Sonar's latest blog posts
The Coding Personalities of Leading LLMs
Make smarter AI adoption decisions with Sonar's latest report in The State of Code series. Explore the habits, blind spots, and archetypes of the top five LLMs to uncover the critical risks each brings to your codebase.


Developers spend 30% of their time on code maintenance: our latest survey results, part 3
In our latest survey, which we ran in November and December of last year, we set out to answer some of the follow-up questions that arose after we analyzed the earlier results. Nearly 300 developers responded to our survey, which dives deeper into how professional developers use open source today.
Read article >

WordPress 5.1 CSRF to Remote Code Execution
This blog post reveals another critical exploit chain for WordPress 5.1 that enables an unauthenticated attacker to gain remote code execution (CVE-2019-9787).
Read Blog >
Get new blogs delivered directly to your inbox!
Stay up-to-date with the latest Sonar content. Subscribe now to receive the latest blog articles.

Announcing the SonarQube Cloud Pipe for Bitbucket Cloud users!
SonarSource is proud to be a launch partner of the Atlassian Bitbucket Pipes. Thanks to the SonarQube Cloud Scan Pipe, you can configure code analysis in your Bitbucket Pipeline in no time.
Read Blog >

WordPress 5.0.0 Remote Code Execution
This blog post details how a combination of a Path Traversal and Local File Inclusion vulnerability lead to Remote Code Execution in the WordPress core (CVE-2019-8943). The vulnerability remained uncovered in the WordPress core for over 6 years.
Read Blog >

CTF Writeup: Complex Drupal POP Chain
A recent Capture-The-Flag tournament hosted by Insomni’hack challenged participants to craft an attack payload for Drupal 7. This blog post will demonstrate our solution for a PHP Object Injection with a complex POP gadget chain.
Read Blog >

WordPress Privilege Escalation through Post Types
A logic flaw in the way WordPress created blog posts allowed attackers to access features only administrators were supposed to have (CVE-2018-20152). This lead to a Stored XSS and Object Injection in the WordPress core and more severe vulnerabilities in WordPress’s most popular plugins Contact Form 7 and Jetpack.
Read Blog >

phpBB 3.2.3: Phar Deserialization to RCE
A new PHP exploit technique affects the most famous forum software phpBB3. The vulnerability allows attackers who gain access to an administrator account to execute arbitrary PHP code and to take over the entire board (CVE-2018-19274).
Read Blog >

WordPress Design Flaw Leads to WooCommerce RCE
WordPress Design Flaw Leads to WooCommerce RCEA flaw in the way WordPress handles privileges can lead to a privilege escalation in plugins. This affects for example the popular WooCommerce.
Read Blog >

PHP Object Injection
A very common and critical vulnerability in PHP applications is PHP Object Injection. This blog post explains how they work and how they can lead to a full site takeover by remote attackers.
Read Blog >

Fully Automated Promotion Pipelines with SonarQube Server and Artifactory
Catch builds constructed from poor quality code before they make it to production. Discover how to integrate Artifactory and SonarQube Server.
Read Blog >

My Journey Interviewing with SonarSource...
What's it like to interview with SonarSource? Read on and find out!
Read Blog >