Author: Dmitrii I

During the testing of the plugin, an RCE (Remote Code Execution) vulnerability was identified, which allows the operating system to execute commands and fully compromise the server on behalf of a user with Author-level privileges. This vulnerability is considered highly critical and poses a significant threat. It stems from the fact that the action=upload_file mechanism checks for files with a .php extension but fails to detect files with .phar or .phtml extensions. This oversight opens the door for an attacker to upload and execute malicious files with .phar or .phtml

During a comprehensive assessment of the Quttera Web Malware Scanner plugin, a significant vulnerability was identified. This flaw allows unauthorized access to detailed scan logs, revealing sensitive information such as local paths and portions of code. The discovery was made through a systematic examination of the plugin’s functionalities.

During routine security testing of the Quttera Web Malware Scanner plugin, a critical vulnerability known as Path Traversal was identified. This flaw permits the unauthorized retrieval of files from locations outside the designated WordPress directory. The issue was discovered through a meticulous examination of the plugin’s functionalities.

During rigorous testing, a critical vulnerability, CVE-2023-5907, was unearthed in the File Manager plugin, version 6.3 and below. This vulnerability exposes a flaw in the plugin’s logic, allowing an unauthorized user to manipulate the root folder, thereby enabling Arbitrary OS File/Folder Access and Path Traversal.

In the process of rigorous testing, a critical vulnerability was unearthed in the Frontend File Manager Plugin, up to version affected, tagged with CVE-2023-5105. This vulnerability opens a path traversal avenue, allowing an attacker to download operating system files, including sensitive ones like wp-config.php. The severity lies in the potential compromise of the entire domain, especially alarming as this can be exploited by a user with Editor privileges.

During the security assessment of the Mmm Simple File List plugin, a critical vulnerability was unearthed in versions up to 2.3. This vulnerability allowed an attacker to bypass the plugin’s directory restrictions, potentially accessing and listing files outside the WordPress root directory. This issue could be exploited by a user with Subscriber privileges.

Age restrictions are a common requirement in various online scenarios, from viewing movie trailers to accessing adult-themed content. Managing age-restricted content on your website is a delicate task, and the “Age Gate” plugin, now at version 3.7.0, offers a solution that not only ensures compliance but also prioritizes security. In this article, we delve into the importance of this plugin, focusing on its security features and its recognition through the “Plugin Security Certification” (PSC).

In the world of WordPress plugins, security isn’t just a matter of protecting against vulnerabilities but also ensuring the smooth operation of your site. The “Wp Maximum Upload File Size” plugin, now at version 1.1.1, is dedicated to enhancing your site’s file upload capabilities without compromising security. In this article, we explore the significance of this plugin, how it addresses upload file size and execution time limitations securely, and its achievement of the “Plugin Security Certification” (PSC).

During a security assessment of the Neon Text WordPress plugin, a critical vulnerability was identified in versions up to 1.1. This plugin, which is designed for adding neon text effects to posts, allowed for a Stored Cross-Site Scripting (XSS) attack via the use of shortcodes. This vulnerability was discovered through rigorous testing and analysis.

The vulnerability, designated as CVE-2023-4799, was unearthed during an evaluation of the “Magic Embeds” plugin for WordPress. The plugin allows users to seamlessly embed a variety of media content into their posts or pages, enhancing the visual appeal and interactivity of their websites.