- You are here:
- Home ยป
- XSS
Tag Archives for " XSS "
WordPress advisory: Akal premium theme XSS vulnerability & abandonded
Over the course of one week I had the opportunity to audit two hacked WordPress websites. I could quickly discover two vulnerabilities: a Cross Site Scripting, or XSS, in a premium WordPress theme Akal, and a SQL injection Denial-of-Service in a later to be disclosed plugin. This post describes the Akal premium WordPress theme XSS vulnerability.
Continue readingXSS Vulnerability in Wordfence 6.1.1 to 6.1.6
Security researcher Kacper Szurek reported a reflected XSS vulnerability in the current version of Wordfence. The CVSS scoring mechanism rates the severity of this XSS vulnerability as medium. A Wordfence update 6.1.7 is released to address the XSS vulnerability.
Continue readingWordPress 4.5.2 Security Release
WordPress 4.5.2 – a security release – is just released tonight. WordPress 4.5.2 fixes a vulnerability through Plupload, the third-party library WordPress uses for uploading files.
Continue readingSecurity Advisory: Stored XSS in Magento
Sucuri reports an stored cross site scripting (XSS) vulnerability in Magento CE <1.9.2.3 and Magento EE <1.14.2.3. This vulnerability affects almost every install of these versions, time to upgrade your Magento webshop!
Continue reading10% WordPress plugins in top ~1000 is vulnerable, a PHP static code analysis shows
Marcin Probola conducted a PHP static code analysis of the top ~1000 WordPress plugins, and the results showed 103 plugins were vulnerable to at least one vulnerability type (XSS, SQL injection). This is roughly 10 percent! Marcin Probola writes that scanning results were manually verified in his spare time and delivered to official plugins@wordpress.org from 04.07.2015 to 31.08.2015. Most of reported plugins are already patched, […]
Continue readingHigh-risk vulnerabilities in TheCartPress leaves WordPress sites at risk
TheCartPress eCommerce Shopping Cart – a popular WordPress e-commerce plugin that is actively used on over 5,000 websites – contains high-risk vulnerabilities that can be exploited to compromise customers’ data, execute arbitrary PHP code, and perform Cross-Site Scripting attacks against users of WordPress installations, claim High-Tech Bridge researchers. Users are advised to disable or remove the plugin.
Continue readingXSS Vulnerability Affecting Multiple WordPress Plugins
Where the Vevida Optimizer WordPress plugin kept plugins on all my WordPress sites up-to-date: Sucuri reports that multiple WordPress plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress. If you haven’t configured automatic updates for WordPress plugins, please update NOW!
Continue readingprettyPhoto DOM based XSS
A nasty DOM based XSS persists in prettyPhoto, a jQuery lightbox clone for images, videos, YouTube, iframes and ajax. Versions 3.1.4 and 3.1.5 still affected by this cross site scripting vulnerability
Continue readingAsp.Net Application Security
Asp.Net Application Security. Ensure that your ASp.NET application is not susceptible to the scripting attacks that are out there
Continue readingWhatWorks in AppSec: ASP.NET Defend Against Cross-Site Scripting Using The HTML Encode Shortcuts
Defend Against Cross-Site Scripting Using The HTML Encode Shortcuts. The .NET 4.0 & 4.5 frameworks introduced new syntax shortcuts to HTML encode dynamic content being rendered to the browser. These shortcuts provide an easy way to protect against Cross-Site Scripting (XSS) attacks in the newer versions of the .NET framework.
Continue reading7 Tips: .htaccess as Web Application Firewall (WAF) to secure your website
How to use .htaccess as a Web Application Firewall (WAF), and block out exploits and rogue HTTP requests. Sometimes you have no choice but to protect your website yourself, for example if your hosting provider doesn’t offer a Web Application Firewall (WAF) [2] security solution.
Continue reading