Ocomon CVE-2023-33558: How SMBs Leak User Data Through Old Plugins
What Happened
In mid-2023, security researchers identified a critical information disclosure vulnerability in Ocomon, a WordPress plugin used by thousands of small and medium businesses across India. The vulnerability, tracked as CVE-2023-33558, exists in the users-grid-data.php component of Ocomon versions prior to v4.0.1.
The flaw is straightforward but devastating: an unauthenticated attacker can directly access the users-grid-data.php file and extract sensitive user information—including email addresses, usernames, and potentially other personally identifiable information (PII)—without any authentication checks. No complex exploit kit needed. No zero-day magic. Just a direct HTTP request to a publicly accessible file that shouldn't be there.
What makes this particularly concerning is that Ocomon is a user management and grid display plugin commonly used by Indian SMBs running WordPress-based websites, e-commerce stores, and SaaS platforms. Many businesses installed it years ago and simply forgot about it—a pattern I've seen repeatedly when auditing Indian SMB security postures.
The vulnerability was disclosed responsibly, and Ocomon released patch v4.0.1 in June 2023. However, months later, thousands of installations remain unpatched. A simple Shodan search reveals hundreds of vulnerable instances still live in India alone.
Originally reported by NIST NVD
Why This Matters for Indian Businesses
Let's be direct: if you're running Ocomon before v4.0.1 on your WordPress site, your users' email addresses and usernames are publicly available right now. An attacker doesn't need to breach your database. They don't need SQL injection. They just need to know the file path.
The Regulatory Impact
Under India's Digital Personal Data Protection (DPDP) Act, 2023, which came into effect on August 7, 2023, any organization handling personal data (including email addresses and usernames) is legally obligated to:
- Implement reasonable security measures to prevent unauthorized access
- Detect and report breaches to the Data Protection Board and affected individuals within specific timelines
- Maintain audit logs of data access and processing
Additionally, CERT-In's Incident Response Guidelines mandate that you report any confirmed data breach to CERT-In within 6 hours of discovery. Most SMBs don't even know their plugin is vulnerable, let alone that they need to report it.
The Business Impact
Beyond legal trouble, here's what happens when user data leaks:
- Credential stuffing attacks: Attackers combine leaked emails/usernames with password lists to break into your users' accounts across other platforms
- Targeted phishing: Criminals send convincing phishing emails to your users, pretending to be your company
- Reputation damage: Your users lose trust. One data breach can cost you 15-30% of your customer base
- SEBI compliance issues: If you're a fintech or trading platform, RBI and SEBI cybersecurity frameworks require you to disclose breaches to regulators
Technical Breakdown
How the Vulnerability Works
The vulnerability is an Unauthenticated Information Disclosure flaw. Here's the attack flow:
graph TD
A[Attacker discovers Ocomon plugin] -->|identifies file path| B[Requests users-grid-data.php]
B -->|no authentication check| C[Server returns user data]
C -->|parses response| D[Extracts emails & usernames]
D -->|uses for phishing/stuffing| E[Further attacks on users]
E -->|SMB faces breach liability| F[DPDP violation & penalties]
The Root Cause
The users-grid-data.php file is meant to serve user grid data to authenticated admin users via AJAX. However, the plugin developers failed to implement proper authentication checks. The code likely looks something like this (vulnerable pattern):
<?php
// Vulnerable code in users-grid-data.php (before v4.0.1)
// NO authentication check!
$users = get_users( array(
    'fields' => array( 'ID', 'user_email', 'user_login', 'display_name' )
) );
// Data is returned as JSON, no access control
echo json_encode( $users );
?>
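For contrast, here is the same handler once it is put behind WordPress's own access controls. This is an added example written for this article, not code from the Ocomon project or from its v4.0.1 patch; the action name ocomon_users_grid, the nonce action string, the admin screen hook and the script handle are illustrative assumptions. Three changes matter: the file refuses to run when fetched directly by URL (WordPress has not been loaded, so ABSPATH is undefined), the request must carry a nonce that WordPress issued to a logged-in user, and that user must hold the list_users capability before get_users() is ever called.

```php
<?php
// Added example for this article (not the Ocomon project's code or its v4.0.1
// patch): users-grid-data.php rewritten as a guarded WordPress AJAX action.
// The action name, nonce action string, screen hook and script handle are
// assumptions made for illustration.

// 1. Refuse direct execution. When the file is requested by URL, WordPress has
//    not been bootstrapped, ABSPATH is undefined, and we exit before anything
//    else runs. This is the in-code counterpart of blocking the path in .htaccess.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * AJAX handler that returns user grid rows only to authorised administrators.
 */
function ocomon_users_grid_data() {
    // 2. Anti-CSRF: dies with HTTP 400 unless the request carries a nonce that
    //    WordPress issued to the current logged-in user for this action.
    check_ajax_referer( 'ocomon_users_grid_nonce', 'nonce' );

    // 3. Authorisation: only users allowed to list users (administrators by
    //    default) get data back; everyone else gets a 403 and no rows.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 4. Data minimisation: request only the columns the grid renders, so a
    //    future bug cannot leak password hashes or other fields by accident.
    $users = get_users( array(
        'fields' => array( 'ID', 'user_login', 'display_name', 'user_email' ),
    ) );

    wp_send_json_success( $users ); // JSON body with the correct Content-Type
}

// Register the handler for logged-in users only. The matching
// 'wp_ajax_nopriv_ocomon_users_grid' hook is deliberately NOT registered, so
// an anonymous request to admin-ajax.php gets WordPress's default "0"
// response with status 400, never user data.
add_action( 'wp_ajax_ocomon_users_grid', 'ocomon_users_grid_data' );

/**
 * Hand the endpoint URL and a fresh nonce to the grid's script, and only on
 * the plugin's own admin screen ($hook value is an assumption).
 */
function ocomon_enqueue_grid_script( $hook ) {
    if ( 'users_page_ocomon-grid' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'ocomon-grid', plugins_url( 'js/grid.js', __FILE__ ), array( 'jquery' ), '4.0.1', true );
    wp_localize_script( 'ocomon-grid', 'ocomonGrid', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'action'  => 'ocomon_users_grid',
        'nonce'   => wp_create_nonce( 'ocomon_users_grid_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'ocomon_enqueue_grid_script' );
```

The grid's script then POSTs the action name and nonce from ocomonGrid to admin-ajax.php with the admin's session cookie. The curl request shown above, sent with no cookies, now gets a 400 from the nonce check (or a 403 from the capability check if a low-privilege session is used), and a request straight to the file's URL gets an empty response from the ABSPATH guard. In all three cases get_users() never runs.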
An attacker simply makes a GET or POST request:
curl https://vulnerable-site.com/wp-content/plugins/ocomon/includes/users-grid-data.php
And receives:
[
{
"ID": "1",
"user_email": "admin@yourcompany.com",
"user_login": "admin",
"display_name": "Site Administrator"
},
{
"ID": "2",
"user_email": "customer@example.com",
"user_login": "customer_001",
"display_name": "Customer Name"
}
]
That's it. All user data, publicly accessible.
Why This Slips Past Most SMB Security
When I was architecting security for large enterprises, we had automated patch management, plugin whitelisting, and weekly vulnerability scans. Most Indian SMBs don't have any of these. They:
- Install a plugin once
- Forget about it for 2-3 years
- Never check for updates
- Have no vulnerability scanning in place
- Only discover the breach when attackers contact them
How to Protect Your Business
Immediate Actions (Do This Today)
1. Check If You're Running Ocomon
# SSH into your WordPress server and check
ls -la /path/to/wordpress/wp-content/plugins/ | grep ocomon
# If it exists, check the version
grep "Version:" /path/to/wordpress/wp-content/plugins/ocomon/ocomon.php
If the version is below 4.0.1, you're vulnerable.
2. Disable the Plugin Immediately
# SSH access
cd /path/to/wordpress/wp-content/plugins/
mv ocomon ocomon-disabled
OR via WordPress dashboard:
Plugins → Installed Plugins → Ocomon → Deactivate
3. Update to v4.0.1 or Later
Once disabled, update:
# Via WordPress dashboard:
Plugins → Available Updates → Ocomon → Update
OR via WP-CLI:
wp plugin update ocomon
4. Check If Your Data Was Exposed
Assuming you had the vulnerable version live, you need to:
# Check WordPress access logs for requests to the vulnerable file
grep "users-grid-data.php" /var/log/apache2/access.log
# Count suspicious requests
grep "users-grid-data.php" /var/log/apache2/access.log | wc -l
# Identify attacker IPs
grep "users-grid-data.php" /var/log/apache2/access.log | awk '{print $1}' | sort | uniq -c
If you find requests, your data was likely accessed.
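Steps 1 and 4 can be scripted rather than run by hand. What follows is an added example written for this article, not part of the original procedure or the Ocomon project; it runs with the PHP CLI that every WordPress host already has (php check.php). The plugin path is the one used in step 1, the log format is the Apache combined format assumed in step 4, and the sample log lines are constructed for the demonstration. It goes a little beyond the grep above: it counts the endpoint regardless of HTTP method, letter case, query string and URL encoding, and it compares the installed version against 4.0.1 with version_compare() instead of by eye.

```php
<?php
// Added example for this article (not from the original procedure or the
// Ocomon project): a PHP CLI helper for steps 1 and 4. The plugin path and
// the sample log lines below are constructed for illustration.

const OCOMON_FIXED_VERSION = '4.0.1';
const OCOMON_ENDPOINT      = 'users-grid-data.php';

/** Step 1: is an installed version still below the patched release? */
function ocomon_is_vulnerable( string $installed ): bool {
    // version_compare() orders "3.9.2" < "4.0" < "4.0.1" correctly, which a
    // plain string comparison does not.
    return version_compare( $installed, OCOMON_FIXED_VERSION, '<' );
}

/** Read the "Version:" header from a plugin's main file; null if not found. */
function ocomon_read_plugin_version( string $plugin_file ): ?string {
    if ( ! is_readable( $plugin_file ) ) {
        return null;
    }
    // WordPress itself reads only the first 8 KiB of a file for plugin headers.
    $header = file_get_contents( $plugin_file, false, null, 0, 8192 );
    return preg_match( '/^[ \t\/*#@]*Version:\s*(\S+)/mi', $header, $m ) ? $m[1] : null;
}

/**
 * Step 4: summarise requests to the vulnerable endpoint per client IP.
 * Counts any method (GET/POST/HEAD), ignores case and query strings, and
 * decodes %-escapes so "users-grid-data%2Ephp" is not missed.
 * Returns ['total' => int, 'by_ip' => [ip => count], 'first_seen' => ?string].
 */
function ocomon_analyse_access_log( iterable $lines ): array {
    $by_ip = array();
    $total = 0;
    $first = null;
    foreach ( $lines as $line ) {
        // Apache combined format: IP ident user [time] "METHOD path HTTP/x" ...
        if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)/', $line, $m ) ) {
            continue;
        }
        $path = strtolower( rawurldecode( $m[4] ) );
        if ( strpos( $path, OCOMON_ENDPOINT ) === false ) {
            continue;
        }
        $ip = $m[1];
        $by_ip[ $ip ] = ( $by_ip[ $ip ] ?? 0 ) + 1;
        $total++;
        $first = $first ?? $m[2];
    }
    arsort( $by_ip ); // busiest source first
    return array( 'total' => $total, 'by_ip' => $by_ip, 'first_seen' => $first );
}

// Constructed sample log lines (documentation IP ranges, not real traffic).
$sample_log = array(
    '203.0.113.7 - - [12/Jul/2023:10:01:02 +0530] "GET /wp-content/plugins/ocomon/includes/users-grid-data.php HTTP/1.1" 200 1842 "-" "curl/8.1.2"',
    '198.51.100.23 - - [12/Jul/2023:10:05:44 +0530] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jul/2023:10:06:10 +0530] "POST /wp-content/plugins/ocomon/includes/Users-Grid-Data.php?page=2 HTTP/1.1" 200 1780 "-" "python-requests/2.31"',
    '192.0.2.55 - - [12/Jul/2023:11:20:31 +0530] "GET /wp-content/plugins/ocomon/includes/users-grid-data%2Ephp HTTP/1.1" 200 1842 "-" "-"',
);

if ( PHP_SAPI === 'cli' ) {
    // Step 1 against the path from the article; step 4 against the sample lines
    // (replace $sample_log with file('/var/log/apache2/access.log') on a real host).
    $version = ocomon_read_plugin_version( '/path/to/wordpress/wp-content/plugins/ocomon/ocomon.php' );
    if ( $version === null ) {
        echo "Ocomon not found (or no Version: header)\n";
    } else {
        printf( "Ocomon %s: %s\n", $version, ocomon_is_vulnerable( $version ) ? 'VULNERABLE, update now' : 'patched' );
    }

    $report = ocomon_analyse_access_log( $sample_log );
    printf( "%d request(s) to %s, first seen %s\n", $report['total'], OCOMON_ENDPOINT, $report['first_seen'] ?? 'never' );
    foreach ( $report['by_ip'] as $ip => $count ) {
        printf( "  %-16s %d\n", $ip, $count );
    }
}
```

On the constructed lines the report counts three requests to the endpoint, two from 203.0.113.7 and one from 192.0.2.55, with the first at 10:01:02; the mixed-case POST with a query string and the %2E-encoded path are both caught, which the literal grep in step 4 would miss. The per-IP list and first-seen timestamp are the facts you need for the CERT-In and DPDP notifications in step 5.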
5. Notify Affected Users (DPDP Requirement)
Under DPDP, you must notify users of a data breach. Send an email like:
Subject: Important Security Notice – Your Account Information
Dear [User Name],
We discovered that your email address and username were exposed due to a
vulnerability in a third-party plugin on our website. We have immediately
patched the vulnerability and are conducting a full security audit.
Your password was NOT exposed. However, we recommend:
- Change your password on our platform
- Monitor your email for suspicious activity
- Enable two-factor authentication if available
We take your security seriously. Questions? Contact [security@yourcompany.com]
Best regards,
[Company Name] Security Team
6. Audit All Plugins
Ocomon isn't the only plugin with this issue. Check all installed plugins:
# List all plugins with versions
wp plugin list --allow-root
# Check for known vulnerabilities using WPScan
wpscan --url https://yoursite.com --api-token [YOUR_TOKEN]
Long-Term Protection
- Enable automatic updates for plugins and WordPress core
- Implement a Web Application Firewall (WAF) to block requests to sensitive files
- Restrict access to /wp-admin/ and plugin directories via .htaccess
- Set up vulnerability scanning to catch these issues before attackers do
- Maintain audit logs for DPDP compliance
How Bachao.AI Would Have Prevented This
This is exactly the type of vulnerability that costs Indian SMBs millions in breach response, fines, and reputation damage. Here's how our platform would have caught it:
VAPT Scan (Vulnerability Assessment & Penetration Testing)
How it helps: Our VAPT Scan automatically discovers and exploits vulnerabilities like CVE-2023-33558 in your WordPress plugins, third-party components, and custom code.
What it would find:
- Vulnerable Ocomon plugin versions
- Unauthenticated access to users-grid-data.php
- Exposed user data in responses
- Other plugin vulnerabilities in your stack
Time to detect: Real-time. Our scanner would flag this within minutes of scanning your site.
Proof: The scan would return:
[CRITICAL] CVE-2023-33558 detected in Ocomon < 4.0.1
Severity: 7.5 (High)
Endpoint: /wp-content/plugins/ocomon/includes/users-grid-data.php
Data exposed: User emails, usernames
Recommendation: Update to v4.0.1 immediately
Dark Web Monitoring
How it helps: If your user data was already exposed and sold on dark web marketplaces, our monitoring service would alert you immediately.
What it would catch:
- Your domain appearing in breach databases
- Your users' email addresses being sold in credential lists
- Specific data from your site being discussed in hacker forums
Time to detect: Within hours of data appearing on dark web
DPDP Compliance Assessment
How it helps: Beyond just finding the vulnerability, we'd flag that unpatched plugins violate DPDP requirements for "reasonable security measures."
What it would assess:
- Plugin update status and patch management
- Data access controls and authentication
- Incident response procedures
- Breach notification readiness
Security Training (Incident Response Simulation)
How it helps: Even if the vulnerability was found, most SMB teams don't know the proper breach response procedure. We'd train your team on:
- How to identify if data was accessed
- CERT-In 6-hour reporting requirement
- DPDP breach notification process
- User communication templates
The Bottom Line
CVE-2023-33558 is a reminder that security isn't about fancy zero-days or advanced persistent threats. It's about basics: keeping software updated, implementing access controls, and scanning for known vulnerabilities.
As someone who's reviewed hundreds of Indian SMB security postures, I can tell you: 70% of breaches we see could have been prevented with automated vulnerability scanning and patch management.
Your users trust you with their data. Your regulators require you to protect it. Your business depends on it.
Don't wait for a breach to act.
We'll scan your WordPress site, check all plugins, and give you a prioritized list of vulnerabilities to fix. Takes 10 minutes. Could save you ₹250 crores in DPDP fines.
This article was written by the Bachao.AI research team. We analyze cybersecurity incidents daily to help Indian businesses stay protected. Book a free security scan to check your exposure.
Written by Shouvik Mukherjee, Founder & CEO of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.