WordPress 4.2 Stored XSS

Earlier this week WordPress 4.1.3 was released. It fixed an XSS vulnerability discovered by a former student of mine. This week a new one – present even in the newest WordPress versions, including 4.2 – was uncovered. Current versions of WordPress are vulnerable to a stored XSS: an unauthenticated attacker can inject JavaScript into WordPress comments. If triggered […]

Migrating your WordPress website from HTTP to HTTPS

In light of #https2015 I flipped the switch on bram.us earlier today: from today forth bram.us is only accessible over HTTPS. If you run a news site, or any site at all, we’d like to issue a friendly challenge to you. Make a commitment to have your site fully on HTTPS by the end of […]

WordPress < 3.6.1 PHP Object Injection

WordPress 3.6.1 fixes a PHP Object Injection vulnerability found by one of my former students. He also wrote an extensive writeup about it. Let’s recap: maybe_serialize('i:1;<funkycharacterhere>') is inserted into the database. As WordPress does not see this as a serialized string (because it doesn’t end in ; or }), it is stored as-is, and this will result in i:1;. […]
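To make the trailing-character rule in the excerpt concrete, here is an added PHP example that is not code from the original post, from the writeup, or from WordPress itself. It re-implements a trimmed-down version of WordPress’s is_serialized()/maybe_serialize()/maybe_unserialize() logic and models the storage step with a hypothetical function that cuts the value at its first non-ASCII byte; the truncating store, the `_simplified` function names and the constructed payloads are assumptions made here, chosen so that the stored value ends up as i:1; as the excerpt describes.

```php
<?php
// Added example, not code from the original post or from WordPress itself.
// Simplified re-implementation of the is_serialized() rule: serialized data
// must start with a type token, have ':' as its second byte, and end in ; or }.
function is_serialized_simplified(string $data): bool {
    $data = trim($data);
    if ($data === 'N;') {
        return true;
    }
    if (strlen($data) < 4 || $data[1] !== ':') {
        return false;
    }
    $last = substr($data, -1);
    // The check the excerpt refers to: a stray trailing character fails it.
    if ($last !== ';' && $last !== '}') {
        return false;
    }
    $token = $data[0];
    switch ($token) {
        case 's':
            return substr($data, -2, 1) === '"';
        case 'a':
        case 'O':
            return (bool) preg_match("/^{$token}:[0-9]+:/s", $data);
        case 'b':
        case 'i':
        case 'd':
            return (bool) preg_match("/^{$token}:[0-9.E+-]+;$/", $data);
    }
    return false;
}

// Arrays/objects are serialized; a string that already looks serialized is
// serialized once more; any other string goes in verbatim.
function maybe_serialize_simplified($data): string {
    if (is_array($data) || is_object($data)) {
        return serialize($data);
    }
    if (is_string($data) && is_serialized_simplified($data)) {
        return serialize($data);
    }
    return (string) $data;
}

// Only data that passes the check above is handed to unserialize().
function maybe_unserialize_simplified(string $data) {
    if (is_serialized_simplified($data)) {
        return @unserialize($data);
    }
    return $data;
}

// Hypothetical storage model (assumption): the value is cut at the first
// byte >= 0x80, so a trailing multi-byte character is dropped on the way in.
function store_with_truncation(string $value): string {
    $len = strlen($value);
    for ($i = 0; $i < $len; $i++) {
        if (ord($value[$i]) >= 0x80) {
            return substr($value, 0, $i);
        }
    }
    return $value;
}

// Walks one constructed payload through the three steps and returns what
// each step saw, so the difference between "on the way in" and "on the way
// out" is visible side by side.
function trace_round_trip(string $payload): array {
    $onTheWayIn = maybe_serialize_simplified($payload);
    $stored     = store_with_truncation($onTheWayIn);
    return [
        'payload_serialized_on_input' => is_serialized_simplified($payload),
        'stored_value'                => $stored,
        'stored_serialized_on_output' => is_serialized_simplified($stored),
        'value_read_back'             => maybe_unserialize_simplified($stored),
    ];
}

// Constructed payloads: a type token followed by a 4-byte UTF-8 character.
$funky = "\xF0\x9F\x98\x80";
var_dump(trace_round_trip('i:1;' . $funky));
var_dump(trace_round_trip('O:8:"stdClass":0:{}' . $funky));
```

Run it with `php example.php`. The first trace shows the integer case from the excerpt: the payload fails the check on input, so it is stored verbatim rather than being serialized again, and after the hypothetical truncation the remaining bytes pass the check and are unserialized on the way out. The second trace walks the same path with an object token, which is why the class of bug is an object injection rather than just a type confusion.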

wp-cli — A command line interface for WordPress

wp-cli is a set of command-line tools for managing WordPress installations. You can update plugins, set up multisite installs, create posts and much more. Once installed, you can run commands such as: wp plugin install hello-dolly which will output: Installing Hello Dolly (1.5) Downloading install package from http://downloads.WordPress.org/plugin/hello-dolly.1.5.zip … Unpacking the package … Installing the […]

Facebook for WordPress Plugin

Something that was long overdue: an official Facebook for WordPress Plugin which brings some basic Facebook features (such as injecting a Like Button, or publishing to Facebook when publishing a post) and some new ones (such as tagging a Facebook friend straight from the WordPress “add post” screen) to WordPress. If you want to […]

Their growing demand: WordPress Magazine/Gazette/Newspaper Themes Overview

Lately, there’s been a lot of rumbling within the WordPress Themes Scene. I’m not talking about some of the free themes that contain tracking codes, but the rise of the Magazine/Gazette/Newspaper themes. During the past three months quite a few have popped up. Here’s a little overview.