by Trustwave's security researcher Manuel Nader, and the VPN provider itself. One of the two vulnerabilities was fixed in the meantime, while the other one remains active, and PureVPN has, according to Nader, "accepted the risk". The vulnerability that was patched saw saved passwords stored in plaintext at this location: C:\ProgramData\purevpn\config\login.conf. All users had the chance to access and read the file by simply opening it through the CMD. This vulnerability has been patched in version 6.1.0, and whoever uses PureVPN is strongly advised to update to the latest version as soon as possible. The second vulnerability is the one that remains open, and the company has decided to "accept the risk". So basically, you'd need to open the Windows client, open Configuration, User Profile, and click on "Show Password". A spokesperson for PureVPN sent us the following statement.

"This is not a vulnerability, rather a feature that we deployed for the ease of our users. Back in April 2018, when Trustwave reported it to us, we assessed the risk and found it minimal due to how our systems are designed. Our systems work a bit differently than those of most other VPN providers. For enhanced security, we use separate passwords for Member Area and VPN access. The Member Area password, which is more privileged, is not shown in apps; it's the VPN access password that is the subject of this feature. Furthermore, by default, our VPN passwords are system generated and not set by users. This curtails the risk of users using the same password for VPN accounts that they use for their sensitive accounts elsewhere on the Internet.

On the other hand, this enhanced security design proved a little difficult for quite a few of our users and hence we offered a way for them to easily retrieve their VPN password. For now, as the community has raised concerns and is confusing it with a vulnerability, we have temporarily removed the feature and released a newer version, 6.2.2. To those users of ours who pretty much use this feature to retrieve the separate password for VPN, we would like to inform them that we plan to redesign the feature, keeping these concerns in mind, and release it back in our November 2018 release. We use Bugcrowd, a public Bug Bounty Program that employs some 90,000 ethical hackers to test our product. We remain in heavy collaboration with the InfoSec community and hence have such aggressive and streamlined processes in place to have released the new version 6.2.2 within a few hours only."

Those interested in learning more about VPNs and how they help improve your online privacy should make sure to read our Best VPN article.
A severe WordPress vulnerability which has been left a year without being patched has the potential to disrupt countless websites running the CMS, researchers claim. At the BSides technical cybersecurity conference in Manchester on Thursday, Secarma researcher Sam Thomas said the bug permits attackers to exploit the WordPress PHP framework, resulting in a full system compromise. If the domain permits the upload of files, such as image formats, attackers can upload a crafted thumbnail file in order to trigger a file operation through the "phar://" stream wrapper. In turn, the exploit triggers XML eXternal Entity (XXE) and Server Side Request Forgery (SSRF) flaws which cause unserialization in the platform's code. While these flaws may originally result only in information disclosure and may be low risk, they can act as a pathway to a more serious remote code execution attack. The security researcher says the core vulnerability, which is yet to receive a CVE number, is within the wp_get_attachment_thumb_file function in /wp-includes/post.php; when attackers gain control of a parameter used in the "file_exists" call, the bug can be triggered. Unserialization occurs when serialized variables are converted back into PHP values. When autoloading is in place, this can result in code being loaded and executed, an avenue attackers may exploit in order to compromise PHP-based frameworks. "Unserialization of attacker-controlled data is a known critical vulnerability, potentially resulting in the execution of malicious code," the company says.
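The defensive pattern that closes this class of bug, as an added illustration (not code from the article, WordPress or Secarma): refuse any attacker-influenced value that names a PHP stream wrapper before it reaches file_exists(), and confine the resolved path to the uploads directory. The function names and the use of the system temp directory as a stand-in for the uploads directory are assumptions.

```php
<?php
// Added example, not WordPress code: guard a user-influenced path before it is
// passed to file_exists() or any other filesystem call. A "scheme://" prefix such
// as phar://, php:// or data:// selects a PHP stream wrapper, and a phar:// path
// causes the archive's serialized metadata to be unserialized on access.
function names_stream_wrapper(string $path): bool
{
    // Any scheme, registered or not, is refused; only plain paths pass.
    return preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1;
}

// Resolve $relative inside $base_dir and return the absolute path, or null if the
// value names a stream wrapper, contains a NUL byte, or escapes the directory.
function safe_local_path(string $base_dir, string $relative): ?string
{
    if (names_stream_wrapper($relative) || strpos($relative, "\0") !== false) {
        return null;
    }
    $real_base = realpath($base_dir);
    $real_path = realpath($base_dir . DIRECTORY_SEPARATOR . $relative);
    if ($real_base === false || $real_path === false) {
        return null; // base missing, or target does not exist (so it cannot "exist")
    }
    // Compare with a trailing separator so "/srv/uploads2" cannot pass for "/srv/uploads".
    $prefix = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real_path, $prefix, strlen($prefix)) === 0 ? $real_path : null;
}

// Drop-in for the pattern described above: file_exists() only on a vetted path.
function thumb_file_exists(string $uploads_dir, string $thumb_name): bool
{
    $path = safe_local_path($uploads_dir, $thumb_name);
    return $path !== null && file_exists($path);
}

// Constructed inputs for a quick self-check; the temp directory stands in for the
// uploads directory (assumption). Wrapper URIs and traversal both resolve to null.
$uploads = sys_get_temp_dir();
var_dump(names_stream_wrapper('phar://uploads/avatar.jpg'));
var_dump(safe_local_path($uploads, '../../etc/passwd'));
var_dump(safe_local_path($uploads, 'php://filter/resource=x.jpg'));
var_dump(thumb_file_exists($uploads, 'phar://uploads/avatar.jpg'));
```

The same check applies to every filesystem function that accepts a path (file_exists, is_file, filesize, fopen and so on), since all of them honour stream wrappers.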
The issue of unserialization was first uncovered back in 2009, and since then, vulnerabilities have been recognized in which the integrity of PHP systems can be compromised, such as CVE-2017-12934, CVE-2017-12933, and CVE-2017-12932. The WordPress content management system (CMS) is used by millions of webmasters to manage domains, which means the vulnerability potentially has a vast victim pool should the flaw be exploited in the wild. "I've highlighted that the unserialization is exposed to a lot of vulnerabilities that might have previously been considered quite low-risk," Thomas explained. "Issues which they might have thought were fixed with a configuration change or had been considered quite minor previously might need to be reevaluated in the light of the attacks I demonstrated." According to Secarma, the CMS provider was made aware of the security issue in February 2017, but "is yet to take action." Technical details have been provided in a white paper (.PDF). "This research continues a worrying recent trend, in demonstrating that object (un)serialization is an integral part of several modern languages," Thomas said. "We must constantly be aware of the security impact of such mechanisms being exposed to attackers." No reports have been received which suggest the exploit is being actively used in the wild. The vulnerability was originally reported through the WordPress HackerOne bug bounty program last year. The issue was confirmed after several days and Thomas was credited for his findings.

However, a Secarma spokesperson told ZDNet that while there was "some attempt to fix the issue" in May 2017, this did not address the problem. "Communication then went dead for a number of months and has only recently begun again," the spokesperson added. ZDNet has reached out to WordPress and will update if we hear back.