Learnings from our WordPress Security Month

15 Jan 2019 by Simon Scannell


Last December we published one vulnerability per day affecting WordPress core or one of the most popular WordPress plugins, alongside a critical persistent XSS in wordpress.org. This blog post summarizes the common mistakes developers make, the overall impact our advent calendar had on the WordPress community, and the current state of WordPress security.

Read More ...

RIPS 3.0 Supports Java Security Analysis

7 Jan 2019 by Martin Bednorz


We are excited to start the year 2019 with a new major release and milestone. RIPS 3.0 adds support for analyzing Java code for security and quality issues. Find out more about our unique code analysis approach and other new RIPS features.

Read More ...

Wormable Stored XSS on WordPress.org

24 Dec 2018 by Karim El Ouerghemmi

Finding a critical vulnerability in one popular WordPress plugin and exploiting it in the wild could allow attackers to easily hijack thousands to millions of websites. An example of this could be observed recently in the case of the popular plugin WP GDPR Compliance. One plugin thus represents a single point of failure for all the websites using it. However, in terms of risk to the WordPress ecosystem, there is something more far-reaching than the security of popular plugins: the security of WordPress.org itself. In this blog post, we investigate a critical stored XSS vulnerability on the WordPress.org website which we reported to the WordPress security team in May of this year.

Read More ...

WordPress Privilege Escalation through Post Types

17 Dec 2018 by Simon Scannell

A logic flaw in the way WordPress created blog posts allowed attackers to access features that only administrators were supposed to have. This led to a Stored XSS and an Object Injection in the WordPress core, and to more severe vulnerabilities in two of WordPress's most popular plugins, Contact Form 7 and Jetpack.

Read More ...

PHP Security Advent Calendar 2018 Announcement

27 Nov 2018 by Dr. Johannes Dahse

The holiday season is coming up again and it’s time for some security fun. For the third time in a row, we are proud to announce our PHP security advent calendar. This year, we will analyze 24 exciting security bugs that we detected in the most widespread WordPress plugins.

Read More ...