Seven Critical Vulnerabilities Discovered in Portainer

Portainer is a lightweight management UI that lets you easily manage your Docker host or Swarm cluster. In October 2019, I discovered 7 critical vulnerabilities in Portainer which allow an attacker to steal session tokens, escalate privileges and access the host filesystem. At the time of writing, all of the issues identified in this blog…

Vulnerabilities in MikroTik RouterOS

Recently I discovered two vulnerabilities in MikroTik RouterOS. One of them requires authentication (CVE-2019-15055). In the first report to MikroTik, this path traversal vulnerability allows an authenticated user to write/delete arbitrary writable files on the system, which could lead to privilege escalation. All discovered vulnerabilities have been fixed in the latest testing and stable versions.

Multiple WordPress Plugins SQL Injection Vulnerabilities

In July 2019, I discovered and reported nine SQL injection vulnerabilities in nine different popular WordPress plugins across a variety of categories, including advertisement, donation, gallery, forms, newsletter, and video player. These plugins are being actively used by hundreds of thousands of WordPress websites, with some of them ranked in the top position for their…