12 Sep

WordPress Security Plugins Provide Little to No Protection Against Recently Discovered Persistent XSS Vulnerability

In the past few months we have done several one off tests of WordPress security plugins to see if they could prevent exploitation of a vulnerability in a plugin. We tested an extraordinary claim by Wordfence that their plugin could prevent persistent cross-site scripting (XSS) and found that it failed both with a vulnerability that [Read more]

06 Sep

Yet Another Very Vulnerable Plugin Returned to The WordPress Plugin Directory Without Actually Being Fixed

When it comes making sure that vulnerabilities in WordPress plugins get fixed we play important role in making that happen, but we are having to play an outsized role because others are not doing their part, which has once again lead to websites remaining vulnerable to being hacked for much longer than they should have [Read more]

29 Aug

Persistent Cross-Site Scripting (XSS) Vulnerability in WP-Piwik

As we continue to review old third-party data on hacking attempts to identity more vulnerabilities that hackers have likely already discovered in WordPress plugins we spotted a persistent cross-site scripting (XSS) vulnerability in the plugin WP-Piwik. Back in January a request was made for the file /wp-content/plugins/wp-piwik/js/wp-piwik.js, for what was may have been a probe for usage of the plugin [Read more]