Last month we released an authenticated remote code execution (RCE) vulnerability in WordPress 5.0. This blog post reveals another critical exploit chain for WordPress 5.1 that enables an unauthenticated attacker to gain remote code execution on any WordPress installation prior to version 5.1.1 (CVE-2019-9787).

This blog post details how a combination of a Path Traversal and Local File Inclusion vulnerability lead to Remote Code Execution in the WordPress core (CVE-2019-8943). The vulnerability remained uncovered in the WordPress core for over 6 years.

A recent Capture-The-Flag tournament hosted by Insomni’hack challenged participants to craft an attack payload for Drupal 7. This blog post will demonstrate our solution for a PHP Object Injection with a complex POP gadget chain.

The WordPress.org website holds the repositories for all plugins and themes that are used by all WordPress sites. Furthermore, it manages the accounts that developers use to edit the code of their themes and plugins. In this blog post, we investigate a critical stored XSS vulnerability on the WordPress.org website we have reported to the WordPress security team in May 2018.

A logic flaw in the way WordPress created blog posts allowed attackers to access features only administrators were supposed to have (CVE-2018-20152). This lead to a Stored XSS and Object Injection in the WordPress core and more severe vulnerabilities in WordPress’s most popular plugins Contact Form 7 and Jetpack.