Reflected XSS in WordPress Plugin Admin Pages

The administrative dashboard in WordPress is a pretty safe place: only elevated users can access it. Exploiting a plugin’s admin panel would serve very little purpose here — an administrator already has the required permissions to do all of the actions a vulnerability could cause.

While this is usually true, there are a number of techniques bad actors are using to trick an administrator into performing actions they would not expect, such as Cross Site Request Forgery (CSRF) or Clickjacking attacks. By using these techniques, an attacker can exploit a vulnerability on the behalf of an…


Brandezk Launches Ecommerce Development on Shopify, Magento, and WordPress

NEW YORK, Sept. 07, 2020 (GLOBE NEWSWIRE) — Brandezk, a renowned web design agency, recently announced the introduction of E-commerce development services on its website. The company announced its development services for several platforms, including Shopify, Magento, WordPress, and also announced the development of 100% made-to-order E-commerce stores for clients having custom needs.

The company has specialized in providing mobile app development services for years. The recent shift in the company’s modus operandi, as stated by the managing director of the company, was made ‘in…


Millions of WordPress sites are being probed & attacked with recent plugin bug

Millions of WordPress sites have been probed and attacked this week, Defiant, the company behind the Wordfence web firewall, said on Friday.

The sudden spike in attacks happened after hackers discovered and started exploiting a zero-day vulnerability in “File Manager,” a popular WordPress plugin installed on more than 700,000 sites.

The zero-day was an unauthenticated file upload vulnerability[12] that allowed an attacker to upload malicious files on a site running an older version of the File Manager plugin.

It’s unclear how…


WordPress Support Team Seeks to Curb Support Requests for Commercial Plugins and Themes – WordPress Tavern

WordPress’ Support Team contributors are discussing how they can curb support requests for commercial products on the official WordPress.org forums. Users sometimes seek help for commercial product upgrades on the forums of the free version, not knowing that the moderators’ official policy is to refer them to the extension’s commercial support channel. In other instances, it is not immediately clear whether the issue is with the free version or a paid upgrade that the user has installed.

“This has come up a few times the past weeks, mostly in relation to plugins that…


Gutenberg 8.9 Brings Block-Based Widgets Out of the Experimental Stage – WordPress Tavern

On Wednesday, September 2, Gutenberg 8.9 launched with a set of new features, enhancements, and several bug fixes. The development team took the block-based widgets system out of its experimental stage, making it the default experience for all plugin users.

Block-based widgets have taken months upon months of work. The team has surpassed some of my expectations by essentially sticking a square peg into a square hole, granting the power of blocks to the sidebars/widgets system. On the whole, the system works. However, the team still has a lot of work to mold this feature into the…


Benefits of WordPress – Business 2 Community

So, you’re looking for a Content Management System (CMS) for your website? Well, you’re in luck because there are so many options to choose from. You’re probably thinking, how can I possibly choose which one to use when they’re all telling me why their CMS is the best choice? Begin by asking yourself the following questions:

  • What’s going to be the best option for my website?
  • Do I play the short game or do I look at the long term?
  • What about ease of use?
  • Will I be able to make changes myself or am I going to have to hire to get everything done?
  • Will I be able to create my website…


WordPress Gets a Name, Joomla Is Feature-Complete & More Open Source CMS News


WordPress announced that the new version of its CMS, WordPress 5.5 will now be called Eckstine in honor of Billy Eckstine, one of the most renowned jazz singers in the US. The update aims at improving the CMS in three areas: speed, security and search. 

Among its features, WordPress 5.5 now makes faster page loading possible thanks to a concept known as “lazy loading.” At the same time, the new version also helps the overall website SEO by including an improved XML sitemap that enables search engines to discover websites quicker. Also, with 5.5, users can now set…


WordPress Plugin Authors Should Avoid Confusing Users When Naming Blocks – WordPress Tavern

On May 4, the StudioPress development team made a small but significant user-facing change to its Atomic Blocks plugin (now rebranded to Genesis Blocks). It removed the “AB” branding from its block titles. This minor update changed block titles such as AB Accordion and AB Button to Accordion and Button, respectively. On the surface, this change probably seemed of little consequence to the developers on the project. However, for at least one user, it created a massive workload.

Unless users religiously followed the GitHub code commits, they would have missed this update. Stacked…


Critical Vulnerability in File Manager Plugin Affecting 700k WordPress Websites

Security Risk: High

Exploitation Level: Easy

DREAD Score: 9.8

Vulnerability: File upload

Patched Version: 6.9

Yesterday, the WordPress plugin File Manager was updated, fixing a critical vulnerability allowing any website visitor to gain complete access to the website.

Users of our WAF were never vulnerable to this exploit. The Sucuri firewall blocks malicious payloads by default using our generic exploitation rules.

Technical Details

The vulnerability originated from the remains of a development environment on version 6.4 nearly 4 months ago, where a file was renamed to test certain features. The…
