state of security in the WordPress ecosystem
06.07.2022A few weeks ago, I did some small security audits of WordPress plugins and the result is not great.
you shall pass - secret login URL leaked by WordPress-Plugin
11.12.2021It only needs some creativity to bypass the security measures of a WordPress plugin, that tries to hide your login URL.
millions of WordPress websites publicly exposed
16.07.2021Every day attackers are scanning the internet for vulnerable WordPress websites and we can often see corresponding probing requests on most websites, even if they do not use WordPress.
target="_blank" considered harmful
30.08.2020Often links can be abused to take control of pages. This is a problem that is known for a very long time but it seems many developers are not aware of this or forgot about this.
don't blindly trust FILTER_VALIDATE_URL
25.05.2020Valid URLs can use a wide range of different protocols. This requires strict validation of user supplied URLs combined with correct checks. Too lax or wrong checks can quickly lead to vulnerabilities.
binary planting and arbitrary file (over)write vulnerabilities in npm, pnpm and yarn
12.12.2019npm, pnpm and yarn were vulnerable to binary planting and arbitrary file (over)write through the bin field in package.json.
post mortem: hacked WordPress with a cryptominer (2018)
15.06.2019This is a post mortem report of a hacked WordPress instance with a cryptominer in 2018 which was handled by me.
post mortem: spam attack (2018)
09.06.2019This is a post mortem report of a contact form spam attack in 2018 which was handled by me.