Marc Montpas (@marcs0h)'s Twitter Profile
Marc Montpas

@marcs0h

Software Entomologist focusing on dangerous species.

ID: 2510636469

Website: https://montpas.me/
Joined: 26-04-2014 14:59:14

702 Tweets

1,1K Followers

896 Following

Marc Montpas (@marcs0h):

A thought for all those Object Injection flaws marked as "potentially" exploitable over the past few years. Life truly is a CTF. #wordpress #security

Lexfo (@lexfosecurite):

#phpggc: Our pentester Raphaël Dray just implemented a Gadget Chain for #Wordpress core, as per the article from WPScan - WordPress Security wpscan.com/blog/finding-a… github.com/ambionics/phpg…

WPScan - WordPress Security (@_wpscan_):

Our researchers found a serious SQL Injection vulnerability in the WP Fastest Cache plugin. It was fixed in the recent 1.2.2 update. Make sure to update now! wpscan.com/blog/unauthent… #wordpress #security

Fenrisk (@fenrisksec):

Expecting to struggle finding a gadget chain in WordPress Core during an assessment when devs suddenly decided to make it easy: fenrisk.com/publications/b…

Charles Fol (@cfreal_):

CVE-2023-49103: this analysis by GreyNoise is erroneous. The exploit WORKS with default configuration, even on docker installs. Please patch.

Ambionics Security (@ambionics):

Learn about the two @Owncloud vulnerabilities CVE-2023-49103 and CVE-2023-49105 in our new blogpost: ambionics.io/blog/owncloud-…

WPScan - WordPress Security (@_wpscan_):

Our researchers found a Pre-Auth Stored XSS vulnerability in the Popup Builder plugin (200k+ active installs). It was fixed in the recent 4.2.3 update. Make sure to update now! #wordpress #security wpscan.com/blog/stored-xs…

WPScan - WordPress Security (@_wpscan_):

Our researchers found a Pre-Auth Stored XSS vulnerability in the WP Go Maps plugin (formerly known as WP Google Maps, 400k+ active installs). It was fixed in the recent 9.0.28 update. Make sure to update now! #wordpress #security wpscan.com/blog/stored-xs…

Fio Cavallari 🍻👾🪓 (@fiocavallari):

Automattic is expanding the Jetpack and WPScan Security Research team, if you like to break PHP code and investigate malware fill out the interest form here: lnkd.in/dhFFArc9 #hiring #wordpress #securityresearch #remotejobs

Denis (@unmaskparasites):

Balada Injector: analysis of the initial and secondary infections. Domains: *.specialcraftbox[.]com and *.greenfastline[.]com (more in the post) Vulnerable plugin: Popup Builder. Thanks @marcs0h for the help with understanding the vuln

Sonar Research (@sonar_research):

🔥Multiple XSS vulnerabilities in popular CMS Joomla! (CVE-2024-21726) 🔥 PHP bug could be used to bypass sanitization - We just disclosed the technical details behind the recent Joomla vulnerability: sonarsource.com/blog/joomla-mu…

Charles Fol (@cfreal_):

The first part of the blog series: #Iconv, set the charset to RCE. We'll use #PHP filters and #CVE-2024-2961 to get a very stable code execution exploit from a file read primitive. #cnext

WPScan - WordPress Security (@_wpscan_):

Our researchers found a Pre-Auth Object Injection vulnerability in the SEOPress plugin (300k+ active installs). It was fixed in the recent 7.9 update. Make sure to update now! #wordpress #security wpscan.com/blog/object-in…

Marc Montpas (@marcs0h):

MOTD: Reinventing the wheel only works if it's circle-shaped. (Love uncovering relatively uncommon antipatterns like this.) #wordpress #security

Oliver Sild (@oliversild):

It's so cool to see so many people participate in our #WCUS WordPress CTF. Marc Montpas from Jetpack is currently leading the competition! 😎 You can see the live scoreboard here: ctf.patchstack.com/scoreboard

Trail of Bits (@trailofbits):

Probably not. Prompting an LLM with natural language is inherently lossy and ambiguous. Up to this point, programming has always been deterministic: your code does what you say it should do; otherwise, it's a bug. Coding agents break that contract. blog.trailofbits.com/2025/12/19/can…