A brute force attack is a type of cyberattack where the attacker uses an automated system to try different combinations of username and password until they find the correct combination. This can be done by using a dictionary of common words or by using a list of common passwords. The attacker will keep trying different…
SQL Injection Found And Fixed In Slimstat Analytics and Paid Memberships Pro
During an internal audit of the Slimstat Analytics and Paid Memberships Pro plugins, the WPScan research team uncovered two SQL Injection vulnerabilities that could allow low-privileged users such as subscribers to leak sensitive information from a site’s database. If exploited, the vulnerabilities might grant attackers access to privileged information from impacted sites’ databases, such as usernames…
WordPress Black Box Testing Basics
If you’re a security researcher looking for a thorough testing method, black box testing should be at the top of your list. Involving an outside perspective to test an application’s or system’s core functionality and security, black box testing is becoming increasingly popular among organizations that need to ensure their infrastructure can withstand any breach…
Fake plugin affecting WordPress sites
Bad actors are abusing leaked and compromised credentials to install the core-stab fake plugin on WordPress sites.
WordPress VIP Adds WPScan to Codebase Manager
WordPress VIP, Automattic’s managed WordPress hosting platform for enterprise and large-scale websites, is excited to announce they have incorporated WPScan into the WordPress VIP Codebase Manager. WPScan’s market-leading security technology brings enhanced, proactive protection and threat detection for WordPress VIP enterprise customers, including continuous monitoring of existing plugins and alerts for potential vulnerabilities. Improved security…
Protecting your WordPress website against SQL injection attacks
If you own a WordPress website, then chances are you’ve heard of SQL injections in WordPress. These malicious attacks can wreak havoc on your website and leave it vulnerable to hackers. Fortunately, there are steps you can take to protect your website from the threat of a WordPress SQL injection attack. Let’s explore what is…
What to do about a blind SSRF vulnerability affecting WordPress Core
We have been hearing questions from WPScan clients about a long-standing vulnerability that has been present in the WordPress software for some time, but we only recently added it to our threat database, so that’s why it has just appeared in results. However, the vulnerability is not new. There is not currently a fix or…
The Complete Checklist for WordPress Security Leaders
Automattic, the parent company to WPScan, hosts many of the biggest websites on the web, and security is one of our highest priorities. What follows is our checklist for security leaders, covering: Best Practices for Your WordPress Website; Essential Tips for WordPress Plugin Security; General Password Hygiene; Web Security Guidelines; Computer Security Recommendations; Guidelines for Phones…
Vulnerabilities Discovered in the 3DPrint Premium Plugin
The premium version of the WordPress plugin 3DPrint is vulnerable to Cross Site Request Forgery (CSRF) and directory traversal attacks when the file manager functionality is enabled. We are also sharing information on this vulnerability over on the Jetpack blog. These vulnerabilities allow an attacker to delete or get access to arbitrary files and directories…
A Note On CSV Injection Reports
We process a large number of submissions every day, some of which have a high impact on the WordPress ecosystem, and others less so. In order to ensure that our work effectively helps make the web a safer place, we have to prioritize the submissions we receive. As part of that, we’d like to clarify…