Tag Archives: Vulnerability Disclosure

Joomla Account Creation Vulnerability

The Joomla team released a serious security vulnerability affecting all Joomla versions from 3.4.4 and up. If you’re using one of these versions of Joomla, you’re encouraged to update immediately. The vulnerability has a high severity as it allows anyone to create a user remotely and specify the desired group permission to it, including administrator. Two More Info »

SQL Injection Vulnerability in Ninja Forms

As part of our regular research audits for our Sucuri Firewall, we discovered an SQL Injection vulnerability affecting the Ninja Forms plugin for WordPress, currently installed on 600,000+ websites. Vulnerability Disclosure Timeline: August 11th 9:35 am, 2016 – Initial report to the Ninja Forms team August 11th 2:49 pm, 2016 – Public release of version… More Info »

Drupal SQLi (Drupalgeddon) Attack Trend CVE-2014-3704 / SA-CORE-2014-005

It has been over 19 months since Drupalgeddon, which refers to Drupal’s Security Advisory (SA) SA-CORE-2014-005. For those unfamiliar with it, it was a highly critical SQL Injection (SQLi) vulnerability that allowed an attacker to arbitrarily execute SQL commands remotely, leading to potential privilege escalation issues and execution of PHP code on the server.  The vulnerability… More Info »

Security Advisory: Stored XSS in Jetpack

During regular research audits for our Sucuri Firewall (Cloud-based WAF), we discovered a stored XSS vulnerability affecting the WordPress Jetpack plugin, currently installed on more than a million WordPress sites. The vulnerability can be easily exploited via wp-comments and we recommend everyone to update asap, if you have not done so yet. Vulnerability Disclosure Timeline:… More Info »

Security Advisory: Stored XSS in bbPress

Exploitation Level: Easy/Remote DREAD Score: 6/10 Vulnerability: Stored XSS Patched Version:  bbPress 2.5.9 During regular research audits of our Sucuri Firewall, we discovered a Stored XSS vulnerability affecting the bbPress plugin for WordPress which is currently installed on 300,000 live websites – one of them being the popular wordpress.org support forum. Vulnerability Disclosure Timeline: AprilRead More Info »

Security Advisory: Stored XSS in Magento

Security Risk: Dangerous Exploitation Level: Easy/Remote DREAD Score: 7/10 Vulnerability: Stored XSS Patched Version:  Magento CE: 1.9,2.3, Magento EE: 1.14.2.3 During our regular research audits for our Cloud-based WAF, we discovered a Stored XSS vulnerability affecting the Magento platform that can be easily exploited remotely. We notified the Magento team and worked with them toRead More Info »

Security Advisory: Stored XSS in Akismet WordPress Plugin

Security Risk: Dangerous Exploitation Level: Easy/Remote DREAD Score: 9/10 Vulnerability: Stored XSS Patched Version:  3.1.5 During a routine audit for our WAF, we discovered a critical stored XSS vulnerability affecting Akismet, a popular WordPress plugin deployed by millions of installs. Vulnerability Disclosure Timeline: October 2nd, 2015 – Bug discovered, initial report to Automattic security team October 5th, 2015Read More Info »