SQL Injection Vulnerability in NextGEN Gallery for WordPress

A WordPress NextGEN Gallery plugin installed on over one million sites has just fixed a severe SQL injection vulnerability that can allow attackers to steal data from a website’s database. Technical Details Vulnerability can be exploited by attackers in at least two different scenarios: First scenario The first attack scenario can happen if a WordPress … Read more

RCE Attempts Against the Latest WordPress API Vulnerability

We are see remote command execution (RCE) attempts trying to exploit the latest WordPress API Vulnerability. The attackers trying to exploit sites that have plugins like the Insert PHP, Exec-PHP and similar installed plugins. These plugins, allow users to insert PHP code directly into the posts as a way to make customizations easier. Coupled with … Read more

Content Injection Vulnerability in WordPress 4.7.x API

A new dangerous content injection vulnerability has been discovered in the WordPress CMS, it is a zero-day content injection flaw in the WordPress REST API. A fix for this was silently included on version 4.7.2 along with other less severe issues. Introduction This privilege escalation vulnerability affects the WordPress REST API that was recently added … Read more

php fwrite base64 decode

An attacker trying hide malware, before it’s uploaded, fwrite to server and executed. This attacks type uses Cross-Site Request Forgery & Remote Content Execution vulnerability together (CSRF & RCE vulnerability) It’s also base64 encoded content, so it’s more difficult find with scanners. Example – fwrite & base64_encoded malware base64_decode malware When malware uploaded to server … Read more

gzpdecode.php

WordPress Vulnerability in Cherry Plugin – Arbitrary File Upload The Vulnerability allow an attacker to upload all types of files without administrator login. /wp-content/plugins/cherry-plugin/admin/import-export/upload.php This is fixed latest version of Cherry Plugin, but all customers won’t update their website and files. Interesting comes heres, botnetwork search this old vulnerability and if found they upload malware … Read more

yiw_contact sendemail file upload vulnerability

Looking better POST payload, header looks normal request: In the below HTTP Post, there were 2 parameters that started with yiw. This indicates that the attacker is likely trying to explpoit the Beauty & Clean Theme File Upload WordPress Vulnerability which is literally as simple as posting your backdoor file to the contact field via … Read more

work1.php

This is old Arbitrary File Upload Vulnerability in Cherry Plugin (Worpdress). Malware tries patch .htaccess files and add own redirect that file. When a user access website with correct browser, then redirect activates and redirect user to another page. Last malware unlink (removes) itself. Full sourcecode

Joomla – Account Creation & Elevated Privileges

Introduction Joomla published version 3.6.4, an update to patch security issues: – [CVE-2016-8870] – Core – Account Creation (High Priority): attackers can exploit this vulnerability to create any account in a Joomla system regardless of whether its registration has been disabled. (affecting Joomla! 3.4.4 through 3.6.3) – [CVE-2016-8869] – Core – Elevated Privileges (High Priority): … Read more

Modules Simple Spotlight Upload

Simple spotlight is a jQuery image rotator with navigation. You can have up to 20 images with links. You can turn off the navigation and choose between 27 effects for transition. It also has 5 button styles and a shadow effect. (Read More) Description Uploaded files represent a significant risk to applications. The first step … Read more

Bot Network Scanners Activated

During analysis of our logs we noticed that an automated attack against PHP is going on, using a vulnerability in PHP. Attacker is trying to make use of CVE-2012-1823, this only applies if your PHP is used in CGI mode (mod_php is not vulnerable to this). POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E Decoding the URL gives: Using -d parameter … Read more