Zero-Day RCE in vBulletin v5.0.0-v5.5.4

A new remote code execution (RCE) zero-day vulnerability has been disclosed by an anonymous researcher on the Full Disclosure mailing list this past Monday. This vulnerability is extremely severe. It allows any website visitors to run PHP code and shell commands on the site’s underlying server. Am I At Risk? At the time of writing this, More Info »

Joomla! Security Best Practices: 12 Ways to Keep Joomla! Secure

At Sucuri, we’re often asked how website owners and webmasters can secure their websites. However, most advice can often be too broad; different content management systems (CMS) exist in this ecosystem, and each requires a unique security configuration. This is why we have an application profiling engine in the Sucuri Firewall that adapts to the More Info »

Joomla! Security Best Practices: 12 Ways to Keep Joomla! Secure

At Sucuri, we’re often asked how website owners and webmasters can secure their websites. However, most advice can often be too broad; different content management systems (CMS) exist in this ecosystem, and each requires a unique security configuration. This is why we have an application profiling engine in the Sucuri Firewall that adapts to the More Info »

Fake SSO Used In Multi-Email Provider Phishing

Single sign-on (SSO) allows users to sign into a single account (e.g Google) and access other services like YouTube or Gmail without authenticating with a separate username and password. This feature also extends to third party services such as the popular Dropbox file sharing application, which offers users the option to access their account using More Info »

Fake Human Verification Spam

We recently released an update to our Labs Knowledgebase for new plugins that had been targeted during the month of July 2019. One of these newly targeted plugins was Advanced Booking Calendar — and it didn’t take long before we were receiving clean up requests for websites that had already been exploited through this plugin. More Info »

Misuse of WordPress update_option() function Leads to Website Infections

In the past four months, Sucuri has seen an increase in the number of plugins affected by the misuse of  WordPress’ update_option() function. This function is used to update a named option/value in the options database table. If developers do not implement the permission flow correctly, attackers can gain admin access or inject arbitrary data More Info »

Dissecting the WordPress 5.2.3 Update

Last week, WordPress released version 5.2.3 which was a security and maintenance update, and as such, contained many security fixes. Part of our day to day work is to analyse these security releases, discover what security issue it is fixing and come up with a Proof of Concept for further internal testing. Based on our More Info »

How to Audit & Cleanup WordPress Plugins & Themes

In an interview with Smashing Magazine our CoFounder (now Head of Security Products at GoDaddy) Tony Perez was asked the following question. What Makes WordPress Vulnerable? “Here’s the simple answer. Old versions of WordPress, along with theme and plugin vulnerabilities, multiplied by the CMS’ popularity, with the end user thrown into the mix, make for More Info »