Accept Stripe Donation – AidWP Security Vulnerabilities

wpvulndb

uListing < 2.0.6 - Settings Update via CSRF

A Settings Update via CSRF vulnerability was discovered in the plugin: the settings-update AJAX handler does not check WordPress nonce security tokens (https://codex.wordpress.org/WordPress_Nonces). PoC #1 | CSRF | Main Settings Update: POST /wp-admin/admin-ajax.php HTTP/2 Host: example.com Cookie: [admin cookies] User-Agent: Mozilla/5.0...

0.2AI Score

2021-07-27 12:00 AM
8
wpvulndb

GiveWP < 2.12.0 - Authenticated Stored XSS

The plugin did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them. PoC Put the following payload in any Donation Level Text field of a Donation Form (ie...

1.6AI Score

2021-07-26 12:00 AM
5
wpexploit

GiveWP < 2.12.0 - Authenticated Stored XSS

The plugin did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in...

0.5AI Score

2021-07-26 12:00 AM
314
patchstack

WordPress Paytm plugin <= 1.3.2 - Authenticated SQL Injection (SQLi) vulnerability

Authenticated SQL Injection (SQLi) vulnerability discovered by Shreya Pohekar in WordPress Paytm plugin (versions <= 1.3.2). Solution This plugin has been closed as of June 3, 2021 and is not available for download. Reason: Security...

7.2CVSS

3.4AI Score

2021-07-24 12:00 AM
7
wpvulndb

Paytm - Donation Plugin <= 1.3.2 - Authenticated (admin+) SQL Injection

The plugin does not sanitise, validate or escape the id GET parameter before using it in a SQL statement when deleting donations, leading to an authenticated SQL injection issue PoC GET...

1.6AI Score

2021-07-24 12:00 AM
8
wpexploit

Paytm - Donation Plugin <= 1.3.2 - Authenticated (admin+) SQL Injection

The plugin does not sanitise, validate or escape the id GET parameter before using it in a SQL statement when deleting donations, leading to an authenticated SQL injection...
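The two Paytm entries above describe the classic shape of this bug: an integer taken from the id GET parameter is dropped straight into a DELETE statement. The following is an added example written for this page, not the Paytm plugin's code; the table name wp_acme_donations, the option and action names, and the nonce action are hypothetical, and the handler is assumed to be an admin-ajax action reachable only by administrators, as in the advisory.

```php
<?php
// Added example, not the Paytm plugin's code. Assumed: a hypothetical table
// {$wpdb->prefix}acme_donations with an integer primary key "id", and an admin-ajax
// action that deletes one donation by the "id" GET parameter, as in the entries above.

// VULNERABLE: the untrusted parameter is concatenated into the statement.
// ?id=1 OR 1=1 deletes every row; ?id=1 AND SLEEP(5) confirms the injection blind.
function acme_delete_donation_insecure() {
    global $wpdb;
    $table = $wpdb->prefix . 'acme_donations';
    $wpdb->query( "DELETE FROM {$table} WHERE id = " . $_GET['id'] );
}

// FIXED: validate the type first, then let $wpdb bind the value through a placeholder.
// The nonce and capability checks are there because a state-changing GET handler is
// otherwise also a CSRF target, independent of the injection.
function acme_delete_donation() {
    global $wpdb;
    check_ajax_referer( 'acme_delete_donation', 'nonce' );   // hypothetical nonce action
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;   // absint(): non-numeric input becomes 0
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }
    $table = $wpdb->prefix . 'acme_donations';
    // $wpdb->prepare() accepts %d, %s and %f placeholders. The table name is interpolated
    // because it is not user input. $wpdb->delete( $table, array( 'id' => $id ), array( '%d' ) )
    // would build the same statement.
    $deleted = $wpdb->query( $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d", $id ) );
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
add_action( 'wp_ajax_acme_delete_donation', 'acme_delete_donation' );
```

The check a reviewer wants on any $wpdb call is that every variable reaching the SQL string either passed through prepare() as a placeholder value or is a constant the plugin itself controls; `esc_sql()` on its own is not a substitute, because it only escapes quotes and does nothing for an unquoted numeric position like the one here.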

1.8AI Score

2021-07-24 12:00 AM
92
hackerone

Stripe: Without verifying email and activate account, user can perform all action which are not supposed to be done

A researcher discovered that it was possible to access a subset of livemode dashboard functionality without verifying the account's email address. The livemode functionality in question was disabled in the UI, but could be accessed on the backend. Following this report, Stripe performed an...

6.5AI Score

2021-07-21 03:44 PM
14
malwarebytes

ID theft ghouls targeting Surfside victims is appalling, but no surprise

We’ve written at length about account compromise and identity theft, and how criminals will often hijack accounts belonging to dead people. In many ways, it’s the perfect crime for anyone indulging in social engineering. The amount of abandoned accounts due to death can only ever go up, and nobody....

-0.4AI Score

2021-07-21 03:33 PM
42
wpvulndb

Charitable - Donation Plugin < 1.6.51 - Unauthenticated Stored Cross-Site Scripting

While fixing an Authenticated Stored Cross-Site Scripting issue (https://wpscan.com/vulnerability/a5837621-ee6e-4876-9f65-82658fc0341f), the vendor identified another Cross-Site Scripting issue, which could be exploited by unauthenticated users and would be triggered in the context of a logged in.....


2021-07-21 12:00 AM
6
wpexploit

Charitable - Donation Plugin < 1.6.51 - Unauthenticated Stored Cross-Site Scripting

While fixing an Authenticated Stored Cross-Site Scripting issue (https://wpscan.com/vulnerability/a5837621-ee6e-4876-9f65-82658fc0341f), the vendor identified another Cross-Site Scripting issue, which could be exploited by unauthenticated users and would be triggered in the context of a logged in.....


2021-07-21 12:00 AM
296
wpexploit

Charitable – Donation Plugin < 1.6.51 - Authenticated Stored Cross-Site Scripting (XSS)

The plugin is affected by an authenticated stored cross-site scripting vulnerability which was found in the add donation...

0.7AI Score

2021-07-21 12:00 AM
279
wpvulndb

Charitable – Donation Plugin < 1.6.51 - Authenticated Stored Cross-Site Scripting (XSS)

The plugin is affected by an authenticated stored cross-site scripting vulnerability which was found in the add donation feature. PoC 1. Go to /wp-admin/edit.php?post_type=donation 2. Add new donation 3. In the first or last name forms, add the XSS payload 4. Save and the XSS payload will be...

1.8AI Score

2021-07-21 12:00 AM
5
oraclelinux

Unbreakable Enterprise kernel security update

[5.4.17-2102.203.5] - rds/ib: move rds_ib_clear_irq_miss() to .h file (Manjunath Patil) [Orabug: 33044344] [5.4.17-2102.203.4] - rds/ib: recover rds connection from interrupt loss scenario (Manjunath Patil) [Orabug: 32974199] - Revert Allow mce to reset instead of panic on UE (William Roche) ...

7.8CVSS

0.1AI Score

2021-07-16 12:00 AM
272
oraclelinux

Unbreakable Enterprise kernel-container security update

[5.4.17-2102.203.5] - rds/ib: move rds_ib_clear_irq_miss() to .h file (Manjunath Patil) [Orabug: 33044344] [5.4.17-2102.203.4] - rds/ib: recover rds connection from interrupt loss scenario (Manjunath Patil) [Orabug: 32974199] - Revert 'Allow mce to reset instead of panic on UE' (William...

7.8CVSS

0.1AI Score

2021-07-16 12:00 AM
485
hackerone

Stripe: HTML Injection in the Invoice memos field

Summary: In customer invoices a memo field is vulnerable to HTML injection, so I can take over any victim's account with the auto-save functionality through HTML injection. Basically, when we saved the login credentials in our browser and tried to log in to the account, the browser automatically fills the...

7.5AI Score

2021-07-12 02:58 AM
22
hackerone

Stripe: Email change or personal data change on the account.

@dk82hg found the email change flow on indiehackers.com was vulnerable to an insecure direct object reference (IDOR) which allowed an attacker to change the email associated with a user account to one they owned and ultimately take over a victim’s account in certain situations. A fix was shipped...

7AI Score

2021-07-02 03:18 PM
16
rapid7blog

3 Takeaways From The 2021 VDBIR: It’s An Appandemic

VDBIR Overview “Appandemic” sounds a bit like “appendectomy.” From a societal standpoint, it’s almost as alarming — if not more so — as the surgical procedure is from a personal standpoint. Because in the midst of the global pandemic we’ve all experienced over the past year and a half, web...


2021-06-25 07:05 PM
45
threatpost

Musk-Themed '$SpaceX' Cryptoscam Invades YouTube Ads

YouTube fans have been swindled out of almost $1 million (and counting) thanks to an extremely convincing fake SpaceX crypto-coin campaign that uses a popular decentralized finance protocol called Uniswap. The scam is rearing its Elon-Musk-themed head in ads on YouTube that show up before and...

-0.5AI Score

2021-06-24 03:44 PM
53
krebs

How Cyber Sleuths Cracked an ATM Shimmer Gang

In 2015, police departments worldwide started finding ATMs compromised with advanced new "shimming" devices made to steal data from chip card transactions. Authorities in the United States and abroad had seized many of these shimmers, but for years couldn't decrypt the data on the devices. This is....

7AI Score

2021-06-23 12:49 PM
31
code423n4

User deposits can be turned into sponsors and then be stolen

Handle: cmichel. Vulnerability details: When a user deposits to the treasury they first approve the contract and then call its deposit action, which performs an ERC20.transferFrom. It's possible for an attacker to frontrun the final deposit transaction after the user approval and...

6.9AI Score

2021-06-16 12:00 AM
6
wpexploit

Stripe Payment Gateway for WooCommerce < 3.6.0 - Reflected Cross-Site Scripting (XSS)

The plugin did not sanitise or escape the page parameter before outputting back in an attribute, leading to a reflected Cross-Site Scripting...

-0.2AI Score

2021-06-07 12:00 AM
282
wpvulndb

Stripe Payment Gateway for WooCommerce < 3.6.0 - Reflected Cross-Site Scripting (XSS)

The plugin did not sanitise or escape the page parameter before outputting back in an attribute, leading to a reflected Cross-Site Scripting issue...

1AI Score

2021-06-07 12:00 AM
7
patchstack

WordPress Stripe Payment Gateway for WooCommerce plugin <= 3.5.9 - Reflected Cross-Site Scripting (XSS) vulnerability

Reflected Cross-Site Scripting (XSS) vulnerability discovered in WordPress Stripe Payment Gateway for WooCommerce plugin (versions <= 3.5.9). Solution Update the WordPress Stripe Payment Gateway for WooCommerce plugin to the latest available version (at least...

2.3AI Score

2021-06-07 12:00 AM
6
openvas

5.3AI Score

0.001EPSS

2021-06-04 12:00 AM
3
openvas

6.4AI Score

0.001EPSS

2021-06-04 12:00 AM
3
veracode

Denial Of Service (DoS)

@worker-tools/stripe-webhook is vulnerable to denial of service. The verifyHeader is not an async function in the webhook and causes an error to be thrown after the request has...

2.7AI Score

2021-05-31 06:28 AM
7
github

constructEvent does not verify header

Impact: Anyone verifying a Stripe webhook request via this library's constructEvent function. Patches: Upgrade to 1.1.4. Workarounds: Use await verifyHeader(...) directly instead of constructEvent. References...

1.5AI Score

2021-05-28 07:18 PM
56
osv

constructEvent does not verify header

Impact: Anyone verifying a Stripe webhook request via this library's constructEvent function. Patches: Upgrade to 1.1.4. Workarounds: Use await verifyHeader(...) directly instead of constructEvent. References...

1.5AI Score

2021-05-28 07:18 PM
9
prion

Cross site scripting

The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.10.4 did not sanitise or escape the Background Image field of its Stripe Checkout Setting and Logo field in its Email settings, leading to authenticated (admin+) Stored XSS...

4.8CVSS

4.8AI Score

0.001EPSS

2021-05-17 05:15 PM
2
cve

CVE-2021-24315

The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.10.4 did not sanitise or escape the Background Image field of its Stripe Checkout Setting and Logo field in its Email settings, leading to authenticated (admin+) Stored XSS...

4.8CVSS

4.7AI Score

0.001EPSS

2021-05-17 05:15 PM
28
cvelist

CVE-2021-24315 Give WP < 2.10.4 - Authenticated Stored Cross-Site Scripting (XSS)

The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.10.4 did not sanitise or escape the Background Image field of its Stripe Checkout Setting and Logo field in its Email settings, leading to authenticated (admin+) Stored XSS...

5.4AI Score

0.001EPSS

2021-05-17 04:48 PM
2
huntr

Cross-site Scripting (XSS) - Generic in utmsigep/member-directory

✍️ Description Non-administrative functions display success banners after multiple actions that reflect user-input directly without sanitization. 🕵️‍♂️ Proof of Concept Donation Creation and Update Donations - New Donation Enter XSS payloads into the fields Last Name, First Name and Receipt ID,...

1AI Score

2021-05-15 01:20 PM
3
threatpost

DarkSide Suffers ‘Oh, Crap!’ Server Shutdowns

DarkSide, the ransomware-as-a-service (RaaS) gang that crippled Colonial Pipeline Co. a week ago, extorted around $5 million, and sent the fuel company a decryption tool that reportedly could barely limp through the process of unlocking files, has now been paralyzed itself. In the wee hours of...

-0.6AI Score

2021-05-14 04:05 PM
25
pentestpartners

Echelon PII Leak and Disclosure Fail

Echelon (Echelon Fitness) is a competitor to companies such as Peloton. You buy the hardware, quickly assemble it, buy a subscription, use a built-in or external smart device and you do your exercise thing! However, their API had significantly worse security flaws than those we found in Peloton....

6.6AI Score

2021-05-14 05:11 AM
127
threatpost

DarkSide Wanted Money, Not Disruption from Colonial Pipeline Attack

Threat actors behind last week’s Colonial Pipeline ransomware attack that crippled a major U.S. oil pipeline said that financial gain–not political, economic or social disruption–is the goal of their nefarious activities, vowing to choose their targets more carefully in the future. Join...

-0.2AI Score

2021-05-11 02:45 PM
122
threatpost

Colonial Pipeline's Ransomware Attack Sparks Emergency Declaration

The Biden administration has declared a state of emergency that covers 17 states and Washington D.C. in the wake of the ransomware attack on the Colonial Pipeline Co., and is working with Colonial to restart operations. On Monday morning, FireEye also confirmed to Threatpost that it’s been called.....

-0.2AI Score

2021-05-10 05:42 PM
64
hackerone

Stripe: Object injection in `stripe-billing-typographic` GitHub project via /auth/login

Summary: It is possible to use an object injection failure to achieve a SQL injection, where an attacker uses it to bypass authentication, requiring only a valid password within the database. The vulnerable code is: https://github.com/stripe/stripe-billing-typographic For a failure to occur,...

7.7AI Score

2021-05-03 10:14 PM
15
wpvulndb

Give WP < 2.10.4 - Authenticated Stored Cross-Site Scripting (XSS)

The plugin did not sanitise or escape the Background Image field of its Stripe Checkout Setting and Logo field in its Email settings, leading to authenticated (admin+) Stored XSS issues. Notes (WPScanTeam) - The original reporter mentioned the issue being fixed in 2.10.2, but we could still...

4.8CVSS

0.7AI Score

2021-04-30 12:00 AM
13
wpexploit

Give WP < 2.10.4 - Authenticated Stored Cross-Site Scripting (XSS)

The plugin did not sanitise or escape the Background Image field of its Stripe Checkout Setting and Logo field in its Email settings, leading to authenticated (admin+) Stored XSS issues. Notes (WPScanTeam) - The original reporter mentioned the issue being fixed in 2.10.2, but we could still...

4.8CVSS

0.1AI Score

2021-04-30 12:00 AM
50
wpvulndb

Easy Digital Downloads < 2.10.3 - Unauthorised Stripe Disconnect via CSRF

The plugin did not properly check for CSRF when disconnecting Stripe, allowing attackers to make logged-in users with the manage_options capability disconnect the Stripe gateway via a CSRF attack. PoC...

2.8AI Score

2021-04-16 12:00 AM
7
wpexploit

Easy Digital Downloads < 2.10.3 - Unauthorised Stripe Disconnect via CSRF

The plugin did not properly check for CSRF when disconnecting Stripe, allowing attackers to make logged-in users with the manage_options capability disconnect the Stripe gateway via a CSRF...

3.7AI Score

2021-04-16 12:00 AM
79
prion

Cross site scripting

The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.10.0 was affected by a reflected Cross-Site Scripting vulnerability inside of the administration panel, via the 's' GET parameter on the Donors...

6.1CVSS

6AI Score

0.001EPSS

2021-04-12 02:15 PM
3
cve

CVE-2021-24213

The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.10.0 was affected by a reflected Cross-Site Scripting vulnerability inside of the administration panel, via the 's' GET parameter on the Donors...

6.1CVSS

6AI Score

0.001EPSS

2021-04-12 02:15 PM
37
cvelist

CVE-2021-24213 GiveWP < 2.10.0 - Reflected Cross Site Scripting (XSS)

The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.10.0 was affected by a reflected Cross-Site Scripting vulnerability inside of the administration panel, via the 's' GET parameter on the Donors...
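The cross-site scripting entries on this page are all output-escaping omissions in the WordPress admin: GiveWP's Donation Level text and its Background Image and Logo URL settings (stored), Charitable's donor first and last name fields (stored, in one case writable by an unauthenticated donor), and the GiveWP Donors screen's s search parameter above (reflected). The following is an added example for this page, not code from GiveWP or Charitable; the option names, the function names and the donors-screen markup are hypothetical.

```php
<?php
// Added example, not GiveWP's or Charitable's code. Assumed: a hypothetical plugin storing a
// "background image" URL and a "donation level" label as options, and an admin list screen
// that echoes its "s" search parameter back into the search box, mirroring the entries above.

// VULNERABLE output: the stored URL lands in an attribute, the label in element text and the
// search term in a value attribute, all unescaped. A value such as
//   " onerror="alert(document.domain)
// in the image field, or the same string in ?s=, runs in the browser of whoever views the screen.
function acme_render_insecure() {
    $bg    = get_option( 'acme_bg_image' );
    $label = get_option( 'acme_level_label' );
    $s     = isset( $_GET['s'] ) ? $_GET['s'] : '';
    echo '<img src="' . $bg . '">';
    echo '<h2>' . $label . '</h2>';
    echo '<input name="s" value="' . $s . '">';
}

// FIXED: escape at the moment of output, choosing the function by the context the value lands in.
function acme_render() {
    $bg    = get_option( 'acme_bg_image' );
    $label = get_option( 'acme_level_label' );
    $s     = isset( $_GET['s'] ) ? wp_unslash( $_GET['s'] ) : '';
    echo '<img src="' . esc_url( $bg ) . '">';             // URL context; also rejects javascript: schemes
    echo '<h2>' . esc_html( $label ) . '</h2>';            // element text
    echo '<input name="s" value="' . esc_attr( $s ) . '">'; // attribute context
}

// Defence in depth: sanitise on save so stored values are already well-formed. This does not
// replace output escaping; a different template may print the same option somewhere else.
add_action( 'admin_init', function () {
    register_setting( 'acme', 'acme_bg_image',    array( 'sanitize_callback' => 'esc_url_raw' ) );
    register_setting( 'acme', 'acme_level_label', array( 'sanitize_callback' => 'sanitize_text_field' ) );
} );
```

Two caveats a practitioner should keep in mind when triaging entries like these. First, the low CVSS on the admin-only stored cases reflects that a single-site administrator already holds the unfiltered_html capability and can post script anyway; the bug matters on multisite, where that capability is withheld from site admins, and in the Charitable variant where the value is written by an unauthenticated donor and rendered for a logged-in user. Second, esc_attr() is the right call for an attribute but not for a URL attribute: a javascript: URL survives esc_attr() untouched and only esc_url() removes it.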

5.9AI Score

0.001EPSS

2021-04-12 02:00 PM
2
github

Behind GitHub’s new authentication token formats

We're excited to share a deep dive into how our new authentication token formats are built and how these improvements are keeping your tokens more secure. As we continue to focus on the security of our platform and services across the web, this update shows how big an impact simple changes can...

-0.2AI Score

2021-04-05 04:31 PM
138
osv

CVE-2021-21420

vscode-stripe is an extension for Visual Studio Code. A vulnerability in Stripe for Visual Studio Code extension exists when it loads an untrusted source-code repository containing malicious settings. An attacker who successfully exploited the vulnerability could run arbitrary code in the context.....

7.8CVSS

7.3AI Score

0.001EPSS

2021-04-01 10:15 PM
3
prion

Code injection

vscode-stripe is an extension for Visual Studio Code. A vulnerability in Stripe for Visual Studio Code extension exists when it loads an untrusted source-code repository containing malicious settings. An attacker who successfully exploited the vulnerability could run arbitrary code in the context.....

7.8CVSS

7.7AI Score

0.001EPSS

2021-04-01 10:15 PM
5
cve

CVE-2021-21420

vscode-stripe is an extension for Visual Studio Code. A vulnerability in Stripe for Visual Studio Code extension exists when it loads an untrusted source-code repository containing malicious settings. An attacker who successfully exploited the vulnerability could run arbitrary code in the context.....

7.8CVSS

7.7AI Score

0.001EPSS

2021-04-01 10:15 PM
53
cvelist

CVE-2021-21420 Vulnerability in Stripe for Visual Studio Code < 1.7.3

vscode-stripe is an extension for Visual Studio Code. A vulnerability in Stripe for Visual Studio Code extension exists when it loads an untrusted source-code repository containing malicious settings. An attacker who successfully exploited the vulnerability could run arbitrary code in the context.....

7.8AI Score

0.001EPSS

2021-04-01 09:40 PM
2
threatpost

Fraud Ring Launders Money Via Fake Charity Donations

A money-laundering fraud ring is targeting donation sites, taking advantage of the outpouring of charity sparked by the global pandemic. Dubbed Cart Crasher by the Sift security firm, the fraud ring leverages guest checkout options on donation sites to steal money and launder stolen payment cards.....

-0.8AI Score

2021-03-31 06:26 PM
46
Total number of security vulnerabilities: 980