17 May 2023

Vulnerability Assessments and Penetration Testing Are Not Essential for Addressing Security Risks on WordPress Websites

A recent SecurityWeek headline claimed that a Ferrari website was put at risk by a WordPress plugin: “WordPress Plugin Vulnerability Exposed Ferrari Website to Hackers”. While a WordPress plugin was involved, it shouldn’t have been the focus of the headline. Instead, a failure by Ferrari to do basic security was the real cause of the issue.

The body of the story gets closer to the truth as it says that the vulnerable Ferrari website was “running a very old version” of the vulnerable plugin in question. How old? It doesn’t say. The closest it gets to that is mentioning a CVE id, CVE-2019-6715, which suggests this might be a vulnerability from 2019. The CVE record says that the vulnerability impacts versions “before 0.9.4”. Version 0.9.4 of the plugin was released on April 4, 2014. So Ferrari hadn’t updated the plugin in nine years. [Read more]

20 Sep 2022

How to Replace Overpriced and Ineffective WPScan Based Penetration Testing of WordPress Websites With Cheaper and Better Automated Testing

Last week Bloomberg’s Katrina Manson covered a recommendation from the US Cybersecurity and Infrastructure Security Agency that urged companies to automate threat testing. The story touched on one of the realities of the poor state of security that doesn’t get much attention: the current method of threat testing is both much more expensive than it needs to be and not very effective. The story mentioned the chief information security officer of a company that changed course after a ransomware attack two years ago, who found that the change had this impact:

the price was cheaper than employing so-called penetration testers, who do similar work but less regularly and effectively [Read more]