Tag Archives: sql injection

SQL Injection Vulnerability in WP Statistics

As part of a vulnerability research project for our Sucuri Firewall, we have been auditing popular open source projects looking for security issues. While working on the WordPress plugin WP Statistics, we discovered a SQL Injection vulnerability. This plugin is currently installed on 300,000+ websites. Are You at Risk? This vulnerability is caused by the More Info »

SQL Injection Vulnerability in Joomla! 3.7

During regular research audits for our Sucuri Firewall (WAF), we discovered a SQL Injection vulnerability affecting Joomla! 3.7. The vulnerability is easy to exploit and doesn’t require a privileged account on the victim’s site. Are You at Risk? The vulnerability is caused by a new component, com_fields, which was introduced in version 3.7. If you use this version, you More Info »

SQL Injection Vulnerability in NextGEN Gallery for WordPress

As part of a vulnerability research project for our Sucuri Firewall (WAF), we have been auditing multiple open source projects looking for security issues. While working on the WordPress plugin NextGEN Gallery, we discovered a severe SQL Injection vulnerability. This vulnerability allows an unauthenticated user to grab data from the victim’s website database, including sensitive More Info »

SQL Injection Vulnerability in Ninja Forms

As part of our regular research audits for our Sucuri Firewall, we discovered an SQL Injection vulnerability affecting the Ninja Forms plugin for WordPress, currently installed on 600,000+ websites. Vulnerability Disclosure Timeline: August 11th 9:35 am, 2016 – Initial report to the Ninja Forms team August 11th 2:49 pm, 2016 – Public release of version… More Info »

Drupal SQLi (Drupalgeddon) Attack Trend CVE-2014-3704 / SA-CORE-2014-005

It has been over 19 months since Drupalgeddon, which refers to Drupal’s Security Advisory (SA) SA-CORE-2014-005. For those unfamiliar with it, it was a highly critical SQL Injection (SQLi) vulnerability that allowed an attacker to arbitrarily execute SQL commands remotely, leading to potential privilege escalation issues and execution of PHP code on the server.  The vulnerability… More Info »

Joomla SQL Injection Attacks in the Wild

  Last week, the Joomla team released an update patching a serious vulnerability in Joomla 3.x. This vulnerability, an SQL injection (CVE-2015-7858), allows for an attacker to take over a vulnerable site with ease. We predicted that the attacks would start in the wild very soon, due to the popularity of the Joomla platform alongRead More Info »