Outdated and unverified code on your pages

Old libraries with public exploits, and third-party scripts with no integrity check.

Is your site running a version of jQuery with a known XSS hole?

Old jQuery on a live page ships a public XSS exploit to every visitor. How to read the version, why it matters, and the one-line fix.

AngularJS, Lodash, Moment: the abandoned libraries still on live sites

End-of-life JavaScript libraries get no security patches but still ship to every visitor. Which ones to check, and how to know what you serve.

What is Subresource Integrity, and why does that third-party script need it?

A CDN script without Subresource Integrity runs whatever bytes the CDN serves. If the CDN is compromised, the attack runs as your site.

Bootstrap, Handlebars, DOMPurify: three libraries with known holes still on live sites

An old Bootstrap, Handlebars, or DOMPurify on your page ships a public exploit to every visitor. The CVEs, why these three matter, and how to read your version.

Your WordPress, Drupal, or Joomla version is public, and bots check it first

An outdated WordPress, Drupal, or Joomla announces its version in the page, and bots match it to a known exploit. How the version leaks, and how to stay patched.

Telerik UI for ASP.NET: the .axd handler that's still getting sites owned

Old Telerik UI for ASP.NET AJAX ships a file-upload handler with a public RCE (CVE-2019-18935) that's on CISA's exploited list. How to spot a vulnerable version from outside, and how to fix it.

Magento CosmicSting: is your store on a version that leaks its own encryption key?

CosmicSting (CVE-2024-34102) is a pre-auth flaw in Magento / Adobe Commerce up to 2.4.6 that leaks the encryption key and chains to RCE. How to tell your version from outside, and how to fix it.

Your WordPress is patched, but is the plugin with the public RCE? The plugins bots hunt by version

WordPress core gets updated. The plugins underneath it accumulate critical CVEs (LiteSpeed Cache, GiveWP, Essential Addons), and a plugin advertises its version in its own readme. How bots find a vulnerable one, and how to check yours.

Find it before someone else does.

Paste your domain. The grade and issue count are free, and you'll see in a couple of minutes exactly what's reachable from outside.