Tag Archives: Vulnerability Disclosure

SQL Injection Vulnerability in WP Statistics

As part of a vulnerability research project for our Sucuri Firewall, we have been auditing popular open source projects looking for security issues. While working on the WordPress plugin WP Statistics, we discovered a SQL Injection vulnerability. This plugin is currently installed on 300,000+ websites. Are You at Risk? This vulnerability is caused by the More Info »

SQL Injection Vulnerability in Joomla! 3.7

During regular research audits for our Sucuri Firewall (WAF), we discovered a SQL Injection vulnerability affecting Joomla! 3.7. The vulnerability is easy to exploit and doesn’t require a privileged account on the victim’s site. Are You at Risk? The vulnerability is caused by a new component, com_fields, which was introduced in version 3.7. If you use this version, you More Info »

SQL Injection Vulnerability in NextGEN Gallery for WordPress

As part of a vulnerability research project for our Sucuri Firewall (WAF), we have been auditing multiple open source projects looking for security issues. While working on the WordPress plugin NextGEN Gallery, we discovered a severe SQL Injection vulnerability. This vulnerability allows an unauthenticated user to grab data from the victim’s website database, including sensitive More Info »

Content Injection Vulnerability in WordPress

As part of a vulnerability research project for our Sucuri Firewall (WAF), we have been auditing multiple open source projects looking for security issues. While working on WordPress, we discovered was a severe content injection (privilege escalation) vulnerability affecting the REST API. This vulnerability allows an unauthenticated user to modify the content of any post More Info »

Joomla Account Creation Vulnerability

The Joomla team released a serious security vulnerability affecting all Joomla versions from 3.4.4 and up. If you’re using one of these versions of Joomla, you’re encouraged to update immediately. The vulnerability has a high severity as it allows anyone to create a user remotely and specify the desired group permission to it, including administrator. Two More Info »

SQL Injection Vulnerability in Ninja Forms

As part of our regular research audits for our Sucuri Firewall, we discovered an SQL Injection vulnerability affecting the Ninja Forms plugin for WordPress, currently installed on 600,000+ websites. Vulnerability Disclosure Timeline: August 11th 9:35 am, 2016 – Initial report to the Ninja Forms team August 11th 2:49 pm, 2016 – Public release of version… More Info »

Drupal SQLi (Drupalgeddon) Attack Trend CVE-2014-3704 / SA-CORE-2014-005

It has been over 19 months since Drupalgeddon, which refers to Drupal’s Security Advisory (SA) SA-CORE-2014-005. For those unfamiliar with it, it was a highly critical SQL Injection (SQLi) vulnerability that allowed an attacker to arbitrarily execute SQL commands remotely, leading to potential privilege escalation issues and execution of PHP code on the server.  The vulnerability… More Info »

Security Advisory: Stored XSS in Jetpack

During regular research audits for our Sucuri Firewall (Cloud-based WAF), we discovered a stored XSS vulnerability affecting the WordPress Jetpack plugin, currently installed on more than a million WordPress sites. The vulnerability can be easily exploited via wp-comments and we recommend everyone to update asap, if you have not done so yet. Vulnerability Disclosure Timeline:… More Info »