Skip to main content

WordPress Common Issue Notes

 WordPress:


/wp-content/plugins/sfwd-lms/wpml-config.xml


/wp-content/plugins/omni-secure-files/plupload/examples/upload.php


/wp-content/plugins/contus-hd-flv-player/uploadVideo.php


wp-json/th/v1/user_generation


/wp-admin/admin-ajax.php?do_reset_wordpress=1



Wordpress xmlrpc.php -common vulnerabilites & how to exploit them


https://medium.com/@the.bilal.rizwan/wordpress-xmlrpc-php-common-vulnerabilites-how-to-exploit-them-d8d3c8600b32

Comments

Post a Comment

Popular posts from this blog

Electron JS Security Checklist

Electron Js Security Checklist Disable nodeIntegration for untrusted origins/Do-not Enable Node-Integration Risk  If enabled, nodeIntegration allows JavaScript to leverage Node.js primitives and modules. This could lead to full remote system compromise if you are rendering untrusted content. Auditing nodeIntegration and nodeIntegrationInWorker are boolean options that can be used to determine whether node integration is enabled.  Auditing For BrowserWindow, default is true. If the option is not present, or is set to true/1, nodeIntegration is enabled as in the following examples:  mainWindow = new BrowserWindow({ "webPreferences": { "nodeIntegration": true, “nodeIntegrationInWorker": 1 } });  Or simply:  mainWindow = new BrowserWindow() For webview tag, default is false.  When this attribute is present, the guest page in webview will have node integration: When sanbox is enabled (see below), nodeintegration is disabled. Please note ...
Post a Comment
Read more
Cross Site Request Forgery   Cross site Request forgery leverages trust a website has in the user(or at least the user’s browser) CSRF takes advantage of active session a browser has with the target site: The attack is possible due to predictable parameters on the sensitive transactions An example money transaction user case might have two predictable parameters : Dest account & and Amount CSRF is similar to XSS , but it doesn’t require that the attacker inject code into a web application. CSRF simply leverages the fact that web servers trust the authenticated users, and is possible to pass un-authorized commands from client to there sever without users knowledge.These commands are then executed on server with clients authenticated privileges. Walkthrough   —————— Attacker determines a link to initiate a transaction that uses predictable parameters Attacker posts the link on a site he controls : The site could even be a Facebook page or similar   Or attacker to force ...
Post a Comment
Read more