WordPress 5.2.3 has now been released. This is a security and maintenance release features 29 fixes and enhancements and adds several security fixes. These bugs affect WordPress versions 5.2.2 and earlier; version 5.2.3 fixes them, so we recommend all WordPress-users to upgrade. If you haven’t yet updated to 5.2 yet, there are also updated versions of 5.0 and earlier that fix the bugs for you. Security Updates Props to Simon Scannell of RIPS Technologies for finding and disclosing two issues. The first, a cross-site scripting (XSS) vulnerability found in post previews by contributors. The second was a cross-site scripting vulnerability in stored comments. Props to Tim Coen for disclosing an issue where validation and sanitization of a URL could lead to an open redirect.[…]

WordPress XML-RPC

What is XML-RPC? According to Wikipedia, XML-RPC is a remote procedure call (RPC) protocol which uses XML to encode its calls and HTTP as a transport mechanism. WordPress utilizes this XML-RPC that is used to exchange information between computer systems over a network. In short, it is a system that allows you to post on your WordPress blog using popular weblog clients like Windows Live Writer or using the WordPress mobile app. It is also needed if you want to make connections to services like IFTTT. Pretty damn useful, if you think about it. But that comes at the cost of security risks. Is my WordPress affected ? In the past, there were security concerns with XML-RPC thus it was disabled by default. However Since WordPress 3.5.x, WordPress has had XML-RPC enabled[…]

When it comes to complex password cracking, hashcat is the tool which comes into role as it is the well-known password cracking tool freely available on the internet. The passwords can be any form or hashes like SHA, MD5, WHIRLPOOL etc. Hashes does not allow a user to decrypt data with a specific key as other encryption techniques allow a user to decrypt the passwords. Hashcat uses certain techniques like dictionary, hybrid attack or rather it can be the brute-force technique as well. This article gives an example of usage of hashcat that how it can be used to crack complex passwords of WordPress. Hashcat in an inbuilt tool in Kali Linux which can be used for this purpose. USAGE[…]

API JSON

Since a few weeks we offer an API so you can get notified about new found vulnerabilities on your WordPress website. The first part of our API are outgoing JSON webhooks. Using webhooks you can integrate against other third party services like Slack and Zapier. The hooks is formatted as JSON, example: { “email”: “[email protected]”, “name”: “WPScans”, “reportURL”: “https://wpsec.com/scan/?id=b8af78jrhj2kjfdef33j3j3j”, “status”: “vuln”, “type”: “scan”, “url”: “http://wpsec.com” } Most of the fields are self-explaining. The status field can be no-wordpress, vuln or no-vuln. The fields being sent are: type name reportURL url email status Screenshot from the Dashboard: This new API is available to Premium Subscribers and is still in beta.

Building on the robust infrastructure of WordPress 5.1, another release is in the offing at the end of this month. Perhaps the most crucial thing to note with the new update – WordPress 5.2 – is that all users would have to upgrade their version of PHP to PHP 5.6.20.   Following the release of WordPress 5.1, many users have taken the plunge, updating to more recent PHP versions. So you just might fancy doing same if you’ve not done that to prevent losing out on the latest features to follow WordPress 5.2.  If you’re thinking a manual WordPress update, well that wouldn’t work too. Presently, WordPress recommends that users upgrade to its recommended version – PHP 7.3 And it’s[…]

It has been reported by W3Techs that about one-third of the top ten million sites on the web is powered by WordPress. The WordPress market share has experienced tremendous steady growth in the last few years. There has been an increase from 29.9% to 33.4% within a year. That is a great improvement. The state of things here is quite exciting. We were happy when we first saw 50,000 downloads in 2005, and in January 2011, the project reached another milestone whereby 13.1% of websites were being powered by WordPress. And now, a new record has been set as WordPress is powering 33.4% of the sites. The most recent release, which came out on 21st of February, has been downloaded[…]

WordPress 5.1.1 is now available for automatic upgrade or download. This new WordPress version is a security and maintenance release. The release introduces 10 fixes and enhancements, including changes designed to help hosts prepare users for the minimum PHP version bump coming in WordPress 5.2 (read more here). The release also includes security fixes that handle how comments are filtered and then later stored in the underlying MySQL-database. With a specific crafted comment, a WordPress post was vulnerable to cross-site scripting attacks (XSS). WordPress versions 5.1 and before are all affected by these security bugs, and are fixed in version 5.1.1. Updated versions of WordPress 5.0 and earlier are also available for any users who have not updated to 5.1.[…]

The WordPress open-source content management system, CMS, will indicate warning in its backend admin panel whenever the site is being run on an out-of-date PHP version. The plan in place is to make the warnings display for sites making use of a PHP version preceding the 5.6.x branch (<=5.6). There will be an inclusion of a link within the warnings; the link will lead to a WordPress support page containing information that sites owners can follow to update the PHP version in their servers. However, if the owners of the sites are using tightly-controlled web hosting environments to run their WordPress portals, then the web host will be presented with the opportunity of altering this link with a custom URL[…]