2J SlideShow < 1.3.40 – Authenticated Arbitrary Plugin Deactivation


Contextual Adminbar Color < 0.3 – Authenticated Stored Cross-Site Scripting Issue


Batch-Move Posts <= 1.5 – Broken Authentication leading to Unauthenticated Stored XSS


Marketo Forms and Tracking <= 1.0.2 – CSRF to XSS


Resim Ara <= 3.0 – Unauthenticated Reflected XSS


How to eliminate false positives in file integrity monitoring on WordPress

File integrity monitoring (FIM) allows you to quickly detect file changes on your WordPress site. It is an important part of securing a WordPress site and the way it works is very simple: it compares baseline cryptographic hashes to the current hash of the monitored files. When a change happens, you get an alert. However, there is a major problem with unsophisticated approaches to file integrity monitoring: false positives (aka false alarms). Not all file changes on a WordPress website are harmful, or a sign of an attack. Many are harmless and expected parts of maintenance. So false positives lead […]

Chained Quiz < – Reflected XSS


WP Database Reset < 3.15 – Privilege Escalation


WP Database Reset < 3.15 – Unauthenticated Database Reset


Easily Exploitable Vulnerabilities Patched in WP Database Reset Plugin

On January 7th, our Threat Intelligence team discovered vulnerabilities in WP Database Reset, a WordPress plugin installed on over 80,000 websites. One of these flaws allowed any unauthenticated user to reset any table from the database to the initial WordPress set-up state, while the other flaw allowed any authenticated user, even those with minimal permissions, to grant their account administrative privileges while dropping all other users from the table with a simple request. These are considered critical security issues that can cause complete site reset and/or takeover. We highly recommend updating to the latest version (3.15) immediately. Wordfence […]