Blog Posts - Wordpress Security



WordPress Google Analyticator 6.4.9.3 CSRF

# Title: Cross-Site Request Forgery in Google Analyticator Wordpress Plugin v6.4.9.3 before rev @1183563 # Submitter: Nitin Venkatesh # Product: Google Analyticator Wordpress Plugin # Product URL: https://wordpress.org/plugins/google-analyticator/ #...
by MondoUnix on Jun 24, 2015

WordPress Revslider 4.2.2 XSS / Information Disclosure

| # Title : WordPress Revslider 4.2.2 Multi Vulnerability | # Author : indoushka | # email :indoushka4ever@gmail.com | # Dork : inurl:admin-ajax.php?action=revslider_show_image -intext:"revslider_show_image" | # Teste...
by MondoUnix on Jun 24, 2015

WordPress Front-end Editor File Upload

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ##   require 'msf/core'   class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking   incl...
by MondoUnix on Jun 24, 2015

WordPress Roomcloud 1.1 Cross Site Scripting

## Details   # Title: Unsanitized parameters in Wordpress Roomcloud plugin v1.1(rev @1115307) allows Cross-site Scripting # Submitter: Nitin Venkatesh <venkatesh [dot] nitin [at] gmail [dot] com> # Product: Wordpress Roomcloud plugin # P...
by MondoUnix on Jun 19, 2015

WordPress Ad Buttons 2.3.1 CSRF / Cross Site Scripting

================================================================ CSRF/Stored XSS Vulnerability in Ad Buttons Plugin ================================================================   . contents:: Table Of Content   Overview ========  ...
by MondoUnix on Jun 19, 2015

WordPress Yet Another Related Posts 4.2.4 CSRF / XSS / Code Execution

Homepage https://wordpress.org/plugins/yet-another-related-posts-plugin/ Affected Versions <= 4.2.4 Description 'Yet Another Related Posts Plugin' options can be updated with no token/nonce protection which an attacker may exploit via tricking we...
by MondoUnix on Jun 19, 2015

WordPress Booking Calendar Contact Form 1.0.2 XSS / SQL Injection

# Exploit Title: WordPress Booking Calendar Contact Form 1.0.2[Multiple vulnerabilities] # Date: 2015-05-01 # Google Dork: Index of /wordpress/wp-content/plugins/booking-calendar-contact-form/ # Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-L...
by MondoUnix on Jun 19, 2015

WordPress Media File Manager Advanced 1.1.5 XSS / SQL Injection

Description   "media-file-manager-advanced" suffers from executing administrator actions by any authenticated user due to weak permissions checking. An attacker can delete/update posts, Creating/Removing/Listing Directories, Moving/Renam...
by MondoUnix on Jun 19, 2015

WordPress Encrypted Contact Form 1.0.4 CSRF / XSS

# Title: Cross-site Request Forgery & Cross-site Scripting in Encrypted Contact Form Wordpress Plugin v1.0.4 # Submitter: Nitin Venkatesh # Product: Encrypted Contact Form Wordpress Plugin # Product URL: https://wordpress.org/plugins/encrypted-co...
by MondoUnix on Jun 19, 2015

WordPress WP Photo Album Plus 6.1.2 Cross Site Scripting

Advisory ID: HTB23257 Product: WP Photo Album Plus WordPress Plugin Vendor: J.N. Breetvelt Vulnerable Version(s): 6.1.2 and probably prior Tested Version: 6.1.2 Advisory Publication: April 29, 2015 [without technical details] Vendor Notification: Apr...
by MondoUnix on Jun 19, 2015

WordPress Church Admin 0.800 Cross Site Scripting

# Exploit Title: Wordpress church_admin Stored XSS # Date: 21-04-2015 # Exploit Author: woodspeed # Vendor Homepage: https://wordpress.org/plugins/church-admin/ # Version: 0.800 # OSVDB ID : http://www.osvdb.org/show/osvdb/121304 # WPVULNDB ID : http...
by MondoUnix on Jun 19, 2015

WordPress NewStatPress 0.9.8 Cross Site Scripting / SQL Injection

# Title: Multiple vulnerabilities in WordPress plugin "NewStatPress" # Author: Adrián M. F. - adrimf85[at]gmail[dot]com # Date: 2015-05-25 # Vendor Homepage: https://wordpress.org/plugins/newstatpress/ # Active installs: 20,000+ # Vulnerable...
by MondoUnix on Jun 19, 2015

Protect your WordPress Blog from DDOS and Security Attacks

This is a guest article from Caroline Black. No matter what, you own a world class website or a simple blog – hackers and attackers will always be against you, trying to access your backend and modifying it according to their needs. Daily hundreds of...
by MY DIGITAL NOTEBOOK on Jun 18, 2015

WordPress Users To CSV 1.4.5 Cross Site Request Forgery

# Title: Cross-Site Request Forgery Vulnerability in Users to CSV Wordpress Plugin v1.4.5 # Submitter: Nitin Venkatesh # Product: Users to CSV Wordpress Plugin # Product URL: https://wordpress.org/plugins/users-to-csv/ (disabled) # Plugin SVN URL: ht...
by MondoUnix on Jun 18, 2015

WordPress Freshmail 1.5.8 SQL Injection

------------------------ ISSUE 1:     # Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1) # Google Dork: N/A # Date: 05/05/2015 # Exploit Author: Felipe Molina de la Torre (@felmoltor) # Vendor Homepage: *http://fresh...
by MondoUnix on May 15, 2015

WordPress Ultimate Product Catalogue 3.1.2 SQL Injection

-------- ISSUE 1:   # Exploit Title: Unauthenticated SQLi in Item_ID POST parameter on Ultimate Product Catalogue wordpress plugin # Google Dork: inurl:"SingleProduct" intext:"Back to catalogue" intext:"Category", inurl:&...
by MondoUnix on May 15, 2015

WordPress RevSlider 3.0.95 File Upload / Execute

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ##   require 'msf/core'   class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking   incl...
by MondoUnix on May 15, 2015

WordPress Yoast Google Analytics Cross Site Scripting

OVERVIEW ==========   Google Analytics by Yoast is one of the most popular WordPress plug-ins with over 7 million downloads and "1+ million" active installs. Last month Yoast patched a stored XSS we reported in the plug-in. Shortly after...
by MondoUnix on May 9, 2015

WordPress WooThemes WooFramework 4.5.1 Cross Site Scripting

------------------------------------------------------------------------------ WooThemes WooFramework 4.5.1 Authenticated Cross Site Scripting (XSS) ------------------------------------------------------------------------------   [-] Vulnerabilit...
by MondoUnix on May 9, 2015

WordPress 4.2 Cross Site Scripting

*Overview* Current versions of WordPress are vulnerable to a stored XSS. An unauthenticated attacker can inject JavaScript in WordPress comments. The script is triggered when the comment is viewed.   If triggered by a logged-in administrator, un...
by MondoUnix on May 9, 2015
