Stored XSS in MyBB
The open source PHP forum software myBB recently published a new update, version 1.8.21. This is a security release fixing a Stored XSS vulnerability in the private messaging and post modules. What Are the Risks? Unpatched websites could allow bad actors to send booby-trapped posts or private messages to users. These would execute rogue JavaScript code when opened, momentarily giving the attacker’s scripts all privileges to the targeted account. If administrators are targeted, successful attacks could trick their browser into hacking their own site by executing code on the server and grant full power over the site to the assailants. […]

FTP Logs Used to Determine Attack Vector
Logs can be very useful because they are a record of what was done by whom. They are especially useful when you need to find out more on how a website has been compromised. Since our job at Sucuri is to clean website malware, we don’t have any access to logs, or what we can see is very limited. However, to help make the internet a safer place, we like to extend ourselves and conduct some forensics to investigate how some accounts are compromised. Continue reading FTP Logs Used to Determine Attack Vector at Sucuri Blog.

Return to the City of Cron – Malware Infections on Joomla and WordPress
We recently had a client that had a persistent malware infection on their shared hosting environment that would re-infect the files quickly after we had cleaned them. The persistence was being created by a cron that was scheduled to download malware from a third party domain. Persistent Malware Infection on WordPress and Joomla Websites This persistent website malware infection made us remember a blog post we posted back in 2014. As it turns out, the malware operated almost identically — and in this more recent case, it was infecting a WordPress website. Continue reading Return to the City of Cron […]

Free Website Security Consultation for GoDaddy Pros
Sucuri is partnering with GoDaddy Pro to make the internet more secure, one website professional at a time. Developers, designers, agencies, and freelancers now have an exclusive avenue to level up security knowledge and differentiate their businesses from the competition. GoDaddy Pro helps web developers and designers save time and money while managing multiple websites. The free membership includes extensive training materials, automation of routine maintenance tasks, and consolidated client management tools. Continue reading Free Website Security Consultation for GoDaddy Pros at Sucuri Blog.

Persistent XSS via CSRF in WP Meta and Date Remover
During regular research audits for our Sucuri Firewall (WAF), we discovered a Cross Site Request Forgery (CSRF) leading to a persistent Cross Site Scripting vulnerability affecting 70,000+ users of the WP Meta and Date Remover plugin for WordPress. Disclosure / Response Timeline: April 30 – Initial contact attempt May 07 – Patch is live Are You at Risk? This vulnerability requires some level of social engineering to be exploited. Continue reading Persistent XSS via CSRF in WP Meta and Date Remover at Sucuri Blog.

Replica Spam on Poorly Maintained ASP Site
Although the majority of sites we work on are powered by PHP, we still have clients whose sites use other programming languages. The other day we cleaned an ASP site where we found a web.config file (the ASP.NET version of .htaccess) with these instructions: <configuration>    <system.webServer>        <defaultDocument enabled=”true”>            <files>                <clear />                <add value=”view.asp” />                <add value=”Default.asp” />                <add value=”index.htm” />                <add value=”index.html” />                <add value=”iisstart.htm” />                <add value=”default.aspx” />                <add value=”index.asp” />                <add value=”index.aspx” />            </files>        </defaultDocument> … Continue reading Replica Spam on Poorly Maintained ASP Site at Sucuri Blog.

Cronjob Backdoors
Attackers commonly rely on backdoors to easily gain reentry and maintain control over a website. They also use PHP functions to further deepen the level of their backdoors. A good example of this is the shell_exec function which allows plain shell commands to be run directly through the web application, providing attackers with an increased level of control over the environment. Backdoor in Cron While investigating a client with repeated website infections, we came across a scenario where a cron job was being used to reinfect the site. Continue reading Cronjob Backdoors at Sucuri Blog.

Insufficient Privilege Validation in WooCommerce Checkout Manager
Due to the poor handling of a vulnerability disclosure, a new attack vector has appeared for the WooCommerce Checkout Manager WordPress plugin and is affecting over 60,000 sites. If you are using this plugin, we recommend that you update it to version 4.3 immediately. As we’ve seen some exploit attempts occurring in the wild, we feel it is a good time to describe what the issue is. Current State of the Vulnerability This arbitrary file upload vulnerability was made public a few weeks ago and has recently been patched. Continue reading Insufficient Privilege Validation in WooCommerce Checkout Manager at Sucuri […]

Typo 3 Spam Infection
Here at Sucuri most of the malware that we deal with is on CMS platforms like: WordPress, Joomla, Drupal, Magento, and others. But every now and then we come across something a little different. Blackhat SEO Infection in Typo3 Just recently, I discovered a website using the Typo3 CMS that had been infected with a blackhat SEO spam infection: Typo3 CMS Before I begin, according to, Typo3 is currently the 8th most widely used CMS platform on the web, so I’m surprised I had never seen an infection with this software before, but it looks like over half a […]

Plugins Added to Malicious Campaign
We continue to see an increase in the number of plugins attacked as part of a campaign that’s been active for quite a long time. Bad actors have added more vulnerable plugins to inject similar malicious scripts. Plugins Added to the Attack Download WP Inventory Manager (version <= 1.8.2) Woocommerce User Email Verification.  (version <= 3.3.0  **Still Not Fixed**) Attackers are trying to exploit vulnerable versions of these plugins. Continue reading Plugins Added to Malicious Campaign at Sucuri Blog.