Category Archives: Wordpress

Persistent XSS 0day in WordPress

There's a new vulnerability in WordPress.
The vulnerability was discovered by Jouko Pynnönen of Klikki Oy.
The WordPress team has released an update to fix it.
Update your WordPress immediately!


Who’s affected

If your WordPress site allows users to post comments via the WordPress commenting system, you're at risk. An attacker could leverage a bug in the way comments are stored in the site's database to insert malicious scripts into your site, potentially allowing them to infect your visitors with malware, inject SEO spam, or even insert a backdoor into the site's code if the script runs in a logged-in administrator's browser.



XSS Vulnerability Affecting Multiple WordPress Plugins

*Virtually* everyone is vulnerable!
Back up your WordPress installation and update your plugins, and possibly even your themes, now!
Multiple WordPress plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions that developers use to add and modify query strings in URLs within WordPress.
The official WordPress documentation (Codex) for these functions was not very clear and misled many plugin developers into using them in an insecure way. The developers assumed that these functions would escape the user input for them, when they do not. This simple detail caused many of the most popular plugins to be vulnerable to XSS.
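The pattern behind these bugs, as an added example that is not code from the original post or from any of the plugins named: the return value of add_query_arg() is dropped into an href unescaped in one function and wrapped in esc_url() in the other. The simplified stand-ins for add_query_arg() and esc_url() are assumptions that let the script run without WordPress loaded; the request URI is constructed and the marker it carries is inert.

```php
<?php
// Added example (not code from the original post). When WordPress is not
// loaded, simplified stand-ins for add_query_arg() and esc_url() are defined
// so the script runs on its own: `php add_query_arg_demo.php`.
if (!function_exists('add_query_arg')) {
    // Stand-in: like the real function, it rebuilds the link from the current
    // $_SERVER['REQUEST_URI'] when no $url is given and does NOT escape it.
    function add_query_arg(string $key, string $value, $url = false): string {
        $uri   = $url === false ? $_SERVER['REQUEST_URI'] : $url;
        $parts = explode('?', $uri, 2);
        parse_str($parts[1] ?? '', $args);
        $args[$key] = $value;
        $pairs = [];
        foreach ($args as $k => $v) {
            $pairs[] = "$k=$v";
        }
        return $parts[0] . '?' . implode('&', $pairs);
    }
}
if (!function_exists('esc_url')) {
    // Stand-in: drop characters esc_url() never lets through, then encode the
    // rest for an HTML attribute, so the result cannot break out of href="".
    function esc_url(string $url): string {
        $clean = preg_replace('|[^a-z0-9\-~+_.?#=!&;,/:%@$*\'()\[\]]|i', '', $url);
        return htmlspecialchars($clean, ENT_QUOTES, 'UTF-8');
    }
}

// The insecure pattern the advisory describes: the unescaped return value is
// printed straight into markup, so whatever was in the request URI is too.
function vulnerable_link(): string {
    return '<a href="' . add_query_arg('orderby', 'date') . '">Sort</a>';
}

// The fix: escape for the output context. esc_url() for href/src,
// esc_attr() for other attributes, esc_html() for text nodes.
function hardened_link(): string {
    return '<a href="' . esc_url(add_query_arg('orderby', 'date')) . '">Sort</a>';
}

// Constructed request URI (not a real site): a visitor-controlled path segment
// containing a quote and angle brackets, as a plugin admin page receives it.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php/"><i>marker</i>?page=demo';

echo "vulnerable: " . vulnerable_link() . PHP_EOL; // quote and tags survive
echo "hardened:   " . hardened_link() . PHP_EOL;   // they are stripped/encoded
```

The same rule applies to remove_query_arg(): its return value is a URL fragment built from the request, not a safe string, and must be escaped where it is output.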
Some affected plugins:
  • Jetpack
  • WordPress SEO
  • Google Analytics by Yoast
  • All In One SEO
  • Gravity Forms
  • Multiple Plugins from Easy Digital Downloads
  • UpdraftPlus
  • WP-E-Commerce
  • WPTouch
  • Download Monitor
  • Related Posts for WordPress
  • My Calendar
  • P3 Profiler
  • Give
  • Multiple iThemes products including Builder and Exchange
  • Broken-Link-Checker
  • Ninja Forms

You MUST update these plugins, since they were patched this morning!

Read more on …s-plugins.html


WP-Super-Cache security vulnerability

Since a lot of people are using WP-Super-Cache, we would like to advise our clients that a vulnerability in WP-Super-Cache was recently discovered.

WP Super Cache, a WordPress plugin, contains a persistent XSS vulnerability in versions prior to 1.4.4. Exploitation of this vulnerability could allow a remote attacker to take control of the affected system.

Users and administrators are encouraged to review the WP Super Cache Changelog for more information and update to version 1.4.4 if affected.



Security Risk: Dangerous
Exploitation level: Very Easy/Remote
DREAD Score: 8/10
Vulnerability: Persistent XSS
Patched Version: 1.4.4



Unrecommended WordPress plugins

WordPress is the most widely used CMS for blogging and other purposes.
It has a practically infinite number of plugins, developed with love, but some of them can hurt your website's performance, SEO, security, etc.

Stats Plugins

These plugins generate a huge amount of reading and writing on the database.
They have a negative impact on your website's performance and also affect your SEO.

  • jr-referrer
  • referrer-wp
  • statpress
  • wp-postviews
  • wp-slimstat

You can use any service that records and stores your stats off site.

Like the stats plugins, these plugins generate a huge amount of reading and writing on the database; in addition, they usually use inefficient queries, poor caching, or scale poorly on large sites.

  • contextual-related-posts
  • fuzzy-seo-booster
  • seo-alrp
  • similar-posts
  • yet-another-featured-posts-plugin
  • yet-another-related-posts-plugin

Any service that handles the relationship logic off-site like


These plugins have associated security issues.

General Performance

These plugins don't perform well, especially on large sites.

  • broken-link-checker
  • google-sitemap-generator
  • adsense-click-fraud-monitoring
    • This can cause performance issues. There are no recommended alternatives at this time.

Important security breach on WordPress and Drupal

A security researcher from’s product security team, Nir Goldshlager (Twitter, blog), has discovered an XML vulnerability that impacts the popular website platforms WordPress and Drupal.

We strongly encourage you to update your WordPress installations immediately.
