Get started today. Now with 10-16% off!

Get started

Security Blog

Cross-Site Scripting Vulnerability in Download Manager Plugin <= 3.2.42

Jun 7, 2022 |

Download Manager is a file and document management plugin to help manage and control file downloads with various file download controls to restrict unauthorized file access. The plugin also provides a complete solution to sell digital products from WordPress sites, including checkout functionality to complete an order. One feature of the plugin is the ability to use a shortcode to embed files and other assets in a page or post. This function was found to be vulnerable to reflected Cross-Site Scripting. Without proper sanitization and escaping in place on user-supplied inputs, JavaScript can...

read more

WordPress 5.9.2 Security Update Fixes XSS and Prototype Pollution Vulnerabilities

Mar 10, 2022 |

On March 10, 2022, the WordPress core team released WordPress version 5.9.2, which contains security patches for a high-severity vulnerability as well as two medium-severity issues. The high-severity issue affects version 5.9.0 and 5.9.1 and allows contributor-level users and above to insert malicious JavaScript into WordPress posts. Because this is a security release, it is recommended that you update your sites immediately. Note, that in order to avoid web site crashes and to assure timely security updates it is best to use our WordPress Maintenance Service. WordPress < 5.9.2 -...

read more

Unauthenticated SQL Injection Vulnerability Patched in WordPress Statistics Plugin <= 13.1.5

Feb 7, 2022 |

On February 7, 2022, Security Researcher Cyku Hong from DEVCORE reported a vulnerability to us that they discovered in WP Statistics, a WordPress plugin installed on over 600,000 sites. This vulnerability made it possible for unauthenticated attackers to execute arbitrary SQL queries by appending them to an existing SQL query and affected versions are <= 13.1.4. This could be used to extract sensitive information like password hashes and secret keys from the database. Later on a new vulnerability has been discovered by Muhammad Zeeshan for versions <= 13.1.5 (including the patched...

read more

What Is Prototype Pollution

Jan 10, 2022 |

Prototype Pollution Bugs Prototype Pollution is a vulnerability that allows attackers to exploit the rules of the JavaScript programming language, by injecting properties into existing JavaScript language construct prototypes, such as Objects to compromise applications in various ways. JavaScript allows all Object attributes to be altered. This includes their magical attributes such as __proto__, constructor and prototype. An attacker is able to manipulate these attributes to overwrite, or pollute a JavaScript application object prototype of the base object, by injecting other values....

read more

What Is Remote Code Execution

Nov 18, 2021 |

Improper Control of Generation of Code ("Code Injection") The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. When software allows a user's input to contain code syntax, it might be possible for an attacker to craft the code in such a way that it will alter the intended control flow of the software. Such an alteration could lead to arbitrary code execution. Injection problems encompass a...

read more

What Is Improper Input Validation

Aug 18, 2021 |

Improper Input Validation Bugs The software receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Input validation is a frequently-used technique for checking potentially dangerous inputs in order to ensure that the inputs are safe for processing within the code, or when communicating with other components. When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will lead to parts...

read more

What Is Cross-site Scripting (XSS)

Jul 12, 2021 |

Improper Neutralization of Input During Web Page Generation The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Cross-site scripting (XSS) vulnerabilities occur in specific conditions Untrusted data enters a web application, typically from a web request. The web application dynamically generates a web page that contains this untrusted data. During page generation, the application does not prevent the data from containing content that is executable by a web browser, such as...

read more

What Is SQL Injection (SQLi)

May 24, 2021 |

Improper Neutralization of Special Elements used in an SQL Command The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. This can be used to alter query logic to bypass security checks, or to...

read more

Standard Plan

$6999USD/m NOW $58/m89/m
billed yearly or $99 $89 month-by-monthmonthly and $149 set-up fee

WordPress Maintenance and Security Updates

We will update your WordPress core, plugins and themes constantly plus you will get 20 more security features.

Save $360/yearly (30%)
and avoid $149 set-up fee!
Save additional 1610% NOW!

Pay $699 yearly ($58/month)Pay $238 now, $89 monthly afterwards

Sign Up Now

Available for websites with themes and plugins from WordPress.org repository only.

Check Our Plans

Sign up for the security newsletter

Terms and Conditions - Privacy Policy