WordPress Flaws and Vulnerabilities

WordPress has made some great strides in terms of security with the latest version releases. Despite all these efforts, flaws and vulnerabilities are always being discovered. It's important to keep an eye on them and make sure to install the proper security patches. Check out our articles regarding some flaws found on WordPress.


iThemes Security 5.3.6 Security Fix

April 25, 2016

Recently, around April 19th, 2016, iThemes Security was patched against a vulnerability discovered by our team: a lack of capability check, allowing any member with any role to perform an Administrator action.


BJ Lazy Load and TimThumb

September 2, 2015

BJ Lazy Load is a plugin that defers image loading, available for free on the official WordPress repository, and it uses TimThumb. On 1st September 2015, we did some research on lazy loading plugins and finally discovered that this plugin, BJ Lazy Load v 0.7.5, was using an outdated version of TimThumb, the famous script which is still responsible for […]


WP Rollback, a Too Permissive Plugin

June 28, 2015

On 26th June 2015, I discovered the plugin WP Rollback. This plugin allows you to install an older version of one of your plugins from the official repository. Since I wanted to use this plugin, I had to check its security. Remember that if I don’t do that, then I have to remember that installing a plugin is like include […]


Vulnerability in WooCommerce 2.3.10: Object Injection

June 11, 2015

Yesterday, 10th June 2015, WooCommerce was patched against a vulnerability called “Object Injection“. We have already seen this flaw in WordPress < 3.6.1, but here it comes with a very high risk level, unlike WP, for which it was almost a null risk. The risk does not depend on the fault itself, but on several criteria assessed and calculated […]
