If you’re a security researcher looking for a thorough testing method, black box testing should be at the top of your list. Involving an outside perspective to test an application’s or system’s core functionality and security, black box testing is becoming increasingly popular among organizations that need to ensure their infrastructure can withstand any breach…More
Fake plugin affecting WordPress sites
Bad actors are abusing leaked and compromised credentials to install core-stab fake plugin on WordPress sites.More
WordPress VIP Adds WPScan to Codebase Manager
WordPress VIP, Automattic’s managed WordPress hosting platform for enterprise and large-scale websites, is excited to announce they have incorporated WPScan into the WordPress VIP Codebase Manager. WPScan’s market-leading security technology brings enhanced, proactive protection and threat detection for WordPress VIP enterprise customers, including continuous monitoring of existing plugins and alerts for potential vulnerabilities. Improved security…More
Protecting your WordPress website against SQL injection attacks
If you own a WordPress website, then chances are you’ve heard of SQL injections in WordPress. These malicious attacks can wreak havoc on your website and leave it vulnerable to hackers. Fortunately, there are steps you can take to protect your website from the threat of a WordPress SQL injection attack. Let’s explore what is…More
What to do about a blind SSRF vulnerability affecting WordPress Core
We have been hearing questions from WPScan clients about a long-standing vulnerability that has been present in the WordPress software for some time, but we only recently added it to our threat database, so that’s why it has just appeared in results. However, the vulnerability is not new. There is not currently a fix or…More
Vulnerabilities Discovered in the 3DPrint Premium Plugin
The premium version of the WordPress plugin 3DPrint is vulnerable to Cross Site Request Forgery (CSRF) and directory traversal attacks when the file manager functionality is enabled. We are also sharing information on this vulnerability over on the Jetpack blog. These vulnerabilities allow an attacker to delete or get access to arbitrary files and directories…More
A Note On CSV Injection Reports
We process a large number of submissions every day, some of which have a high impact on the WordPress ecosystem, and others less so. In order to ensure that our work effectively helps make the web a safer place, we have to prioritize the submissions we receive. As part of that, we’d like to clarify…More
A Note On 2FA Plugin Vulnerabilities
We’ve been alerted that certain vendors are using suboptimal secret management techniques to handle (H/T)OTP encryption keys, which leads to them not bringing any additional security value. Examples we’ve received include storing the encryption key on the database alongside the shared secret it encrypted or using the same key for all sites using the plugin.…More
Writing Good Submissions
We receive a non-negligible amount of submissions every day. We model the risk they represent for site owners, figure out what kind of privilege is required to successfully exploit the issue, and forward the information to plugin and theme authors to get it fixed. This is can get pretty time-consuming, especially when we need to…More
WPScan Acquired by Automattic
We are very excited to let you know that WPScan will be joining Automattic! WPScan has been working on improving the WordPress security ecosystem for over 10 years. During that time we released our wildly popular WordPress security scanner. We then developed and released the WordPress vulnerability database, where we triage and record hundreds of…More