Stolen Payment Data: Infected Ecommerce Website to Darknet Markets
The final actor of the stolen payment data supply chain is the end user. Rather than just selling or reselling payment data, the end user plans on fraudulently monetizing it. This malicious end user typically buys payment data in limited quantities, since:
The price per stolen data greatly increases from when it was originally sold by the source.
There’s an unknown amount of time until the financial institution revokes the issued stolen data.
Continue reading Stolen Payment Data: Infected Ecommerce Website to Darknet Markets at Sucuri Blog.

Appointment Hour Booking <= 1.1.45 – Stored Cross-Site Scripting (XSS)

WordPress Vulnerability Roundup: July 2019, Part 1
New WordPress plugin and theme vulnerabilities were disclosed during the first half of this month, so we want to keep you aware. We divide the WordPress Vulnerability Roundup into four different categories:
1. WordPress core
2. WordPress Plugins
3. WordPress Themes
4. Breaches From Around the Web
*We include breaches from around the web because it is essential to also be aware of vulnerabilities outside of the WordPress ecosystem. Exploits to server software can expose sensitive data. Database breaches can expose the credentials for the users on your site, opening the door for attackers to access your site.
WordPress Core […]

Ultra Simple Paypal Shopping Cart <= 4.4 – Cross-Site Request Forgery (CSRF)

The Cost of a Hacked Website – Survey
As part of our commitment to the website security community, we want to know the true impacts of a website compromise from the owner’s perspective. If you are a business that has dealt with any type of website attack, your participation in this six-minute survey will help us improve our services and support website owners like yourself. Be on the lookout for our results summary later this summer!
Continue reading The Cost of a Hacked Website – Survey at Sucuri Blog.

Critical Vulnerability Patched in Ad Inserter Plugin
Description: Authenticated Remote Code Execution
Affected Plugin: Ad Inserter
Affected Versions: <= 2.4.21
CVSS Score: 9.9 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
On Friday, July 12th, our Threat Intelligence team discovered a vulnerability present in Ad Inserter, a WordPress plugin installed on over 200,000 websites. The weakness allowed authenticated users (Subscribers and above) to execute arbitrary PHP code on websites using the plugin. We privately disclosed the issue to the plugin’s developer, who released a patch the very next day. This is considered a critical security issue, and websites running Ad Inserter 2.4.21 or below should be updated to version 2.4.22 right away. On the same […]

Podcast Episode 29: iThemes Security Creator Chris Wiegman on Flying, Plugins & Developer Tools
At WordCamp Atlanta, Mark sat down with Chris Wiegman, the creator of Better WP Security. Now known as iThemes Security, it is installed on over 900,000 WordPress sites. Chris talks about his experiences as a flight captain flying over the Hawaiian islands and what happened when an earthquake occurred shortly after takeoff. He also talks about why he created Better WP Security, the process of selling the plugin to iThemes and the tools he’s created in his new role at WP Engine. He describes his move from iThemes to WP Engine as “the move I didn’t know I needed to […]

Ad Inserter <= 2.4.19 – Authenticated Path Traversal

Hybrid Composer <= 1.4.6 – Unauthenticated Options Update

FV Flowplayer Video Player <= – SQL Injection