  • Object Injection vulnerability fixed in SEOPress 7.9

    During a routine audit of various WordPress plugins, we identified a few issues in SEOPress (300k+ active installs). More specifically, we discovered an authentication bug that could allow attackers to access certain protected REST API routes without having any account on the targeted site. Digging deeper into what an attacker could do with this… More

  • 10 of the Best Website Security Tools to Stay Ahead of Hackers

    Which website security tools are really necessary for your site? What to consider before investing in new software. 10 must-have tools you can’t skip. More

  • The 10 Best Vulnerability Scanners for Effective Web Security

    7 factors for choosing the best vulnerability scanner. Top options compared on features, pros, cons, and pricing. 5 things that make a great scanner. More

  • A persistent twist in the current Malware Campaign

    Recently, while covering the malware campaigns exploiting the LiteSpeed Cache and WP-Automatic WordPress plugins, we found that attackers were installing php-everywhere, a plugin that lets users run arbitrary PHP code inside their site's posts. This plugin was closed on April 25th at its author's request. The reasoning behind this installation was to have persistent malware on the… More

  • Surge of JavaScript Malware in sites with vulnerable versions of LiteSpeed Cache Plugin

    If you have recently found an admin user named wpsupp-user on your website, the site is affected by this wave of infections. Identifying Contamination Signs: the malware typically injects code into critical WordPress files, or into the database when a vulnerable version of LiteSpeed Cache is exploited (the injected code and its decoded version are shown in the full post). Cleanup Procedures. Identifying Malicious URLs and IPs… More
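    The two indicators named in the excerpts above, the rogue administrator login wpsupp-user and the closed php-everywhere plugin used for persistence, are easy to check for mechanically. The script below is an added example written for this page, not code from WPScan or from the posts; it assumes the JSON field names that `wp user list --format=json` and `wp plugin list --format=json` emit (`user_login`, `user_registered`, `roles`, `name`), and the sample data embedded in it is constructed, not taken from a real site. Beyond the literal IoCs it also flags any administrator account registered after a baseline date you supply, since the campaign creates admin users.

```python
"""Triage a WordPress site for the persistence indicators named in the posts above.

Hypothetical helper (not from the original posts). Input is the JSON printed by
`wp user list --format=json` and `wp plugin list --format=json`. It flags:
  1. the known rogue admin login `wpsupp-user`,
  2. any other administrator registered after a clean-up baseline date,
  3. the closed `php-everywhere` plugin dropped for persistence, whatever its status.
"""
import json
from datetime import datetime

ROGUE_LOGINS = {"wpsupp-user"}            # IoC from the LiteSpeed Cache campaign
PERSISTENCE_PLUGINS = {"php-everywhere"}  # closed plugin installed for persistence

# Constructed sample output of `wp user list --format=json` (not real site data).
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-02 10:00:00", "roles": "administrator"},
    {"ID": 2, "user_login": "editor1", "user_registered": "2022-07-14 09:12:00", "roles": "editor"},
    {"ID": 7, "user_login": "wpsupp-user", "user_registered": "2024-04-28 03:41:17", "roles": "administrator"},
    {"ID": 8, "user_login": "backup-svc", "user_registered": "2024-04-28 03:42:05", "roles": "administrator"},
])

# Constructed sample output of `wp plugin list --format=json` (not real site data).
SAMPLE_PLUGINS = json.dumps([
    {"name": "litespeed-cache", "status": "active", "update": "available", "version": "5.6"},
    {"name": "php-everywhere", "status": "active", "update": "none", "version": "3.0.0"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
])


def _registered(user):
    """Parse the wp-cli `user_registered` timestamp (UTC, 'YYYY-MM-DD HH:MM:SS')."""
    return datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")


def suspicious_users(users_json, baseline):
    """Return (login, reason) pairs worth a closer look.

    `baseline` is the last date ('YYYY-MM-DD') the admin list was known to be clean;
    wp-cli reports multiple roles as a comma-separated string, hence the split."""
    cutoff = datetime.strptime(baseline, "%Y-%m-%d")
    findings = []
    for u in json.loads(users_json):
        roles = set(u.get("roles", "").split(","))
        if u["user_login"] in ROGUE_LOGINS:
            findings.append((u["user_login"], "known IoC login"))
        elif "administrator" in roles and _registered(u) > cutoff:
            findings.append((u["user_login"], "administrator registered after baseline"))
    return findings


def persistence_plugins(plugins_json):
    """Return installed plugins matching the persistence IoC, active or not."""
    return [p["name"] for p in json.loads(plugins_json) if p["name"] in PERSISTENCE_PLUGINS]


def triage(users_json, plugins_json, baseline):
    """Combine both checks into one report dict."""
    return {"users": suspicious_users(users_json, baseline),
            "plugins": persistence_plugins(plugins_json)}


if __name__ == "__main__":
    report = triage(SAMPLE_USERS, SAMPLE_PLUGINS, "2024-04-01")
    for login, why in report["users"]:
        print(f"user {login}: {why}")
    for name in report["plugins"]:
        print(f"plugin {name}: remove; closed plugin used for persistence")
```

    On a live site, feed it the real wp-cli output (for example `wp user list --format=json > users.json`) and pick the baseline from your last known-good backup; a hit on `wpsupp-user` or on `php-everywhere` is a confirmed indicator, while a post-baseline administrator only tells you which accounts to verify with the site owner before deleting.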

  • New Malware Campaign Targets WP-Automatic Plugin

    A few weeks ago a critical vulnerability was discovered in the plugin WP-Automatic. This vulnerability, a SQL injection (SQLi) flaw, poses a severe threat: attackers can exploit it to gain unauthorized access to websites, create admin-level user accounts, upload malicious files, and potentially take full control of affected sites. The Vulnerability: the vulnerability lies in… More

  • How to Secure Your Website: Top Tips From Enterprise Security Experts

    What tools do you really need to secure a website? How to stay on budget without compromising. The most serious threats and vulnerabilities. More

  • Unauthenticated Stored XSS Fixed in WordPress Core

    WordPress Core recently released v6.5.2, fixing a Stored Cross-Site Scripting issue in the Avatar block present in the 6.x versions. While investigating the patch, we identified that, in the worst case, the issue could lead to Unauthenticated Stored Cross-Site Scripting; however, this case requires a specific configuration. Versions 6.5.2, 6.4.4, 6.3.4, 6.2.5, 6.1.6… More

  • What is an SQL Injection (SQLi)? How to Prevent SQLi Attacks

    Are your systems vulnerable? Everything you need to know about SQL injection attacks. See examples and learn how to detect and prevent them. More

  • The 16 Most Common Web Application Vulnerabilities Explained

    Did you know about all of these web application vulnerabilities? See how to defend against most threats in just 5 steps. Top tools for experts. More

Blog at WordPress.com.