Creative Phishing for Digital Gold on RuneScape

RuneScape is an extremely popular massively multiplayer online game. With over 200 million generated accounts, its claim to fame is that it’s one of the largest free MMORPGs ever created. At the time of writing, 1 million in-game gold pieces is valued at around $0.60 USD on the black ...
Why Hackers Create Phishing Campaigns

Phishing is a malicious attempt to obtain personally identifiable information of a victim. The first thing to keep in mind about phishing is the goal of the attackers. In the first post of this series, we explained how to recognize a phishing campaign. Today, we will focus on the ...
How to Recognize a Phishing Campaign

Phishing attacks and campaigns have always been a hot topic in online security. With many posts tagged as “phishing” on our blog — the first one being over nine years old now — we’ve seen our fair share of phishing attempts. In this post, we’ll cover the signs of a ...
WordPress Plugin WP Statistics: Unauthenticated Stored XSS Under Certain Configurations

The WordPress plugin WP Statistics, which has an active installation base of 500k users, has an unauthenticated stored XSS vulnerability on versions prior to 12.6.7. This vulnerability can only be exploited under certain configurations—the default settings are not vulnerable. Timeline 2019/06/26 – Initial contact to the developer. 2019/06/27 – Response ...
Slimstat: Stored XSS from Visitors

The WordPress Slimstat plugin, which currently has over 100k installs, gathers analytics data for your WordPress website. It tracks certain information such as browser and operating system details, plus page visits, to optimize the website analytics. Versions below 4.8.1 are affected by an unauthenticated ...
WordPress Plugin Give – Stored XSS for Donors

Give is a WordPress plugin which allows users to set up a donation page on a website. It currently has 60k installs. During a recent audit of the plugin, we found a severe vulnerability which allows donors to inject arbitrary code on an administrative page. If you are using a version ...
Multiple Vulnerabilities in the WordPress Ultimate Member Plugin

The Ultimate Member plugin, versions 2.0.45 and lower, is affected by multiple vulnerabilities, among them a critical vulnerability allowing malicious users to read and delete your wp-config.php file, which can lead to a complete website takeover. All of our clients behind our website firewall are already protected, and are ...