Sonar Blog

Home

Sonar's latest blog posts

Featured Post

Building Confidence and Trust in AI-Generated Code

To tackle the accountability and ownership challenge accompanying AI-generated code, we are introducing Sonar AI Code Assurance

Read More
https://assets-eu-01.kc-usercontent.com:443/a8c9572d-fe62-0144-0642-b3f31f575091/0bd6c0bc-c921-485b-8570-8de7e1384983/AI%20Code%20Assurance_square-index%402x.png
This blog post details an authenticated Remote Code Execution (RCE) vulnerability in the WordPress core that bypasses hardening mechanisms. The vulnerability is present in the WordPress c...
Blog post

WordPress <= 5.2.3: Hardening Bypass

This blog post details an authenticated Remote Code Execution (RCE) vulnerability in the WordPress core that bypasses hardening mechanisms. The vulnerability is present in the WordPress core in versions prior to 5.2.4

Read Blog post >

Image shows various elements of code security, languages and bugs
Blog post

Clean as You Code: How to win at Code Quality without even trying

Analyzing a legacy project can be overwhelming. Learn how to Clean as You Code to make sure that the code you release into production tomorrow is at least as good as - and probably better than! - the code that's in production today.

Read Blog post >

Get new blogs delivered directly to your inbox!

Stay up-to-date with the latest Sonar content. Subscribe now to receive the latest blog articles.

By submitting this form, you agree to the storing and processing of your personal data as described in the Privacy Policy and Cookie Policy. You can withdraw your consent by unsubscribing at any time.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

BigTree is a small content management system which does not depend on many frameworks and advertises itself as user friendly and developer ready. In this blog post, we will take a look at...
Blog post

Backend SQL Injection in BigTree CMS 4.4.6

BigTree is a small content management system which does not depend on many frameworks and advertises itself as user friendly and developer ready. In this blog post, we will take a look at a few vulnerabilities we have detected in the codebase of BigTree.

Read Blog post >

https://assets-eu-01.kc-usercontent.com:443/a8c9572d-fe62-0144-0642-b3f31f575091/7ddf0933-4fb6-487c-bcc3-b93685017340/driveby-rce-exploit-pimcore.png.webp
Blog post

Drive By RCE Exploit in Pimcore 6.2.0

In this technical blog post we will examine how a drive by exploit in the Pimcore release 6.2.0 allows an attacker to execute OS commands.

Read Blog post >

WooCommerce is the most popular e-commerce plugin for WordPress with over 5 million installations. We detected a code vulnerability in the way WooCommerce handles imports of products.
Blog post

WooCommerce 3.6.4 - CSRF Bypass to Stored XSS

WooCommerce is the most popular e-commerce plugin for WordPress with over 5 million installations. We detected a code vulnerability in the way WooCommerce handles imports of products.

Read Blog post >

In this blog post we analyse how the insecure extraction of a compressed TAR archive lead to a critical vulnerability in Bitbucket (CVE-2019-3397).
Blog post

Bitbucket 6.1.1 Path Traversal to RCE

In this blog post we analyse how the insecure extraction of a compressed TAR archive lead to a critical vulnerability in Bitbucket (CVE-2019-3397).

Read Blog post >

https://assets-eu-01.kc-usercontent.com:443/a8c9572d-fe62-0144-0642-b3f31f575091/343713ba-0a38-438b-b4c8-e3af1021661d/suitecrm_security.png.webp
Blog post

SuiteCRM 7.11.4 - Breaking Into Your Internal Network

In this blog post we will see how a vulnerable web application deployed in the internal network of your company can act as a charming entry gateway for any adversary.

Read Blog post >

https://assets-eu-01.kc-usercontent.com:443/a8c9572d-fe62-0144-0642-b3f31f575091/1741d7ea-15b7-434e-88a6-d34ecaebcf41/oxid_eshop.png.webp
Blog post

Pre-Auth Takeover of OXID eShops

We detected a highly critical vulnerability in the OXID eShop software that allows unauthenticated attackers to takeover an eShop remotely in less than a few seconds - all on default configurations.

Read Blog post >

In this technical blog post we examine a critical vulnerability in the core of the TYPO3 CMS (CVE-2019-12747). A reliable exploit allows the execution of arbitrary PHP code on the underly...
Blog post

TYPO3 9.5.7: Overriding the Database to Execute Code

In this technical blog post we examine a critical vulnerability in the core of the TYPO3 CMS (CVE-2019-12747). A reliable exploit allows the execution of arbitrary PHP code on the underlying system as authenticated user.

Read Blog post >

This blog post shows how the combination of a HTML sanitizer bug and a Phar Deserialization in the popular eCommerce solution Magento <=2.3.1 lead to a high severe exploit chain. This cha...
Blog post

Magento 2.3.1: Unauthenticated Stored XSS to RCE

This blog post shows how the combination of a HTML sanitizer bug and a Phar Deserialization in the popular eCommerce solution Magento <=2.3.1 lead to a high severe exploit chain. This chain can be abused by an unauthenticated attacker to fully takeover certain Magento stores and to redirect payments.

Read Blog post >

In this blog post we will show how to exploit a SQL injection vulnerability (CVE-2019-12872) found by RIPS Code Analysis in the popular java-based content management system dotCMS and how...
Blog post

dotCMS 5.1.5: Exploiting H2 SQL injection to RCE

In this blog post we will show how to exploit a SQL injection vulnerability (CVE-2019-12872) found by RIPS Code Analysis in the popular java-based content management system dotCMS and how we escalated it to execute code remotely.

Read Blog post >

Go to SonarSource homepage
sonar logo
  • Legal documentation
  • Trust center
  • Follow SonarSource on Twitter
  • Follow SonarSource on Linkedin

© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.