
Accept Stripe Donation – AidWP Security Vulnerabilities

malwarebytes

The effects of climate change on cybersecurity

Outside the coronavirus pandemic and its related healthcare and economic fallout, climate change and cybersecurity are seen by many as the two most urgent problems facing our planet now and in the near future. They are two distinct and separate problems, to be sure. There are some areas, however,.....

AI Score: -0.5 | 2020-03-13 06:55 PM

hackerone

Node.js third-party modules: [express-cart] Wide CSRF in application

NOTE! Thanks for submitting a report! Please replace all the [square] sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! I would like to report CSRF in...

2020-02-20 08:09 AM

hackerone

Nord Security: Hard-coded API keys at NordVpn Android App

Hello NordVpn, APK Version : 4.6.2 APIs at res/values/strings.xml Google google_api_key = AIzaSyBySEqk7_WWee9bxpw5BM1eJeUx1TWdH_E Stripe stripe_publishable_api_key = pk_live_j1Mt911wyZwAhATA9TYdA8q2 Reference: https://stripe.com/docs/keys Impact Cleartext Storage of Sensitive...

AI Score: 6.9 | 2020-02-11 12:42 AM

malwarebytes

Battling online coronavirus scams with facts

Panic and confusion about the recent coronavirus outbreak spurred threat actors to launch several malware campaigns across the world, relying on a tried-and-true method to infect people’s machines: fear. Cybercriminals targeted users in Japan with an Emotet campaign that included malicious Word...

AI Score: -0.3 | 2020-02-10 04:56 PM

securelist

Happy New Fear! Gift-wrapped spam and phishing

Pre-holiday spam Easy money In the run-up to Christmas and New Year, scam e-mails mentioning easy pickings, lottery winnings, and other cash surprises are especially popular. All the more so given how simple it is to adapt existing schemes simply by mentioning the holiday in the subject line. For.....

AI Score: 0.2 | 2020-02-07 10:01 AM

threatpost

Dropbox Passes $1M Milestone for Bug-Bounty Payouts

Dropbox, the cloud-based file-sharing service, has reported that it has paid out more than $1 million to bug-bounty hunters since starting its program in 2014. The milestone comes after the service tripled its bounties in 2017, and after running two live hacking events with the HackerOne platform.....

AI Score: -0.5 | 2020-02-06 12:00 PM

talos

Accusoft ImageGear TIFF TIF_read_stripdata code execution vulnerability

Summary An exploitable out-of-bounds write vulnerability exists in the TIF_read_stripdata function of the igcore19d.dll library of Accusoft ImageGear 19.5.0. A specially crafted TIFF file can cause an out-of-bounds write, resulting in remote code execution. An attacker needs to provide a...

CVSS: 8.8 | AI Score: -0.6 | EPSS: 0.009 | 2020-02-05 12:00 AM

krebs

Wawa Breach May Have Compromised More Than 30 Million Payment Cards

In late December 2019, fuel and convenience store chain Wawa Inc. said a nine-month-long breach of its payment card processing systems may have led to the theft of card data from customers who visited any of its 850 locations nationwide. Now, fraud experts say the first batch of card data stolen...

AI Score: 6.7 | 2020-01-28 08:12 PM

kitploit

CredNinja - A Multithreaded Tool Designed To Identify If Credentials Are Valid, Invalid, Or Local Admin Valid Credentials Within A Network At-Scale Via SMB, Plus Now With A User Hunter

This tool is intended for penetration testers who want to perform an engagement quickly and efficiently. While this tool can be used for more covert operations (including some additions below), it really shines when used at the scale of a large network. At the core of it, you provide it a list...

AI Score: 7.1 | 2020-01-27 09:00 PM

hackerone

Stripo Inc: Information disclosure through Server side resource forgery

Summary: The application https://my.stripo.email has a template feature where we can enter HTML code. By including an iframe in the html template, I was able to make a call to my server. This exposed an internally running web application. Please refer below, 63.33.82.168 - -...

AI Score: 0.1 | 2020-01-25 02:57 AM

threatpost

Card Skimmer Hits Australian Bushfire Donation Site

Concerned global citizens making donations to help fight the massive Australia bushfires have been caught up in a Magecart attack, after one of the groups implanted a payment-card skimmer on the check-out page of a legitimate online donation site. Researchers ran across the Magecart script, named.....

AI Score: 0.4 | EPSS: 0.001 | 2020-01-14 08:39 PM

threatpost

Cybercriminals Fill Up on Gas Pump Transaction Scams Ahead of Oct. Deadline

Gas stations are gearing up for a major change in credit-card fraud liability in October, when they will find themselves on the hook for card-skimming attacks at the pump. In the meantime though, cybercriminals will be targeting pay-at-the-pump point-of-sale mechanisms with a vengeance,...

AI Score: 0.2 | 2020-01-03 06:22 PM

threatpost

Data Breach Affects 63 Landry's Restaurants

Dining giant Landry’s disclosed a data breach, Thursday, warning that malware had infected its order-entry systems to steal customers’ payment card information. Landry’s, which owns over 600 popular American restaurants across 35 states, such as Del Frisco’s Grill, McCormick & Schmick’s,...

AI Score: 0.5 | 2020-01-02 08:55 PM

thn

Landry's Restaurant Chain Suffers Payment Card Theft Via PoS Malware

Landry's, a popular restaurant chain in the United States, has announced a malware attack on its point of sale (POS) systems that allowed cybercriminals to steal customers' payment card information. Landry's owns and operates more than 600 bars, restaurants, hotels, casinos, food and beverage...

2020-01-02 08:11 PM

patchstack

WordPress Donorbox plugin 7.1-7.1.1 - Stored Cross-Site Scripting (XSS) via plugin shortcode

Stored Cross-Site Scripting (XSS) found by Sybre Waaijer in WordPress Donorbox plugin (versions 7.1-7.1.1). Solution Update the WordPress Donorbox plugin to the latest available version (at least...

AI Score: 2.8 | 2020-01-02 12:00 AM

wpvulndb

Donorbox 7.1~7.1.1 - Stored Cross-Site Scripting via Shortcode

In Donorbox WordPress plugin, one can perform an XSS attack via the included shortcode by inserting arbitrary HTML attributes. This vulnerability was introduced in v7.1 and fixed in v7.1.2. PoC [donate url='/?" autofocus onfocus="alert(window)"...

AI Score: 2.4 | 2019-12-31 12:00 AM
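
The two Donorbox entries above describe one bug class: a shortcode attribute is written into an HTML attribute without escaping, so a value containing a double quote closes the attribute and everything after it is parsed as new attributes. The Python below is an added example to illustrate that pattern; it is not the plugin's code (the plugin is PHP, where the equivalent fix is esc_attr() or esc_url()), and the template, the attribute name `url` and the render/parse helpers are assumptions. It feeds the PoC payload quoted above (minus its trailing quote, so the demonstration markup stays well formed; browsers' error-tolerant parsing would accept it either way) through a vulnerable and a hardened renderer, then parses each result with Python's standard-library HTML parser to show what a browser would actually see.

```python
import html
from html.parser import HTMLParser

# Added example, not the Donorbox plugin's code: a minimal re-creation of
# the bug class. A shortcode attribute (here `url`) is interpolated into the
# href of the rendered button. The vulnerable path does it verbatim; the
# hardened path escapes for HTML attribute context (the WordPress
# equivalents are esc_attr() / esc_url()).

# Payload from the wpvulndb PoC quoted above, without its trailing quote.
# The double quote after "/?" ends the href value and the remainder is
# parsed as further attributes of the <a> tag.
PAYLOAD = '/?" autofocus onfocus="alert(window)'

# Assumed render template; the real plugin's markup differs.
TEMPLATE = '<a class="donate-button" href="%s">Donate</a>'


def render_vulnerable(url):
    """Interpolates the attribute value without any escaping."""
    return TEMPLATE % url


def render_hardened(url):
    """Escapes &, <, >, " and ' so the value cannot break out of the quotes."""
    return TEMPLATE % html.escape(url, quote=True)


class AnchorAttrs(HTMLParser):
    """Collects the attributes of the first <a> tag, as a browser would see them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def parsed_attrs(markup):
    parser = AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def has_event_handler(markup):
    """True if any on* attribute survives parsing. Searching the raw markup
    for 'onfocus=' would be wrong here: the hardened output still contains
    that text, but inside an escaped attribute value where it is inert."""
    return any(name.startswith("on") for name in parsed_attrs(markup))


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        markup = render(PAYLOAD)
        print(label, markup)
        print("  parsed attributes:", parsed_attrs(markup))
        print("  event handler injected:", has_event_handler(markup))
```

The check is done on parsed attributes rather than on the string because the hardened output still contains the literal text of the payload; the difference is only whether the quote that ends the attribute came from the template or from the user.
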
threatpost

FIN8 Targets Card Data at Fuel Pumps

The notorious FIN8 cybercrime group has a new target when it comes to skimming payment-card details from consumers: Point-of-sale (PoS) systems used at fuel pumps at gas stations. Visa warned this week in a public alert posted online that its Payment Fraud Disruption (PFD) department has seen at...

AI Score: 0.1 | 2019-12-13 02:51 PM

krebs

Sale of 4 Million Stolen Cards Tied to Breaches at 4 Restaurant Chains

On Nov. 23, one of the cybercrime underground's largest bazaars for buying and selling stolen payment card data announced the immediate availability of some four million freshly-hacked debit and credit cards. KrebsOnSecurity has learned this latest batch of cards was siphoned from four different...

AI Score: 6.9 | 2019-11-26 01:32 PM

threatpost

Mozilla Bug Bounty Program Doubles Payouts, Adds Firefox Monitor

Mozilla is bumping up its bug bounty payouts and has added new websites and services – including the recently deployed Firefox Monitor– to its bug bounty program in hopes of attracting more researchers to sniff out vulnerabilities. The browser-maker is doubling bug bounty payouts for most of its...

EPSS: 0.024 | 2019-11-20 09:04 PM

malwarebytes

A week in security (October 28 – November 3)

Last week on Malwarebytes Labs, we celebrated the birth of the Internet 50 years ago, highlighted reports about the US Federal Trade Commission (FTC) filing a case against stalkerware developer Retina-X, issued a PSA on disaster donation scams, looked at the top cybersecurity challenges SMBs face,....

AI Score: -0.4 | 2019-11-04 04:37 PM

cve

CVE-2019-16251

plugin-fw/lib/yit-plugin-panel-wc.php in the YIT Plugin Framework through 3.3.8 for WordPress allows authenticated options...

CVSS: 4.3 | AI Score: 4.4 | EPSS: 0.001 | 2019-10-31 05:15 PM

patchstack

WordPress YITH WooCommerce Stripe plugin <=2.0.1 - Authenticated Settings Change (YITH Plugin Framework <=3.3.8) vulnerability

Authenticated Settings Change (YITH Plugin Framework <=3.3.8) vulnerability found by Jerome Bruandet in WordPress YITH WooCommerce Stripe plugin <=2.0.1. Solution Update the WordPress YITH WooCommerce Stripe plugin to the latest available version (at least...

CVSS: 4.3 | AI Score: 2.3 | EPSS: 0.001 | 2019-10-31 12:00 AM

wpvulndb

AI Score: 2.1 | EPSS: 0.001 | CVSS: 4 | 2019-10-31 12:00 AM

malwarebytes

Help prevent disaster donation scams from causing more misery

It’s a sad day when we have to warn people about medical charity scams, or tax fakeouts, or even have a week dedicated to foiling charity fraud—but here we are. With so many natural disasters occurring, from wildfires in California to tornadoes in Dallas, disaster donation scams remain a top...

AI Score: 0.9 | 2019-10-30 08:36 PM

krebs

Takeaways from the $566M BriansClub breach

Reporting on the exposure of some 26 million stolen credit cards leaked from a top underground cybercrime store highlighted some persistent and hard truths. Most notably, that the world's largest financial institutions tend to have a much better idea of which merchants and bank cards have been...

AI Score: 6.8 | 2019-10-29 09:47 PM

cve

CVE-2015-9529

The Easy Digital Downloads (EDD) Stripe extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is...

CVSS: 6.1 | AI Score: 6 | EPSS: 0.001 | 2019-10-23 04:15 PM

nvd

CVE-2015-9529

The Easy Digital Downloads (EDD) Stripe extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is...

CVSS: 6.1 | AI Score: 6.1 | EPSS: 0.001 | 2019-10-23 04:15 PM

prion

Design/Logic Flaw

The Easy Digital Downloads (EDD) Stripe extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is...

CVSS: 6.1 | AI Score: 6.3 | EPSS: 0.001 | 2019-10-23 04:15 PM

cvelist

CVE-2015-9529

The Easy Digital Downloads (EDD) Stripe extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is...

AI Score: 6.1 | EPSS: 0.001 | 2019-10-23 03:57 PM

krebs

“BriansClub” Hack Rescues 26M Stolen Cards

"BriansClub," one of the largest underground stores for buying stolen credit card data, has itself been hacked. The data stolen from BriansClub encompasses more than 26 million credit and debit card records taken from hacked online and brick-and-mortar retailers over the past four years, including....

AI Score: 6.7 | 2019-10-15 11:05 AM

pentestpartners

Mapping the Attack Surface of an Airport

Aviation security is a complex environment. What first sparked my interest in avionics security was a comment from an airport customer of ours. They had seen the media coverage of the DHS work against a Boeing 757 a few years ago and were concerned that an ‘infected’ airplane might create a fresh.....

AI Score: 7.5 | 2019-10-11 05:45 AM

trendmicroblog

This Week in Security News: IoT Devices Are a Target in Cybercriminal Underground

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how fileless malware abuses PowerShell. Also, read how Trend Micro researchers are pulling back the curtain on the cybercriminal...

AI Score: 8.5 | EPSS: 0.04 | 2019-09-13 01:18 PM

kitploit

gitGraber - Tool To Monitor GitHub To Search And Find Sensitive Data For Different Online Services Such As: Google, Amazon, Paypal, Github, Mailgun, Facebook, Twitter, Heroku, Stripe...

gitGraber is a tool developed in Python3 to monitor GitHub to search and find sensitive data for different online services such as: Google, Amazon, Paypal, Github, Mailgun, Facebook, Twitter, Heroku, Stripe... How it work ? It's important to understand that gitGraber is not designed to check...

AI Score: 7.4 | 2019-09-10 12:00 PM
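
The NordVPN report earlier on this page (a Stripe publishable key and a Google API key in res/values/strings.xml) and gitGraber are two sides of the same problem: credentials have recognisable shapes, so they can be found by pattern, by defenders and by attackers alike. The Python below is an added example, not gitGraber's code and not the report's content; it runs offline over a constructed strings.xml with made-up keys. The key prefixes follow the formats Stripe and Google publish; the length bounds, the severity labels and the helper names are assumptions. The triage step is the part worth copying: per the Stripe key documentation the report references, a publishable (pk_) key is designed to be embedded in client code, whereas a secret (sk_) or restricted (rk_) key in a client binary is a genuine leak, and a Google API key needs a look at which APIs and referrer restrictions it carries before it can be rated.

```python
import re

# Added example (not gitGraber's code and not from the HackerOne report):
# a small offline scanner for credential-shaped strings in text such as an
# APK's res/values/strings.xml. Prefixes follow Stripe's and Google's
# documented key formats; the length bounds are an assumption chosen to be
# permissive rather than exact.
PATTERNS = {
    "stripe_secret_key":      re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}"),
    "stripe_restricted_key":  re.compile(r"\brk_(?:live|test)_[0-9A-Za-z]{16,}"),
    "stripe_publishable_key": re.compile(r"\bpk_(?:live|test)_[0-9A-Za-z]{16,}"),
    "google_api_key":         re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
}

# Triage (assumed labels): a Stripe publishable key is meant to ship to
# clients, so finding one in an app is expected; a secret or restricted key
# in a client binary is a real credential leak; a Google API key needs
# manual review because its impact depends on the APIs it is enabled for
# and on its application/referrer restrictions.
SEVERITY = {
    "stripe_secret_key": "high",
    "stripe_restricted_key": "high",
    "stripe_publishable_key": "info",
    "google_api_key": "review",
}


def redact(token):
    """Keep the prefix and the last four characters so a finding stays
    recognisable without re-publishing the credential in a report or log."""
    return token[:8] + "..." + token[-4:]


def scan(text):
    """Return one finding per matched token, with its line number and a
    redacted copy of the token."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    "kind": kind,
                    "severity": SEVERITY[kind],
                    "line": line_no,
                    "token": redact(match.group(0)),
                })
    return findings


def highest_severity(findings):
    """Worst severity across findings; 'none' when nothing matched."""
    order = ["info", "review", "high"]
    return max((f["severity"] for f in findings), key=order.index, default="none")


# Constructed sample input with fake keys sized to match the patterns above.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">DonationApp</string>
    <string name="google_api_key">AIza0123456789abcdefghijklmnopqrstuvwxy</string>
    <string name="stripe_publishable_api_key">pk_live_EXAMPLEpublishable0000000</string>
    <string name="stripe_secret_api_key">sk_live_EXAMPLEsecretkey00000000</string>
</resources>
"""

if __name__ == "__main__":
    results = scan(SAMPLE_STRINGS_XML)
    for f in results:
        print(f"line {f['line']:>2}  {f['severity']:<6}  {f['kind']:<22}  {f['token']}")
    print("overall:", highest_severity(results))
```

Run it against the unzipped resources of an APK (or a checked-out repository) by reading each file into `scan()`; the line numbers are enough to locate the string, and the redacted token is what should go into the ticket. The patterns deliberately stop at the prefix-plus-body shape and make no attempt to validate a key against the provider, which keeps the scanner offline and avoids exercising a credential you do not own.
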
cve

CVE-2018-21011

The charitable plugin before 1.5.14 for WordPress has unauthorized access to user and donation...

CVSS: 7.5 | AI Score: 7.5 | EPSS: 0.002 | 2019-09-09 01:15 PM

nvd

CVE-2018-21011

The charitable plugin before 1.5.14 for WordPress has unauthorized access to user and donation...

CVSS: 7.5 | AI Score: 7.6 | EPSS: 0.002 | 2019-09-09 01:15 PM

prion

Design/Logic Flaw

The charitable plugin before 1.5.14 for WordPress has unauthorized access to user and donation...

CVSS: 7.5 | AI Score: 7.5 | EPSS: 0.002 | 2019-09-09 01:15 PM

cvelist

CVE-2018-21011

The charitable plugin before 1.5.14 for WordPress has unauthorized access to user and donation...

AI Score: 7.6 | EPSS: 0.002 | 2019-09-09 12:03 PM

cve

CVE-2015-9374

Stripe Add-on for iThemes Exchange before 1.2.0 for WordPress has XSS via add_query_arg() and...

CVSS: 6.1 | AI Score: 6 | EPSS: 0.001 | 2019-08-28 01:15 PM

nvd

CVE-2015-9374

Stripe Add-on for iThemes Exchange before 1.2.0 for WordPress has XSS via add_query_arg() and...

CVSS: 6.1 | AI Score: 6.2 | EPSS: 0.001 | 2019-08-28 01:15 PM

prion

Design/Logic Flaw

Stripe Add-on for iThemes Exchange before 1.2.0 for WordPress has XSS via add_query_arg() and...

CVSS: 6.1 | AI Score: 6.1 | EPSS: 0.001 | 2019-08-28 01:15 PM

cvelist

CVE-2015-9374

Stripe Add-on for iThemes Exchange before 1.2.0 for WordPress has XSS via add_query_arg() and...

AI Score: 6.1 | EPSS: 0.001 | 2019-08-28 12:04 PM

krebs

Breach at Hy-Vee Supermarket Chain Tied to Sale of 5M+ Stolen Credit, Debit Cards

On Tuesday of this week, one of the more popular underground stores peddling credit and debit card data stolen from hacked merchants announced a blockbuster new sale: More than 5.3 million new accounts belonging to cardholders from 35 U.S. states. Multiple sources now tell KrebsOnSecurity that the....

AI Score: 7.1 | 2019-08-22 09:38 PM

talosblog

Talos DEFCON badge build instructions and use

By Patrick Mullen. We want to thank everyone who stopped by the Cisco Talos booth at DEFCON's Blue Team Village earlier this month. We handed out these badges at our area where we had Snort rules challenges, reverse-Capture the Flag and recruiters ready to answer attendees' career advice...

2019-08-21 12:52 PM

cisa

El Paso and Dayton Tragedy-Related Scams and Malware Campaigns

In the wake of the recent shootings in El Paso, TX, and Dayton, OH, the Cybersecurity and Infrastructure Security Agency (CISA) advises users to watch out for possible malicious cyber activity seeking to capitalize on these tragic events. Users should exercise caution in handling emails related to....

AI Score: 6.6 | 2019-08-06 12:00 AM

malwarebytes

New Facebook ad reporting tool launches in UK

Last year, well-known consumer advice expert Martin Lewis decided to take Facebook to court for defamation. The cause? Multiple bogus adverts placed on the social network featuring his likeness, appearing via the ad network Outbrain. As a trusted face in consumer causes, scammers bolting Lewis'...

2019-07-19 03:00 PM

malwarebytes

Steer clear of Bitcoin Cash generators

Here’s an interesting evolution on a well-worn scam, taking one profit generating fakeout and turning it into something else entirely. For years, gamers have been stuck navigating the treacherous waters of fake video game giveaways. With so many actual genuine gaming giveaways around, you’re never....

AI Score: -0.3 | 2019-07-03 06:19 PM

wpvulndb

Simple Mail Address Encoder <= 1.6.1 - Reflected Authenticated XSS

Reflected XSS in the base64 encoded fwurl parameter when the plugin has been used for 30 days and shows a donation notice PoC...

AI Score: 0.9 | EPSS: 0.001 | CVSS: 4.3 | 2019-07-03 12:00 AM

wpexploit

Simple Mail Address Encoder <= 1.6.1 - Reflected Authenticated XSS

Reflected XSS in the base64 encoded fwurl parameter when the plugin has been used for 30 days and shows a donation...

AI Score: 1.9 | EPSS: 0.001 | CVSS: 4.3 | 2019-07-03 12:00 AM

thn

Hackers Stole Customers' Credit Cards from 103 Checkers and Rally's Restaurants

If you have swiped your payment card at the popular Checkers and Rally's drive-through restaurant chains in the past 2-3 years, you should immediately request your bank to block your card and notify it if you notice any suspicious transaction. Checkers, one of the largest drive-through restaurant...

AI Score: 1.5 | 2019-05-31 08:20 AM

threatpost

POS Malware Found at 102 Checkers Restaurant Locations

The popular Checkers and Rally’s drive-through restaurant chain was attacked by Point of Sale (POS) malware impacting 15 percent of its stores across the U.S. Checkers is one of the largest drive-through restaurants in the U.S., operating in 28 states and headquartered in Tampa, Florida. The...

AI Score: 0.1 | 2019-05-30 03:06 PM

Total number of security vulnerabilities: 1112