0xbro

https://0xbro.red/ 0xbro I am Mattia Brollo, aka 0xbro, a penetration tester, vulnerability researcher, content creator & wannabe ethical hacker. Within the blog you can find all my writeups about vulnerability research, CTFs tricks, exploits, templates, hints and penetration testing notes. 2026-04-10T13:49:17+02:00 0xbro https://0xbro.red/ Jekyll © 2026 0xbro /assets/img/favicons/favicon.ico /assets/img/favicons/favicon-96x96.png Exploiting a PHP Object Injection in Profile Builder Pro in the era of AI 2026-03-19T00:00:00+01:00 2026-03-19T00:00:00+01:00 https://0xbro.red/posts/POI-in-the-era-of-AI/ 0xbro

WordPress plugin "Profile Builder Pro" (versions before 3.14.5) is susceptible to Unauthenticated PHP Object Injection. In this blog post, we discuss how we discovered and exploited the vulnerability using a novel POP chain, how AI helped in the process, taking a final look at targets in the wild.

How I keep updated in the infosec industry 2026-02-17T00:00:00+01:00 2026-03-27T17:49:25+01:00 https://0xbro.red/posts/how-i-keep-updated/ 0xbro

Introduction Happy 2026, two months late and with a new design for my blog! 🥳 It had been quite a while since I last posted anything on my blog, and recently I have been trying to find a functional system to best consume and process online information. So here we are, writing a blog post that will allow me to clarify my ideas (hopefullyspoiler, it did!) and at the same time give you some ins...

Vtenext 25.02 vulnerability research 2025-08-12T00:00:00+02:00 2025-08-12T00:00:00+02:00 https://0xbro.red/posts/vtenext-25-02-a-three-way-path-to-rce/ 0xbro

Multiple vulnerabilities in vtenext 25.02.1 and prior versions allow unauthenticated attackers to bypass authentication through three separate vectors, ultimately leading to remote code execution on the underlying server.

Incorrect Authorization to Authenticated (Contributor+) Multiple Media Actions in Prevent Direct Access Wordpress Plugin (CVE-2025-3861) 2025-04-24T00:00:00+02:00 2025-04-24T00:00:00+02:00 https://0xbro.red/posts/wp-prevent-direct-access-CVE-2025-3861/ 0xbro

The Prevent Direct Access – Protect WordPress Files plugin for WordPress is vulnerable to unauthorized access and modification of data| due to a misconfigured capability check on the 'pda_lite_custom_permission_check' function in versions 2.8.6 to 2.8.8.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to access and change the protection status of media.

Effective Notes for OSCP, CTFs and Pentests with Obsidian (2025) 2025-03-15T00:00:00+01:00 2025-03-15T00:00:00+01:00 https://0xbro.red/posts/effective-notes-with-obsidian/ 0xbro

Having well-organized notes is crucial for penetration testing, OSCP preparation and exams, CTFs, etc. They help you quickly identify previously exploited vulnerabilities and map the interconnections between machines within a network. In this video, I'll show you how I take effective notes using Obsidian's Canvas and Excalidraw, and how I structure them.