17 Feb: Another WordPress commercial plugin gets exploited

And yet another commercial WordPress plugin gets exploited in the wild: Wordfence security analysts identified attackers exploiting vulnerabilities in outdated versions of a commercial WordPress plugin since the end of January. In this case it is the fairly popular WP Cost Estimation & Payment Forms Builder plugin developed by Loopus…


16 Feb: First Drupal Security Update issued for 2019

Drupal is an open source Content Management System (CMS) which is free to download and use; it allows you to create and manage websites, intranets, and web applications without writing any code. It is widely used by global enterprises, governments, higher education institutions, and NGOs.


06 Feb: Exploit discovered in phpIPAM IP management software

phpIPAM is a popular open-source web-based IP address management (IPAM) application. Its goal is to provide light, modern and useful IP address management. It is a PHP-based application with a MySQL database backend, using jQuery, Ajax and HTML5/CSS3 features. A vulnerability in phpIPAM version 1.3.2 and earlier was found that…


03 Feb: Media File Manager plugin for WordPress exploited

An exploit was discovered in the Media File Manager plugin version 1.4.2 for WordPress. The vulnerability allows directory traversal and a remote cross-site scripting (XSS) attack via the dir parameter of the mrelocator_getdir function, reached through the file wp-admin/admin-ajax.php. A working exploit has been disclosed.
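To illustrate the pattern described above, here is an added example written for this page; it is not the Media File Manager plugin's code and does not reproduce the disclosed exploit. It shows a hypothetical WordPress AJAX handler that takes a "dir" request parameter and lists a directory, first in the unsafe form (an unvalidated path concatenation plus unescaped output, which is what makes directory traversal and reflected XSS possible), then in a confined form. The function names (example_getdir_vulnerable, example_getdir_hardened), the "example_getdir" action and nonce name, and the upload_files capability are assumptions chosen for the example; the WordPress API calls (wp_upload_dir, check_ajax_referer, current_user_can, wp_send_json_error, esc_html, wp_unslash, wp_die, add_action) are real.

```php
<?php
// Added example for this page; NOT the Media File Manager plugin's code.
// Assumed names: example_getdir_vulnerable, example_getdir_hardened,
// AJAX action "example_getdir", nonce action "example_getdir".

// --- Unsafe form -----------------------------------------------------------
// Whatever arrives in $_POST['dir'] is appended to the uploads directory, so
// a value such as "../../../../etc" walks out of the intended root. The raw
// value is also echoed back unescaped, which is where reflected XSS comes in.
function example_getdir_vulnerable() {
    $base = wp_upload_dir()['basedir'];
    $dir  = $base . '/' . $_POST['dir'];
    $out  = '<b>' . $_POST['dir'] . '</b><ul>';
    foreach ( scandir( $dir ) as $entry ) {
        $out .= '<li>' . $entry . '</li>';
    }
    echo $out . '</ul>';
    wp_die();
}

// --- Hardened form ---------------------------------------------------------
function example_getdir_hardened() {
    // Only users allowed to manage uploads, with a valid nonce, get this far.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_getdir', 'nonce' );

    $base      = realpath( wp_upload_dir()['basedir'] );
    $requested = isset( $_POST['dir'] ) ? wp_unslash( $_POST['dir'] ) : '';
    $target    = realpath( $base . '/' . $requested );

    // realpath() resolves "..", "./" and symlinks; the result must still be
    // $base itself or something below it. Comparing against $base plus a
    // separator stops "/uploads-evil" from passing a bare prefix check
    // against "/uploads".
    if ( false === $target
        || ( $target !== $base
             && 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) ) {
        wp_send_json_error( 'invalid directory', 400 );
    }

    // Escape everything that is reflected back into the HTML response.
    $out = '<b>' . esc_html( $requested ) . '</b><ul>';
    foreach ( scandir( $target ) as $entry ) {
        if ( '.' === $entry || '..' === $entry ) {
            continue;
        }
        $out .= '<li>' . esc_html( $entry ) . '</li>';
    }
    echo $out . '</ul>';
    wp_die();
}

// Registering only the wp_ajax_ hook (and not wp_ajax_nopriv_) keeps
// anonymous visitors away from admin-ajax.php?action=example_getdir entirely.
add_action( 'wp_ajax_example_getdir', 'example_getdir_hardened' );
```

The point of the hardened version is that confinement is checked on the resolved path, after realpath() has collapsed any ".." segments, rather than by filtering the input string; and that every value copied into the response passes through esc_html(). Whether a given plugin exposes its handler to unauthenticated users depends on which wp_ajax_ hook it registers, which the advisory text above does not state.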


30 Jan: WordPress Users Urged to Delete Total Donations Plugin

Total Donations is a commercial plugin that helps sites create donation campaigns and accept payments from their visitors, and it is currently used by many non-profit and political organizations that want to accept donations through a donation form. Attacks on the Total Donations plugin have been tracked over…


29 Jan: New Evolution skin for DirectAdmin

After two and a half long years of development, the long-awaited Evolution skin for the DirectAdmin control panel has finally reached Release Candidate (RC) status and is available in DirectAdmin for our hosting clients from today. Evolution sports a modern design and is built on AJAX. It has support…


24 Jan: WordPress plugin Spambyebye vulnerable

A cross-site scripting vulnerability was found in the WordPress plugin spam-byebye; all versions up to and including 2.2.1 are reported vulnerable. The attack can be launched remotely and allows the injection of arbitrary web scripts or HTML via unspecified vectors. This would alter the appearance and would…


23 Jan: PHP PEAR package manager and website compromised

Important: If you have downloaded the PHP PEAR package manager from its official website in the past 6 months, it is possible that your server has been compromised. PEAR, which stands for “PHP Extension and Application Repository,” is a community-driven framework and is the first package manager that was…