What is a brute force attack?

A brute force attack is a type of cyberattack where the attacker uses an automated system to try different combinations of username and password until they find the correct combination. This can be done by using a dictionary of common words or by using a list of common passwords. The attacker will keep trying different…More

SQL Injection Found And Fixed In Slimstat Analytics and Paid Memberships Pro

During an internal audit of the Slimstat Analytics and Paid Memberships Pro plugins, The WPScan research team uncovered two SQL Injection vulnerabilities that could allow low-privileged users like subscribers to leak sensitive information from a site’s database. If exploited, the vulnerability might grant attackers access to privileged information from impacted sites’ databases, such as usernames…More

WordPress Black Box Testing Basics

If you’re a security researcher looking for a thorough testing method, black box testing should be at the top of your list. Involving an outside perspective to test an application’s or system’s core functionality and security, black box testing is becoming increasingly popular among organizations that need to ensure their infrastructure can withstand any breach…More

WordPress VIP Adds WPScan to Codebase Manager

WordPress VIP, Automattic’s managed WordPress hosting platform for enterprise and large-scale websites, is excited to announce they have incorporated WPScan into the WordPress VIP Codebase Manager. WPScan’s market-leading security technology brings enhanced, proactive protection and threat detection for WordPress VIP enterprise customers, including continuous monitoring of existing plugins and alerts for potential vulnerabilities. Improved security…More

Protecting your WordPress website against SQL injection attacks

If you own a WordPress website, then chances are you’ve heard of SQL injections in WordPress. These malicious attacks can wreak havoc on your website and leave it vulnerable to hackers. Fortunately, there are steps you can take to protect your website from the threat of a WordPress SQL injection attack. Let’s explore what is…More

What to do about a blind SSRF vulnerability affecting WordPress Core

We have been hearing questions from WPScan clients about a long-standing vulnerability that has been present in the WordPress software for some time, but we only recently added it to our threat database, so that’s why it has just appeared in results. However, the vulnerability is not new. There is not currently a fix or…More

The Complete Checklist for WordPress Security Leaders

Automattic, the parent company to WPScan, hosts many of the biggest websites on the web, and security is one of our highest priorities. What follows is our checklist for security leaders.  Best Practices for Your WordPress Website Essential Tips for WordPress Plugin Security General Password Hygiene Web Security Guidelines Computer Security Recommendations Guidelines for Phones…More

Vulnerabilities Discovered in the 3DPrint Premium Plugin

The premium version of the WordPress plugin 3DPrint is vulnerable to Cross Site Request Forgery (CSRF) and directory traversal attacks when the file manager functionality is enabled. We are also sharing information on this vulnerability over on the Jetpack blog. These vulnerabilities allow an attacker to delete or get access to arbitrary files and directories…More

A Note On CSV Injection Reports

We process a large number of submissions every day, some of which have a high impact on the WordPress ecosystem, and others less so. In order to ensure that our work effectively helps make the web a safer place, we have to prioritize the submissions we receive. As part of that, we’d like to clarify…More

A Note On 2FA Plugin Vulnerabilities

We’ve been alerted that certain vendors are using suboptimal secret management techniques to handle (H/T)OTP encryption keys, which leads to them not bringing any additional security value. Examples we’ve received include storing the encryption key on the database alongside the shared secret it encrypted or using the same key for all sites using the plugin.…More