Security Advisory

Vulnerability & Patch Roundup — June 2022

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this

[ Read More ]

Critical RCE Vulnerability in Elementor WordPress Plugin

Security Risk: High Exploitation Level: Easy CVSS Score: 9.9 Vulnerability: Remote code execution (RCE) Patched Version: 3.6.3 On April 12th, an important security update was released for the Elementor plugin patching a critical remote code vulnerability which allows all authenticated users, including subscribers, to upload and execute arbitrary PHP code on a vulnerable website. This

[ Read More ]

Adobe Patches Critical RCE Vulnerability in Magento2

On Sunday, February 13th, Adobe pushed an emergency update to their Magento2 ecommerce software patching a critical unauthenticated remote code execution vulnerability. It is marked as CVE-2022-24086 with a CVSS score of 9.8. Website administrators of Magento stores should patch immediately. Shop owners of Magento 2.3 or 2.4 stores can find the patch to install

[ Read More ]

AccessPress Themes Hit With Targeted Supply Chain Attack

Security researchers at Automattic recently reported that the popular WordPress plugin and theme authors AccessPress were compromised and their software replaced with backdoored versions. The compromise appears to have taken place in September of last year and was only recently made public. Users who used software obtained directly from the AccessPress website unknowingly provided attackers

[ Read More ]

WordPress 5.8.3 Security Release

On January 6th, Automattic released an important security update for the WordPress core which addresses four separate vulnerabilities. WordPress website administrators are advised to update their websites immediately. All WordPress versions between 3.7 and 5.8 are affected by this, and the security issues include SQL injection, stored XSS and object injection, which we will review

[ Read More ]

Log4j Vulnerability: The Perfect Holiday Present that Nobody Wants

A critical server security vulnerability in the Java logging library Log4j is taking the internet by storm because code to actively exploit this vulnerability is already widely distributed across the web. Originally found on the popular game Minecraft, it has since been shown to affect most web servers running Apache along with its ubiquitous logging

[ Read More ]

Adobe Patches Critical Magento Vulnerabilities in Recent Update

Adobe has recently released several critical security patches for both their open source and commercial versions of their ecommerce platform. There are a total of 18 security vulnerabilities patched according to Adobe, although they list only 16 specific issues in the patch notes. Eleven of these issues are considered critical and five considered important, ranked

[ Read More ]

PHP Repository Exploited by Hackers

The official PHP git repository, http://git.php.net/, was compromised this Sunday, March 28. An attacker was able to modify the PHP source code twice and inject a backdoor into it. Thankfully, both attempts were quickly detected and removed by the PHP team. Per a statement released in PHP’s internal mailing list, the current investigation believes the

[ Read More ]

How Do Websites Get Hacked?

As much as the web has grown, surprisingly not a lot has changed in how websites get hacked. The most important thing you can do in keeping the web – and your own sites and visitors – safe is to understand these unchanging truths and hold them close to heart. Consider the Scale of Hacked

[ Read More ]

UCEPROTECT: When RBLs Go Bad

Realtime Blackhole Lists (RBLs) can be a great tool in your security arsenal. You may not know you’re using them, but all email providers and company email servers leverage these services to verify whether servers and IP addresses are sending spam or other abusive content against a known list of offenders. These services use a

[ Read More ]