WordPress released version 5.5.2 yesterday, which fixed a reflected XSS vulnerability we reported earlier this year. The root cause of this issue is a bug in the way WordPress determines a user’s current page, and which may cause a few other problems as well. Are You Affected? This vulnerability is exploitable on every WordPress site […]
Archive by Author
Bridging the Gap Between Application and Network Security with CleanBrowsing
When we started Sucuri we set out to make enterprise security accessible, affordable, and effective for every day webmasters. It was at a time when open-source platforms like WordPress, Joomla!, Drupal, and others were changing the web landscape. With them came an entirely new generation of administrators who had no idea that they were now […]
5 Places Where You’d Never Expect to Get Hacked
For every gleaming new IoT device that hits the market, a hacker somewhere is figuring out how to compromise it. Today, even routine activities can land you in the sights of a bad actor. Imagine what a bad day could look like in these days of ubiquitous connectivity… it’d play like some dystopian grindhouse film. […]
P.A.S. Fork v. 1.0 — A Web Shell Revival
A PHP shell containing multiple functions can easily consist of thousands of lines of code, so it’s no surprise that attackers often reuse the code from some of the most popular PHP web shells, like WSO or b374k. After all, if these popular (and readily available) PHP web shells do the job, there’s no need […]
Password Security & Password Managers
In the spirit of National Cyber Security Awareness Month (NCSAM), let’s talk about a security basic that many people overlook: passwords. These are one of the most fundamental aspects of website security, yet we too often see webmasters taking a lax approach to secure passwords. In fact, the online security provider TeamPassword found that last […]
R_Evil WordPress Hacktool & Malicious JavaScript Injections
We often see hackers reusing the same malware, with only a few new adjustments to obfuscate the code so that it is more difficult for scanning tools to detect. However, sometimes entirely new attack tools are created and deployed by threat actors who don’t want to rely on obfuscating existing malware. Confusing Name – R_Evil […]
A Quick Glance at Cross-Origin Resource Sharing Security Headers
Thanks to the rapid growth of JavaScript frameworks such as Angular, Vue, and React, CORS has become a popular word in the developer’s vocabulary. When requesting information from an external source such as an API (a pretty common practice for client-side JavaScript code), the origin of the resource must tell the web browser which domain, […]
Securing Your Online Store for the Holidays
Shopping season is here, and so is the opportunity for ecommerce site owners to grow their business and generate revenue. In lieu of the changing global ecommerce climate that this pandemic has produced, comes the importance of securing your website to protect your users — and your revenue streams. Your online customers depend on you […]
Sucuri Sit-Down Episode 4: XSS & WP Plugin Vulnerabilities with Antony Garand
October is National Cyber Security Awareness Month, and we’re back with analyst Antony Garand to take a deeper look into cross site scripting (XSS) attacks and WordPress plugin vulnerabilities. Plus, host Justin Channell will catch you up on the latest website security news from the Sucuri blog. For further reading about any of these topics, […]
Magento Phishing Leverages JavaScript For Exfiltration
During a recent investigation, a Magento admin login phishing page was found on a compromised website using the file name wp-order.php. This is an odd file name choice for a Magento phishing page, but nevertheless it successfully loads a legitimate looking Magento 1.x login page. What is not immediately visible or apparent to victims, however, […]
