The WordPress Slimstat plugin, which currently has over 100k installs, allows your website to gather analytics data for your WordPress website. It will track certain information such as the browser and operating system details, plus page visits to optimize the website analytics. Versions below 4.8.1 are affected by an unauthenticated stored XSS on the administrator More Info »
W97M/Downloader Malware Dropper Served from Compromised Websites
W97M/Downloader is part of a large banking malware operation that peaked in March 2016. Bad actors have been distributing this campaign for well over a year, which serves as a doorway to Vawtrak and Dridex banking trojans. This malware campaign targets a wide array of users via their operating system and browser to deliver the More Info »
Who is Responsible for the Security of Your Website?
On a daily basis at Sucuri, we hear things like: “My host takes care of my website security.” “I have never been hacked, so why should I care?” Or here’s a personal favorite: “I’ll take care of it if (when) it happens.” Let’s be honest, no one wants to think about the possibility of their More Info »
Persistent Cross-site Scripting in WP Live Chat Support Plugin
During a routine research audits for our Sucuri Firewall, we discovered an Unauthenticated Persistent Cross-Site Scripting (XSS) affecting 60,000+ users of the WP Live Chat Support WordPress plugin. Current State of the Vulnerability Though this security bug has been fixed in the 8.0.27 release, it can be exploited by an attacker without any account in More Info »
WordPress Plugin Give – Stored XSS for Donors
Give is a WordPress plugin which allows users to setup a donation page on a website. It currently has 60k installs. During a recent audit of the plugin, we found a severe vulnerability which allows donors to inject arbitrary code on an administrative page. If you are using a version lower than 2.4.7, you should More Info »
Multiple Vulnerabilities in the WordPress Ultimate Member Plugin
The Ultimate member plugin version 2.0.45 and lower is affected by multiple vulnerabilities, among them is a critical vulnerability allowing malicious users to read and delete your wp-config.php file, which can lead to a complete website takeover. All of our clients behind our website firewall are already protected, and are not at risk. The three More Info »
New Guide on the Sucuri Referral Program
Referral programs and affiliate marketing opportunities can be found on many web-based company sites, however, often they’re overlooked. Commonly people consider these programs as something that they, “should leave to the professionals”. We designed our new Referral Program Guide to give clear insight into affiliate marketing for both beginners and long-term affiliates. You don’t need to More Info »
Free Website Security Consultation for GoDaddy Pros
Sucuri is partnering with GoDaddy Pro to make the internet more secure, one website professional at a time. Developers, designers, agencies, and freelancers now have an exclusive avenue to level up security knowledge and differentiate their businesses from the competition. GoDaddy Pro helps web developers and designers save time and money while managing multiple websites. More Info »
Persistent XSS via CSRF in WP Meta and Date Remover
During regular research audits for our Sucuri Firewall (WAF), we discovered a Cross Site Request Forgery (CSRF) leading to a persistent Cross Site Scripting vulnerability affecting 70,000+ users of the WP Meta and Date Remover plugin for WordPress. Disclosure / Response Timeline: April 30 – Initial contact attempt May 07 – Patch is live Are More Info »
Replica Spam on Poorly Maintained ASP Site
Although the majority of sites we work on are powered by PHP, we still have clients whose sites use other programming languages. The other day we cleaned an ASP site where we found a web.config file (the ASP.NET version of .htaccess) with these instructions: <add value="view.asp” /> <add value="Default.asp” /> <add More Info »
