Threat actors were observed installing the abandoned Eval PHP plugin on compromised WordPress sites for backdoor deployment. Researchers from Sucuri warned that threat actors are installing the abandoned Eval PHP plugin on compromised WordPress sites for backdoor deployment. The Eval PHP plugin allows PHP code to be inserted into the pages and posts of WordPress […]
Experts disclosed a flaw in the PHP software package repository Packagist that could have been exploited to carry out supply chain attacks. SonarSource Researchers disclosed details about a now-fixed vulnerability (CVE-2022-24828) in PHP software package repository Packagist,, that could have been exploited to carry out supply chain attacks. The issue was addressed within hours by […]
A vulnerability in the PHP Composer could have allowed an attacker to execute arbitrary commands and backdoor every PHP package. The maintainers of the PHP Composer package have addressed a critical vulnerability, tracked as CVE-2021-29472, that could have allowed an attacker to execute arbitrary commands and establish a backdoor in every PHP package. Composer is the major […]
The maintainers of the PHP programming language confirmed that threat actors may have compromised a user database containing their passwords. The maintainers of the PHP programming language have provided an update regarding the security breach that took place on March 28. Unknown attackers hacked the official Git server of the PHP programming language and pushed […]
Threat actors hacked the official Git server of the PHP programming language and pushed unauthorized updates to insert a backdoor into the source code. Unknown attackers hacked the official Git server of the PHP programming language and pushed unauthorized updates to insert a backdoor into the source code. On March 28, the attackers pushed two […]
Threat actors in the wild are leveraging a recently discovered flaw in the ThinkPHP PHP framework to install cryptominers, skimmers, and other malware. Multiple threat actors are leveraging a recently discovered code execution vulnerability (CVE-2018-20062) in the ThinkPHP framework. The flaw was already addressed by the Chinese firm TopThink that designed the framework, but security expert Larry […]
Maintainers of Packagist, the largest PHP package repository, have recently addressed a critical remote code execution vulnerability. Packagist is the default package host behind Composer, it has over 435 million package installs. The vulnerability was reported by the security researcher Max Justicz, the expert discovered that the “Submit Package” input field for submitting new PHP packages via the package […]
The security researcher Sam Thomas from Secarma, has discovered a new attack technique that leverages critical deserialization vulnerabilities in PHP programming language. The flaws potentially expose web applications written in the popular language to cyber attacks, including websites running CMSs like WordPress and Typo3. The expert discovered that an attacker can use low-risk functions against Phar archives to trigger […]
Security expert discovered severe flaws in most popular programming languages that could expose to hack any secure application built on top of them. Last week, IOActive Senior Security Consultant Fernando Arnaboldi presented at the Black Hat Europe 2017 security conference the results of an interesting research about vulnerabilities in several popular interpreted programming languages. Arnaboldi […]
The security expert Dawid Golunski from Legal Hackers has reported critical RCE flaws in the popular PHP libraries SwiftMailer, PhpMailer and ZendMail. Recently the security expert Dawid Golunski from Legal Hackers has reported a critical RCE vulnerability, tracked as CVE-2016-10033, in one of the popular open source PHP library, the PHPMailer. The critical vulnerability in the […]