-lessons-of-recent-wordpress-defacements-to-the-handling-of-plugins-on-your-website/
Recently quite a few WordPress websites (though not as many as the inflated claims by Wordfence and other security companies would have you believe) have been defaced due in large part to improper handling of security by the webmasters of those websites. While an exploitable vulnerability existed in 4.7.0 and 4.7.1, most websites running WordPress 4.7 at the time were protected