Trojan Spyware and BEC Attacks

http://feedproxy.google.com/~r/sucuri/blog/~3/7CWjK9uypZA/trojan-spyware-and-bec-attacks.html

When it comes to an organization’s security, business email compromise (BEC) attacks are a big problem. One primary reason the impacts are so significant is that attacks often use a human victim to authorize a fraudulent transaction, bypassing the existing security controls that would normally prevent fraud. Another reason is that social engineering lures may be expertly crafted by the attacker after they have been monitoring a victim’s activity for some time, resulting in more effective phishing campaigns with serious security implications.

The Month in WordPress: February 2021

https://wordpress.org/news/2021/03/the-month-in-wordpress-february-2021/

You don’t have to be rich to have an online presence. You don’t have to find loopholes in proprietary platforms and hope that they never change their terms of service. You own all of the content that you create on a WordPress site and have the liberty to move it to a new host if you need to, or switch your theme if it fits your mood. That was Josepha Haden Chomphosy on the WordPress is Free(dom) episode of the WP Briefing Podcast, speaking about the four freedoms of open-source software. Those four freedoms are core to how WordPress is developed. […]

WordPress Vulnerability Roundup: March 2021, Part 1

https://ithemes.com/wordpress-vulnerability-roundup-march-2021-part-1/

New WordPress plugin and theme vulnerabilities were disclosed during the first week of March. This post covers the recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website. The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. The severity ratings are based on the Common Vulnerability Scoring System. In the March, Part 1 Report: WordPress Core Vulnerabilities: No new WordPress core vulnerabilities have been disclosed this month. WordPress Plugin Vulnerabilities: […]

Medium Severity Vulnerability Patched in User Profile Picture Plugin

https://www.wordfence.com/blog/2021/03/medium-severity-vulnerability-patched-in-user-profile-picture-plugin/

On February 15, 2021, our Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in User Profile Picture, a WordPress plugin installed on over 60,000 sites. The vulnerability made it possible for authenticated users with the upload_files capability to obtain sensitive user information. We initially reached out to Cozmoslabs, the plugin’s vendor, on February 15, 2021 through their contact form. On February 17, 2021 Cozmoslabs confirmed the inbox for handling discussion and we sent over the full disclosure details. Just a day later we received a response from the plugin’s original developer along with a […]

WordPress 5.7 Release Candidate 2

https://wordpress.org/news/2021/03/wordpress-5-7-release-candidate-2/

The second release candidate for WordPress 5.7 is now available! You can test the WordPress 5.7 release candidate in two ways: try the WordPress Beta Tester plugin (choose the “Bleeding edge” channel and “Beta/RC Only” stream options), or download the release candidate here (zip). Thank you to all of the contributors who tested the Beta/RC releases and gave feedback. Testing for bugs is a critical part of polishing every release and a great way to contribute to WordPress. Plugin and Theme Developers: Please test your plugins and themes against WordPress 5.7 and update the “Tested up to” version in the readme file to 5.7. If you […]

WordPress Plugin: Disable WP Robots

https://perishablepress.com/wordpress-disable-wp-robots/

WordPress 5.7 features a new Robots API that provides filter-based control over the robots meta tag. So if your site is running WordPress 5.7 or better, you will notice a new <meta> tag included in the <head> section of your web pages. By default, the meta tag added by WordPress has a value of max-image-preview:large, which is fine IF it is the only robots meta tag on the page. If your site already has its own meta robots tag, then there will be duplicate tags, which is dubious at best. Ideally for optimal SEO, you want only ONE robots meta […]

Episode 106: Admin Password Resets, Blockchain Botnets and a Central Management RCE

https://www.wordfence.com/blog/2021/02/episode-106-admin-password-resets-blockchain-botnets-and-a-central-management-rce/

WordPress 5.7 is due to be released on March 9, and it will allow administrators to send password reset emails to users. A botnet is abusing the Bitcoin blockchain for command and control, while VMware fixes a critical remote code execution bug in all default vCenter installations. Android users now have an easy way to check password security. We talk about the ramifications of vulnerability disclosures and how last year’s File Manager vulnerability did not have long-lasting effects on the plugin’s installation base or growth. We also discuss how investor data breach fatigue has reduced the stock price impact of […]

SQL Triggers in Website Backdoors

http://feedproxy.google.com/~r/sucuri/blog/~3/YO_WM-0196E/sql-triggers-in-website-backdoors.html

Over the past year, there’s been an increasing trend of WordPress malware using SQL triggers to hide malicious SQL queries within compromised databases. These queries inject an admin-level user into the infected database whenever the trigger condition is met. What makes this especially problematic for website owners is that most malware cleanup guides focus on the website files and data within specific database tables, for example wp_users, wp_options, and wp_posts.

Did You Know About Reusable Blocks?

https://wordpress.org/news/2021/02/gutenberg-tutorial-reusable-blocks/

Created by Joen Asmussen, @joen. The WordPress block editor (a.k.a. Gutenberg) comes with a feature called “reusable blocks.” They are blocks, saved for later, edited in one place. Have you ever wanted to: re-use the same snippet of text across posts and pages? Save complex layouts to spare you having to copy/paste from one post to another? Reusable blocks can do these things. Like templates, you mean? Not quite. Think of reusable blocks as snippets of globally synchronized content that are personal to you. You can edit all your reusable blocks in one place, and any post or page you […]

WordPress Maintenance Release — 5.6.2

https://pagely.com/blog/wordpress-maintenance-release-5-6-2/

Pagely customers were spared issues from bugs introduced in the 5.6.1 release. All our customers without version hold are being upgraded over the next two days; the vast majority are […]