WordPress Privilege Escalation through Post Types

17 Dec 2018 by Simon Scannell
WooCommerce Object Injection

A logic flaw in the way WordPress created blog posts allowed attackers to access features only administrators were supposed to have. This lead to a Stored XSS and Object Injection in the WordPress core and more severe vulnerabilities in WordPress’s most popular plugins Contact Form 7 and Jetpack.

Read More ...

PHP Security Advent Calendar 2018 Announcement

27 Nov 2018 by Dr. Johannes Dahse
PHP Security Advent Calendar

The holiday season is coming up again and it’s time for some security fun. For the third time in a row, we are proud to announce our PHP security advent calendar. This year, we will analyze 24 exciting security bugs that we detected in the most widespread WordPress plugins.

Read More ...

Pydio 8.2.1 Unauthenticated Remote Code Execution

13 Nov 2018 by Simon Scannell, Robin Peraglie
Pydio Object Injection to RCE

Pydio is a popular file sharing solution used by enterprises and governments around the world. It suffered from a highly critical vulnerability that allowed unauthenticated attackers to compromise the entire file sharing server and to execute arbitrary code on the remote machine. Find out more about the impact and technical details in our blog post.

Read More ...

WordPress Design Flaw Leads to WooCommerce RCE

6 Nov 2018 by Simon Scannell
WordPress

A flaw in the way WordPress handles privileges can lead to a privilege escalation in WordPress plugins. This affects for example WooCommerce, the most popular e-commerce plugin with over 4 million installations. The vulnerability allows shop managers to delete certain files on the server and then to take over any administrator account.

Read More ...

WordPress Configuration Cheat Sheet

31 Oct 2018 by Nils Werner

WordPress Configuration Cheat Sheet

WordPress is the most frequently installed web application in the world. The system is operated not only by experienced developers but also by beginners. In this blog post, we summarize what to look out for when configuring your WordPress installation’s security.

Read More ...