Vulnerabilities in MikroTik RouterOS

Posted on by tinduong

Recently I discovered two vulnerabilities in MikroTik RouterOS. One of them requires authentication (CVE-2019-15055). In the first report to MikroTik, this path traversal vulnerability allows an authenticated user to write/delete arbitrary writable files on the system, which could lead to privilege escalation. All discovered vulnerabilities have been fixed in the latest testing and stable version.

Multiple WordPress Plugins SQL Injection Vulnerabilities

Posted on by tinduong

In July 2019, I discovered and reported nine SQL injection vulnerabilities in nine different popular WordPress plugins across a variety of categories, including advertisement, donation, gallery, forms, newsletter, and video player. These plugins are being actively used by hundreds of thousands of WordPress websites, with some of them ranked in the top position for their…