The last few days has brought about a massive influx of broken WordPress websites. What makes it so unique is that the malicious payload is being blindly injected which is causing websites to break. While we’re still researching, we do want to share share some observations: This infection is aimed at websites built on the […]
Archive by Author
SQL Injection Vulnerability – vBulletin 5.x
The vBulletin team just released a security patch for vBulletin 5.0.4, 5.0.5, 5.1.0, 5.1.1, and 5.1.2 to address a SQL injection vulnerability on the member list page. Every vBulletin user needs to upgrade to the latest version asap. vBulletin is a very popular forum sofware used on more than 100,000 web sites. Directly from vBulletin.com: […]
Disclosure: Insecure Nonce Generation in WPTouch
If you use the popular WPTouch plugin (5m+ downloads) on your WordPress website, you should update it immediately. During a routine audit for our WAF, we discovered a very dangerous vulnerability that could potentially allow a user with no administrative privileges, who was logged in (like a subscriber or an author), to upload PHP files […]
Website Malware – Mobile Redirect to BaDoink Porn App
A few weeks ago we reported that we were seeing a huge increase in the number of web sites compromised with a hidden redirection to pornographic content. It was a very tricky injection, with the redirection happening only once per day per IP address and only if the visitor was using a mobile device (IPhone, […]
Simplifying the language of website security
A couple of weeks ago, the Sucuri team was at HostingCon. We rubbed elbows with the people who bring your websites to the world and spoke at length with them about the importance of website security. However, the most interesting conversation we had over the whole week was with a small business owner on vacation […]
Ask Sucuri: Who is logging into my WordPress site?
Today, we’re going to revisit our Q&A series. If you have any questions about malware, blacklisting, or security in general, send them to us at: [email protected]. For all the “Ask Sucuri” answers, go here. Question: How do I know who is logging into my WordPress site? Answer: One of the most basic and important security […]
Remote File Upload Vulnerability in WordPress MailPoet Plugin (wysija-newsletters)
Marc-Alexandre Montpas, from our research team, found a serious security vulnerability in the MailPoet WordPress plugin. This bug allows an attacker to upload any file remotely to the vulnerable website (i.e., no authentication is required). This is a serious vulnerability, The MailPoet plugin (wysija-newsletters) is a very popular WordPress plugin (over 1,700,000 downloads). This vulnerability […]
TimThumb WebShot Code Execution Exploit (0-day)
If you are still using Timthumb after the serious vulnerability that was found on it last year, you have one more reason to be concerned. A new 0-day was just disclosed on TimThumb’s “Webshot” feature that allows for certain commands to be executed on the vulnerable website remotely (no authentication required). With a simple command, […]
SPAM Hack Targets WordPress Core Install Directories
Do you run your website on WordPress? Have you checked the integrity of your core install lately for SPAM like “Google Pharmacy” stores or other fake stores? We have been tracking and analyzing a growing trend in SEO Spam (a.k.a., Search Engine Poisoning (SEP)) attacks in which thousands of compromised WordPress websites are being used […]
Disclosure: Remote Code Execution Vuln in Disqus
We recently found a security vulnerability in the Disqus Comment System plugin for WordPress. It could, under very specific conditions, allow an attacker to perform arbitrary remote code execution (RCE). In other words, an attacker can do anything he wants with a vulnerable website. While the flaw itself is very dangerous, it may only be […]
