A Shifting Security Mindset

In the business world, cybersecurity has traditionally been viewed as a nice-to-have, rather than a mission-critical, organization-wide imperative. Transformation and growth simply haven’t shared the same conversation space as threat protection, privacy threats, and data breaches. In recent years, however, companies have begun to realize just how vulnerable they really are, and that they can … The post A Shifting Security Mindset appeared first on WP Engine.

Install OpenVAS (GVM) on Kali 2019

In this setup guide we step through the process of getting OpenVAS (GVM) running on Kali 2019. Installing OpenVAS on a Kali-based system is made much easier by the inclusion of a quick setup script. When using Kali Linux for OpenVAS scanning, resource usage should always be taken into account. Whether you are running Kali in a virtual machine or on bare metal, you will want sufficient memory and CPU available for the scanner to be optimised for speed (4 cores and 8 GB should be the minimum). If you are hoping to run large numbers of parallel […]

Smart Forms <= 2.5.15 – Cross-Site Request Forgery (CSRF)


Insufficient Privilege Validation in SiteGround Optimizer & Caldera Forms Pro

While investigating the SiteGround Optimizer and Caldera Forms Pro plugins we discovered a critical privilege escalation vulnerability. It was not being abused externally and impacts over 500,000 sites. Its urgency is defined by the associated DREAD score, which looks at damage, reproducibility, exploitability, affected users, and discoverability. A key contributor to the criticality of these vulnerabilities is that they are exploitable by any user (not restricted to privileged users, e.g., admins) and are easy to exploit remotely. Continue reading Insufficient Privilege Validation in SiteGround Optimizer & Caldera Forms Pro at Sucuri Blog.

FormCraft <= 1.2.1 – Cross-Site Request Forgery (CSRF)


WordPress 5.1.1 Security and Maintenance Release

WordPress 5.1.1 is now available! This security and maintenance release introduces 10 fixes and enhancements, including changes designed to help hosts prepare users for the minimum PHP version bump coming in 5.2. This release also includes a pair of security fixes that handle how comments are filtered and then stored in the database. With a maliciously crafted comment, a WordPress post was vulnerable to cross-site scripting. WordPress versions 5.1 and earlier are affected by these bugs, which are fixed in version 5.1.1. Updated versions of WordPress 5.0 and earlier are also available for any users who have not yet updated to […]

PCI for SMB: Requirement 10 & 11 – Regularly Monitor and Test Networks

Welcome to the seventh post of a series on understanding the Payment Card Industry Data Security Standard (PCI DSS). We want to show how PCI DSS affects anyone going through the compliance process using the PCI SAQs (Self-Assessment Questionnaires). In the previous articles written about PCI, we covered the following:

- Requirement 1: Build and Maintain a Secure Network – Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Build and Maintain a Secure Network – Do not use vendor-supplied defaults for system passwords or other security parameters
- Requirement 3 & 4: Secure Cardholder Data
- Requirement 5 & […]

Contact Form Email <= 1.2.65 – Multiple Cross-Site Scripting (XSS) & CSRF


XSS Vulnerability in Abandoned Cart Plugin Leads To WordPress Site Takeovers

Last month, a stored cross-site scripting (XSS) flaw was patched in version 5.2.0 of the popular WordPress plugin Abandoned Cart Lite For WooCommerce. The plugin, which we’ll be referring to by its slug woocommerce-abandoned-cart, allows the owners of WooCommerce sites to track abandoned shopping carts in order to recover those sales. A lack of sanitization on both input and output allows attackers to inject malicious JavaScript payloads into various data fields, which execute when a logged-in user with administrator privileges views the list of abandoned carts from their WordPress dashboard. At this time, any WordPress sites making use of woocommerce-abandoned-cart, […]

Spotlight on Women in Cybersecurity

Sucuri is committed to helping women develop their careers in technology. On International Women’s Day, Sucuri team members share their insights into working in cybersecurity.

Spotlight on Sucuri Women in Cybersecurity

We have asked some of the women who work at Sucuri 3 questions: What do you do at Sucuri? How did you decide to work with technology? What do you think the future looks like for women in cybersecurity? Continue reading Spotlight on Women in Cybersecurity at Sucuri Blog.