Tag Archives: Vulnerability Disclosure

Icegram Persistent Cross-Site Scripting

Icegram is a plugin that helps you collect email addresses for your newsletter. Other features include light-box popup offers, header action bars, toast notifications, and slide-in messengers. Versions 1.10.28.2 and lower are affected by a persistent Cross-Site Scripting in the admin area. This plugin has over 40,000 installations and any attacker with a subscriber account More Info »

Stored XSS in MyBB

The open source PHP forum software myBB recently published a new update, version 1.8.21. This is a security release fixing a Stored XSS vulnerability in the private messaging and post modules. What Are the Risks? Unpatched websites could allow bad actors to send booby-trapped posts or private messages to users. These would execute rogue JavaScript More Info »

Slimstat: Stored XSS from Visitors

The WordPress Slimstat plugin, which currently has over 100k installs, allows your website to gather analytics data for your WordPress website. It will track certain information such as the browser and operating system details, plus page visits to optimize the website analytics. Versions below 4.8.1 are affected by an unauthenticated stored XSS on the administrator More Info »

Persistent Cross-site Scripting in WP Live Chat Support Plugin

During a routine research audits for our Sucuri Firewall, we discovered an Unauthenticated Persistent Cross-Site Scripting (XSS) affecting 60,000+ users of the  WP Live Chat Support  WordPress plugin. Current State of the Vulnerability Though this security bug has been fixed in the 8.0.27 release, it can be exploited by an attacker without any account in More Info »

Multiple Vulnerabilities in the WordPress Ultimate Member Plugin

The Ultimate member plugin version 2.0.45 and lower is affected by multiple vulnerabilities, among them is a critical vulnerability allowing malicious users to read and delete your wp-config.php file, which can lead to a complete website takeover. All of our clients behind our website firewall are already protected, and are not at risk. The three More Info »

ThinkPHP 5.x Remote Code Execution

Earlier this year, we noticed an increase in attacks aiming at ThinkPHP, which is a PHP framework that is very popular in Asia. If you keep track of your site’s activity, the following log may look familiar: POST: /index.php?s=captcha HTTP/1.1 Data: _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=uname&ipconfig In December 2018, a working exploit was released for the versions v5.0.23 and More Info »