Accept Stripe Donation – AidWP Security Vulnerabilities

wpvulndb

Give - Donation Plugin < 2.33.1 - Authenticated (Give Manager+) Privilege Escalation

Description: The Give - Donation Plugin plugin for WordPress is vulnerable to privilege escalation due to an insufficient capability check when updating default roles in versions up to, and including, 2.33.0. This makes it possible for authenticated attackers with Give Manager privileges to elevate...

AI Score 7

2023-11-24 12:00 AM
wpvulndb

GiveWP < 2.33.2 - Missing Authorization via handleBeforeGateway

Description: The GiveWP plugin for WordPress is vulnerable to unauthorized donation form access due to a missing check on the handleBeforeGateway function that would ensure that a donation form can be used and is not trashed in versions up to, and including, 2.33.1. There is no real security...

AI Score 7

2023-11-24 12:00 AM
wpvulndb

GiveWP < 2.33.4 - Cross-Site Request Forgery to Stripe Integration Deletion

Description: The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.33.3. This is due to missing or incorrect nonce validation on the give_stripe_disconnect_connect_stripe_account function. This makes it possible for unauthenticated attackers...

CVSS 4.3 | AI Score 6.6 | EPSS 0.001

2023-11-24 12:00 AM
wpvulndb

Stripe Gateway < 7.6.1 - Cross-Site Request Forgery

Description: The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 7.6.1 (exclusive). This is due to missing or incorrect nonce validation on the maybe_handle_redirect function. This makes it possible for unauthenticated...

AI Score 6.6

2023-11-24 12:00 AM
securelist

Consumer cyberthreats: predictions for 2024

In our previous summary of consumer predictions, we delved into tactics that we expected scammers and cybercriminals to use in 2023. As anticipated, they capitalized on major events and cultural crazes, using tricks that ranged from fake Barbie doll deals to exploiting the buzz around long-awaited...

AI Score 7.3

2023-11-23 10:00 AM
wpvulndb

WP Full Stripe Free <= 1.6.1 - Cross-Site Request Forgery

Description: The WP Full Stripe Free plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.1. This is due to missing or incorrect nonce validation via several functions in the ~/include/wp-full-stripe-admin-menu.php file. This makes it possible for...

CVSS 8.8 | AI Score 6.4 | EPSS 0.001

2023-11-23 12:00 AM
wpvulndb

Quill Forms < 3.4.0 - Cross-Site Request Forgery

Description: The Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.0. This is due to missing or...

AI Score 6.7

2023-11-23 12:00 AM
cve

CVE-2023-47816

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin <= 1.7.0.13...

CVSS 5.4 | AI Score 7.4 | EPSS 0.0004

2023-11-22 11:15 PM
prion

Cross-site scripting

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin <= 1.7.0.13...

CVSS 5.4 | AI Score 7.1 | EPSS 0.0004

2023-11-22 11:15 PM
cvelist

CVE-2023-47816 WordPress Charitable Plugin <= 1.7.0.13 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin <= 1.7.0.13...

AI Score 7 | EPSS 0.0004

2023-11-22 10:57 PM
veracode

Arbitrary Price Manipulation

vendure is vulnerable to Arbitrary Price Manipulation. The vulnerability is due to the ability to specify an arbitrary currencyCode as a query parameter to an API call, allowing users to select any currencyCode and thus payments made through Mollie and Stripe in that particular currencyCode are...

AI Score 7

2023-11-20 06:00 AM
hackread

Crypto Scammers Exploit Gaza Crisis, Deceiving Users in Donation Scam

By Deeba Ahmed. Scammers taking advantage of a humanitarian crisis? Well, who saw that coming... This is a post from HackRead.com. Read the original post: Crypto Scammers Exploit Gaza Crisis, Deceiving Users in Donation...

AI Score 7.4

2023-11-19 11:08 PM
cve

CVE-2023-47667

Cross-Site Request Forgery (CSRF) vulnerability in Mammothology WP Full Stripe Free. This issue affects WP Full Stripe Free: from n/a through...

CVSS 8.8 | AI Score 7.3 | EPSS 0.001

2023-11-18 09:15 PM
prion

Cross-site request forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Mammothology WP Full Stripe Free. This issue affects WP Full Stripe Free: from n/a through...

CVSS 8.8 | AI Score 7.2 | EPSS 0.001

2023-11-18 09:15 PM
cvelist

CVE-2023-47667 WordPress WP Full Stripe Free Plugin <= 1.6.1 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Mammothology WP Full Stripe Free. This issue affects WP Full Stripe Free: from n/a through...

AI Score 7 | EPSS 0.001

2023-11-18 08:57 PM
osv

@vendure/core's insecure currencyCode handling allows wrong payment amounts

Impact: Currently, in many Vendure deployments it's possible to select any currencyCode (really any, doesn't need to be assigned to the channel) and pay through Mollie and Stripe in that particular currencyCode. The prices are not transformed. The result is the Order is in Payment Settled in the...

AI Score 7.2

2023-11-17 09:50 PM
github

@vendure/core's insecure currencyCode handling allows wrong payment amounts

Impact: Currently, in many Vendure deployments it's possible to select any currencyCode (really any, doesn't need to be assigned to the channel) and pay through Mollie and Stripe in that particular currencyCode. The prices are not transformed. The result is the Order is in Payment Settled in the...

AI Score 7.2

2023-11-17 09:50 PM
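The veracode, osv and github Vendure entries above describe one flaw: the storefront let the client pick the currencyCode, and the order's untransformed figure was then charged in that currency. What follows is an added example, not Vendure's code, written in Python to show the server-side rule a Stripe or Mollie integration needs: the requested currency must be one the channel actually enables, and the amount must be converted and then expressed in that currency's minor unit (Stripe takes integer minor units, and some currencies have none). The Channel class, rate table, function names and amounts are constructed for the demo; the zero-decimal set is a subset of Stripe's list.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, FrozenSet, Tuple

# Currencies whose minor unit equals the major unit (subset of Stripe's zero-decimal list).
ZERO_DECIMAL = frozenset({"JPY", "KRW", "VND", "CLP", "UGX", "XAF", "XOF"})

# Constructed exchange rates for the demo: 1 unit of the pair's first currency in the second.
RATES: Dict[Tuple[str, str], Decimal] = {
    ("EUR", "USD"): Decimal("1.08"),
    ("EUR", "JPY"): Decimal("160"),
}


@dataclass(frozen=True)
class Channel:
    """Constructed stand-in for a sales channel and the currencies it enables."""
    default_currency: str
    available_currencies: FrozenSet[str]


def minor_exponent(code: str) -> int:
    """Decimal places the payment provider expects for this currency."""
    return 0 if code in ZERO_DECIMAL else 2


def to_minor(amount_major: Decimal, code: str) -> int:
    """Round to the currency's minor unit and return the integer the provider wants."""
    exp = minor_exponent(code)
    rounded = amount_major.quantize(Decimal(1).scaleb(-exp), rounding=ROUND_HALF_UP)
    return int(rounded.scaleb(exp))


def charge_vulnerable(order_total_minor: int, requested_currency: str) -> Tuple[str, int]:
    """The pattern behind the advisory: the order's number is relabelled with whatever
    currency the client asked for. No membership check, no conversion, no minor-unit fix-up."""
    return requested_currency, order_total_minor


def charge_hardened(order_total_minor: int, order_currency: str, requested_currency: str,
                    channel: Channel, rates: Dict[Tuple[str, str], Decimal]) -> Tuple[str, int]:
    """Reject currencies the channel does not enable; convert the order total server-side."""
    requested = requested_currency.upper()
    if requested not in channel.available_currencies:
        raise ValueError(f"currency {requested!r} is not enabled on this channel")
    major = Decimal(order_total_minor).scaleb(-minor_exponent(order_currency))
    if requested != order_currency:
        rate = rates.get((order_currency, requested))
        if rate is None:
            raise ValueError(f"no rate for {order_currency}->{requested}")
        major = major * rate
    return requested, to_minor(major, requested)
```

With a 100.00 EUR order, the vulnerable path charges 10000 JPY (a few dozen euros) if the client asks for JPY; the hardened path refuses JPY unless the channel enables it, and when it does, charges 16000 JPY at the demo rate, not 1,600,000, because JPY has no minor unit.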
wordfence

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 6, 2023 to November 12, 2023)

Wordfence just launched its bug bounty program. Over the next 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Please note there was a minor error in the heading of the email, and this report only runs from November 6th to November 12th. Last week,...

CVSS 8.8 | AI Score 9.7 | EPSS 0.001

2023-11-16 07:16 PM
wordfence

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 30, 2023 to November 5, 2023)

Wordfence just launched its bug bounty program. Over the next 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Last week, there were 79 vulnerabilities disclosed in 64 WordPress Plugins and no WordPress themes that have been added to the Wordfence...

CVSS 9.8 | AI Score 10 | EPSS 0.004

2023-11-09 06:38 PM
osv

Malicious code in stripe-terminal-react-native-dev-app (npm)

-= Per source details. Do not edit below this line.=- Source: ghsa-malware (148f318d6453b35d5563824a26fe185c3df7e96f1a4f12089adbbb556e867459). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI Score 7.2

2023-11-05 04:53 AM
wordfence

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 23, 2023 to October 29, 2023)

Last week, there were 109 vulnerabilities disclosed in 102 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities...

CVSS 9.8 | AI Score 9.9 | EPSS 0.004

2023-11-02 06:40 PM
cve

CVE-2023-44484

Online Blood Donation Management System v1.0 is vulnerable to a Stored Cross-Site Scripting vulnerability. The 'firstName' parameter of the users/register.php resource is copied into the users/member.php document as plain text between tags. Any input is echoed unmodified in the users/member.php...

CVSS 6.1 | AI Score 5.8 | EPSS 0.0005

2023-10-31 10:15 PM
prion

Cross-site scripting

Online Blood Donation Management System v1.0 is vulnerable to a Stored Cross-Site Scripting vulnerability. The 'firstName' parameter of the users/register.php resource is copied into the users/member.php document as plain text between tags. Any input is echoed unmodified in the users/member.php...

CVSS 6.1 | AI Score 5.8 | EPSS 0.0005

2023-10-31 10:15 PM
cvelist

CVE-2023-44484 Online Blood Donation Management System v1.0 - Stored Cross-Site Scripting (XSS)

Online Blood Donation Management System v1.0 is vulnerable to a Stored Cross-Site Scripting vulnerability. The 'firstName' parameter of the users/register.php resource is copied into the users/member.php document as plain text between tags. Any input is echoed unmodified in the users/member.php...

AI Score 6 | EPSS 0.0005

2023-10-31 09:09 PM
code423n4

StakedUSDe contract allows attackers to steal staked USDe tokens of soft-restricted users

Lines of code / Vulnerability details / Description: The modifier called _checkMinShares() is used to ensure that there is always a small non-zero amount of shares in circulation. This is to prevent a donation attack, where an attacker donates a small amount of USDe tokens to the contract and then...

AI Score 6.9

2023-10-30 12:00 AM
code423n4

Shares Manipulation DoS Vulnerability in StakedUSDe

Lines of code: https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/StakedUSDe.sol#L190-L194, https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/StakedUSDe.sol#L225-L239 / Vulnerability details / Impact: The StakedUSDe contract is vulnerable to manipulation by a malicious actor,...

AI Score 6.9

2023-10-30 12:00 AM
code423n4

DoS of the staking functionality due to the check of minimum total supply

Lines of code: https://github.com/code-423n4/2023-10-ethena/blob/ee67d9b542642c9757a6b826c82d0cae60256509/contracts/StakedUSDe.sol#L138-L141 / Vulnerability details / Impact: The StakedUSDe contract can be accidentally blocked if all shares are redeemed before the VESTING_PERIOD end. The...

AI Score 6.9

2023-10-30 12:00 AM
code423n4

Malicious user can completely prevent all users or users without large funds from staking

Lines of code / Vulnerability details / Vulnerability Details: To prevent the issue with the first-depositor attack (donation attack, as written in the comments of _checkMinShares in StakedUSDe.sol) to the staking vault, the _checkMinShares function is implemented in the StakedUSDe.sol contract when...

AI Score 6.8

2023-10-30 12:00 AM
code423n4

In for a penny, in for ten quadrillion dollars

Lines of code / Vulnerability details / Impact: StakedUSDeV2 can be bricked for a penny. Proof of concept: The _checkMinShares() requirement called after any deposit (and withdrawal): function _checkMinShares() internal view { uint256 _totalSupply = totalSupply(); if (_totalSupply > 0 &&...

AI Score 6.9

2023-10-30 12:00 AM
wpvulndb

WP Full Stripe Free <= 1.6.1 - Admin+ Stored XSS

Description: The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

CVSS 4.8 | AI Score 5.6 | EPSS 0.0004

2023-10-27 12:00 AM
wordfence

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 16, 2023 to October 22, 2023)

Last week, there were 109 vulnerabilities disclosed in 95 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in...

CVSS 9.8 | AI Score 7.4 | EPSS 0.006

2023-10-26 06:41 PM
cve

CVE-2023-46088

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mammothology WP Full Stripe Free plugin <= 1.6.1...

CVSS 4.8 | AI Score 5.7 | EPSS 0.0004

2023-10-26 01:15 PM
prion

Cross-site scripting

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mammothology WP Full Stripe Free plugin <= 1.6.1...

CVSS 4.8 | AI Score 4.8 | EPSS 0.0004

2023-10-26 01:15 PM
cvelist

CVE-2023-46088 WordPress WP Full Stripe Free Plugin <= 1.6.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mammothology WP Full Stripe Free plugin <= 1.6.1...

AI Score 5.6 | EPSS 0.0004

2023-10-26 12:23 PM
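The stored-XSS records above (Charitable CVE-2023-47816, Online Blood Donation Management System CVE-2023-44484, and WP Full Stripe Free CVE-2023-46088) share a cause: a stored value such as firstName is echoed into the page unmodified. The block below is an added example, not code from any of those projects, written in Python to show the two remedies a WordPress plugin reaches for. Plain-text fields are escaped for the HTML text context at output time. Fields that legitimately hold markup go through an allowlist filter in the spirit of wp_kses, which is what a plugin must do instead of trusting an administrator, because the unfiltered_html capability can be disallowed (multisite grants it only to super admins, the situation the WP Full Stripe Free entry describes). The tag allowlist, the safe-URL prefixes and the sample inputs are constructed for the demo.

```python
import re
from html import escape
from html.parser import HTMLParser
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed allowlist in the spirit of wp_kses: tag -> attributes that may survive.
ALLOWED: Dict[str, FrozenSet[str]] = {
    "p": frozenset(), "br": frozenset(), "b": frozenset(), "strong": frozenset(),
    "i": frozenset(), "em": frozenset(), "a": frozenset({"href", "title"}),
}
DROP_WITH_CONTENT = frozenset({"script", "style"})   # tag and everything inside it go
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")


def render_member_vulnerable(first_name: str) -> str:
    """The pattern in the advisories: the stored value is echoed as-is between tags."""
    return f"<td>{first_name}</td>"


def render_member_hardened(first_name: str) -> str:
    """Plain-text field: escape for the HTML text context when rendering."""
    return f"<td>{escape(first_name, quote=False)}</td>"


def _url_is_safe(value: str) -> bool:
    # Collapse whitespace first: browsers tolerate "java\nscript:" and so must the filter.
    return re.sub(r"\s+", "", value).lower().startswith(SAFE_URL_PREFIXES)


class _Kses(HTMLParser):
    """Rebuilds the fragment from allowlisted tags and attributes only."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self.skip = 0   # >0 while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED:
            return                      # unknown tag is dropped; its text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue                # removes every on*, style, srcdoc, ...
            value = value or ""
            if name == "href" and not _url_is_safe(value):
                continue                # drops javascript:, data:, vbscript: links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag: str) -> None:
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data: str) -> None:
        if not self.skip:
            self.out.append(escape(data, quote=False))   # text is re-escaped on output


def sanitize_html(fragment: str) -> str:
    """Allowlist filter for stored fields that are meant to contain markup."""
    parser = _Kses()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

The filter does not balance tags (WordPress does that in a separate pass), and the allowlist is deliberately small; widening it is where most sanitizer bypasses come from, so each addition needs the same attribute and URL review shown for the anchor tag.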
code423n4

M-08 Unmitigated

Lines of code / Vulnerability details / Mitigation of M-08: Issue mitigated with ERROR. Mitigated issue M-08: Inflation attack in VotiumStrategy. The issue was that the price of afEth and of vAfEth could be inflated by donating underlying assets. Mitigation review: All...

AI Score 7

2023-10-25 12:00 AM
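The five code423n4 StakedUSDe findings above and the M-08 VotiumStrategy mitigation review turn on the same two facts about ERC-4626-style vaults: a donation of underlying assets inflates the share price so that a later depositor's shares round down to nothing, and a minimum-shares check that blocks that attack also creates states in which legitimate deposits or redemptions revert. The block below is an added example, not the Ethena or Asymmetry contracts: a Python model of the share math with Solidity-style floor division and no virtual offset, showing the attack with the check disabled, the revert with it enabled, and the side effects on a small first depositor and on a redemption that would leave dust. The MIN_SHARES value and all amounts are assumptions for the demo; the check itself follows the fragment visible in the "penny" finding.

```python
from dataclasses import dataclass, field
from typing import Dict

WAD = 10**18  # 18-decimal token units, like USDe


class MinSharesViolation(Exception):
    """Models the revert in StakedUSDe's _checkMinShares()."""


@dataclass
class Vault:
    # Threshold is an assumption for the demo; the findings only say it keeps a
    # "small non-zero amount of shares" in circulation. 0 disables the check.
    min_shares: int = WAD
    total_assets: int = 0
    total_supply: int = 0
    balances: Dict[str, int] = field(default_factory=dict)

    # Plain ERC-4626 conversions: floor division, 1:1 when the vault is empty.
    def convert_to_shares(self, assets: int) -> int:
        if self.total_supply == 0:
            return assets
        return assets * self.total_supply // self.total_assets

    def convert_to_assets(self, shares: int) -> int:
        if self.total_supply == 0:
            return shares
        return shares * self.total_assets // self.total_supply

    def _check_min_shares(self, new_supply: int) -> None:
        # if (_totalSupply > 0 && _totalSupply < MIN_SHARES) revert MinSharesViolation();
        # Checked before mutating so a failure leaves state untouched, as a revert would.
        if 0 < new_supply < self.min_shares:
            raise MinSharesViolation(f"supply {new_supply} is below {self.min_shares}")

    def donate(self, assets: int) -> None:
        """A direct token transfer: raises totalAssets without minting shares."""
        self.total_assets += assets

    def deposit(self, who: str, assets: int) -> int:
        shares = self.convert_to_shares(assets)
        self._check_min_shares(self.total_supply + shares)
        self.total_assets += assets
        self.total_supply += shares
        self.balances[who] = self.balances.get(who, 0) + shares
        return shares

    def redeem(self, who: str, shares: int) -> int:
        if shares > self.balances.get(who, 0):
            raise ValueError("insufficient shares")
        assets = self.convert_to_assets(shares)
        self._check_min_shares(self.total_supply - shares)
        self.balances[who] -= shares
        self.total_supply -= shares
        self.total_assets -= assets
        return assets


def donation_attack(min_shares: int) -> dict:
    """Attacker front-runs the first real deposit with 1 wei, then donates."""
    v = Vault(min_shares=min_shares)
    try:
        v.deposit("attacker", 1)                       # 1 wei -> 1 share
    except MinSharesViolation:
        return {"reverted": True}
    v.donate(1_000 * WAD)                              # price per share is now ~1000e18
    victim_shares = v.deposit("victim", 1_000 * WAD)   # 1000e18 * 1 // (1000e18 + 1) == 0
    attacker_gets = v.redeem("attacker", 1)            # the lone share owns everything
    return {"reverted": False, "victim_shares": victim_shares, "attacker_gets": attacker_gets}


def first_deposit_outcome(min_shares: int, amount: int) -> str:
    """Side effect of the check: an empty vault rejects any deposit below min_shares."""
    try:
        Vault(min_shares=min_shares).deposit("alice", amount)
        return "ok"
    except MinSharesViolation:
        return "reverted"
```

With the check disabled the victim receives zero shares and the attacker redeems both deposits; with it enabled the attacker's 1-wei deposit reverts, but so does any first deposit under the threshold, and a holder cannot redeem down to a dust balance, which is the lever the DoS findings pull on.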
cve

CVE-2023-4975

The Website Builder by SeedProd plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.15.13.1. This is due to missing or incorrect nonce validation on functionality in the builder.php file. This makes it possible for unauthenticated attackers to...

CVSS 4.3 | AI Score 6.6 | EPSS 0.001

2023-10-20 07:15 AM
prion

Cross-site request forgery (CSRF)

The Website Builder by SeedProd plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.15.13.1. This is due to missing or incorrect nonce validation on functionality in the builder.php file. This makes it possible for unauthenticated attackers to...

CVSS 4.3 | AI Score 4.2 | EPSS 0.001

2023-10-20 07:15 AM
cvelist

CVE-2023-4975

The Website Builder by SeedProd plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.15.13.1. This is due to missing or incorrect nonce validation on functionality in the builder.php file. This makes it possible for unauthenticated attackers to...

AI Score 6.1 | EPSS 0.001

2023-10-20 06:35 AM
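Many entries above are one WordPress bug class: a state-changing admin action with missing or incorrect nonce validation (GiveWP's give_stripe_disconnect_connect_stripe_account, WooCommerce Stripe's maybe_handle_redirect, WP Full Stripe Free's admin menu, Quill Forms, SeedProd's builder.php), and the Give privilege-escalation entry adds the neighbouring failure, an insufficient capability check. The block below is an added example, not code from any of these plugins: a Python sketch of the handler pattern beside its fix. The nonce is modelled on the WordPress design, an HMAC over tick, action, user id and session token that is accepted for the current and the previous 12-hour tick, and the hardened handler checks the capability before the nonce because a nonce proves intent, not authority. Roles, capabilities, the secret and the request shape are constructed for the demo.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed server secret; WordPress derives its nonces from the site's salts.
SECRET = b"constructed-demo-secret-do-not-reuse"
NONCE_LIFE = 24 * 3600      # WordPress default: a nonce lives 24h, as two 12h ticks
TICK = NONCE_LIFE // 2

# Constructed role -> capability map; give_manager stands in for a lower-privileged role.
ROLE_CAPS: Dict[str, Set[str]] = {
    "administrator": {"manage_options", "edit_users"},
    "give_manager": {"edit_give_forms"},
}


@dataclass(frozen=True)
class User:
    id: int
    role: str
    session_token: str


@dataclass
class Request:
    params: Dict[str, str]
    user: Optional[User] = None   # resolved from the session cookie, which a CSRF request carries too


def _nonce_for_tick(tick: int, action: str, user_id: int, session_token: str) -> str:
    msg = f"{tick}|{action}|{user_id}|{session_token}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:20]


def make_nonce(action: str, user_id: int, session_token: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    return _nonce_for_tick(int(now // TICK), action, user_id, session_token)


def verify_nonce(nonce: str, action: str, user_id: int, session_token: str,
                 now: Optional[float] = None) -> bool:
    """Accept the current tick and the previous one, like wp_verify_nonce()."""
    if not isinstance(nonce, str) or not nonce.isascii():
        return False
    now = time.time() if now is None else now
    tick = int(now // TICK)
    return any(
        hmac.compare_digest(nonce, _nonce_for_tick(t, action, user_id, session_token))
        for t in (tick, tick - 1)
    )


def current_user_can(user: Optional[User], cap: str) -> bool:
    return user is not None and cap in ROLE_CAPS.get(user.role, set())


def disconnect_stripe_vulnerable(req: Request, state: dict) -> int:
    """The shape behind the CSRF entries: the handler acts because the browser
    attached the victim's session cookie. Nothing proves the user meant to do this."""
    if req.params.get("action") != "disconnect_stripe":
        return 400
    state["stripe_connected"] = False
    return 200


def disconnect_stripe_hardened(req: Request, state: dict, now: Optional[float] = None) -> int:
    if req.params.get("action") != "disconnect_stripe":
        return 400
    user = req.user
    # Authorization first: a lower role reaching an admin-only action is a
    # capability bug, and a valid nonce must not paper over it.
    if not current_user_can(user, "manage_options"):
        return 403
    # Then intent: the nonce is bound to action, user and session, so a page on
    # another origin can neither mint one nor replay one issued for someone else.
    if not verify_nonce(req.params.get("_wpnonce", ""), "disconnect_stripe",
                        user.id, user.session_token, now):
        return 403
    state["stripe_connected"] = False
    return 200
```

The order of the two checks matters in practice: WordPress's check_admin_referer() only answers "did this user intend this action on this form"; the capability check answers "may this user do it at all", and the Give entry is what happens when the second question is skipped.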
wordfence

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 9, 2023 to October 15, 2023)

Last week, there were 103 vulnerabilities disclosed in 85 WordPress Plugins and no WordPress themes, with 7 of those being in WordPress Core, that have been added to the Wordfence Intelligence Vulnerability Database, and there were 46 Vulnerability Researchers that contributed to WordPress...

CVSS 9.8 | AI Score 8.5 | EPSS 0.867

2023-10-19 03:52 PM
trellix

Discord, I Want to Play a Game

By Ernesto Fernández Provecho and David Pastor Sanz (Threatray) · October 16, 2023. Discord is the first choice for gamers when they want to chat with some friends while playing an online computer game. Moreover, it is also a major choice for users that simply want to...

AI Score 7.4

2023-10-16 12:00 AM
githubexploit

Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Python Urllib3

PoC Example of how CVE-2023-43804 works with real python...

AI Score 6.7 | EPSS 0.001

2023-10-13 06:15 AM
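The githubexploit entry above is for CVE-2023-43804 in urllib3, where a Cookie header set on a request was forwarded when the library followed a redirect to a different host; the fix added Cookie to the headers urllib3 removes on cross-host redirects. The block below is an added example, not urllib3's code and not the PoC: a Python sketch of the stripping rule applied at each hop of a redirect chain. It compares the full origin (scheme, host, port) rather than the host alone, so an https-to-http downgrade on the same host also drops credentials. The fake fetch, the routes and the header values are constructed so the chain runs offline.

```python
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials meant for the origin they were attached to.
CREDENTIAL_HEADERS = frozenset({"cookie", "authorization", "proxy-authorization"})
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> Tuple[str, str, Optional[int]]:
    """(scheme, host, port) with the default port filled in, so :443 and no port compare equal."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def headers_for_redirect(headers: Dict[str, str], from_url: str, to_url: str) -> Dict[str, str]:
    """Headers to forward to a redirect target. Credentials are dropped whenever the
    origin changes; a same-origin hop keeps them, as a browser would."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


# fetch(url, headers) -> (status, Location header or None)
Fetch = Callable[[str, Dict[str, str]], Tuple[int, Optional[str]]]


def follow_redirects(url: str, headers: Dict[str, str], fetch: Fetch,
                     max_redirects: int = 5) -> Tuple[str, Dict[str, str]]:
    """Drive a redirect chain through `fetch`, applying the stripping rule per hop.
    Returns the final URL and the headers that were sent to it."""
    for _ in range(max_redirects + 1):
        status, location = fetch(url, headers)
        if status not in REDIRECT_STATUSES or not location:
            return url, headers
        target = urljoin(url, location)          # Location may be relative
        headers = headers_for_redirect(headers, url, target)
        url = target
    raise RuntimeError("too many redirects")


def make_fake_fetch(routes: Dict[str, Tuple[int, Optional[str]]],
                    seen: Dict[str, Dict[str, str]]) -> Fetch:
    """Constructed stand-in for the network: `routes` maps URL -> (status, Location);
    `seen` records the headers each URL received, which is what the test inspects."""
    def fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Optional[str]]:
        seen[url] = dict(headers)
        return routes.get(url, (200, None))
    return fetch
```

urllib3 itself keys the decision on whether the redirect target is the same host as the pool's; the origin comparison here is stricter and is the rule to apply when writing your own client on top of a raw HTTP library.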
githubexploit

Exploit for Improper Input Validation in Python

Intro: The URL parsing functions focus on splitting a URL...

AI Score 8.2 | EPSS 0.001

2023-10-05 01:55 AM
githubexploit

Exploit for Untrusted Search Path in Python

Intro: In Python 3.11 through 3.11.4, there's a problem with the...

AI Score 7 | EPSS 0.001

2023-10-05 12:32 AM
thn

Red Cross-Themed Phishing Attacks Distributing DangerAds and AtlasAgent Backdoors

A new threat actor known as AtlasCross has been observed leveraging Red Cross-themed phishing lures to deliver two previously undocumented backdoors named DangerAds and AtlasAgent. NSFOCUS Security Labs described the adversary as having a "high technical level and cautious attack attitude," adding...

AI Score 7

2023-09-27 02:42 PM
thn

Essential Guide to Cybersecurity Compliance

SOC 2, ISO, HIPAA, Cyber Essentials – all the security frameworks and certifications today are an acronym soup that can make even a compliance expert's head spin. If you're embarking on your compliance journey, read on to discover the differences between standards, which is best for your business,...

AI Score 6.4

2023-09-26 11:50 AM
malwarebytes

iPhone 15 launch: Wonderlust scammers rear their heads

Yesterday, Apple launched its latest iPhone and Watch models at its massive Wonderlust event. As with many high profile launches like this, it attracted not just a mountain of press, but a whole load of scammers too. One site uses the Apple brand to host a cryptocurrency scam. The hook is a...

AI Score 6.7

2023-09-14 01:00 AM
Total number of security vulnerabilities: 980