11 Apr

Not Every Report of a WordPress Plugin Vulnerability Involves a Real Vulnerability

In our dealing with hacked websites we have recently been working with quite a few people that have come to us after trying to do some work to figure out the source of the hack themselves. They will bring up that they have found reporting that software on the website has had vulnerabilities and those might [Read more]

04 Apr

Reflected Cross-Site Scripting (XSS) Vulnerability in WordPress Event Calendar (Spider Event Calendar)

We recently discovered the WordPress Event Calendar (Spider Event Calendar) plugin had a reflected cross-site scripting (XSS) vulnerability. In version 1.5.38, and all previous versions, the file /nav_function/nav_html_func.php was echoing a POST variable without escaping it. That occurred on line 88: <input type=”hidden” id=”serch_or_not” name=”serch_or_not” value=”<?php if(isset($_POST[“serch_or_not”])){ echo $_POST[“serch_or_not”];}  ?>”    /> Proof Of Concept The following proof of [Read more]