WooCommerce Stripe Payment Gateway < 7.6.2 - Unauthenticated Order Deletion via IDOR
Description The plugin does not properly check for ownership of completed/pending orders, allowing unauthenticated users to put such orders in the trash and delete...
CVSS: 9.8
AI Score: 7.2
EPSS: 0.001
CVSS: 9.8
AI Score: 7
EPSS: 0.001
Deserialization of Untrusted Data vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform. This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through...
CVSS: 9.8
AI Score: 9.4
EPSS: 0.001
Deserialization of Untrusted Data vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform. This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through...
CVSS: 9.8
EPSS: 0.001
Deserialization of untrusted data
Deserialization of Untrusted Data vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform. This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through...
CVSS: 9.8
AI Score: 7.1
EPSS: 0.001
CVE-2023-32513 WordPress GiveWP Plugin <= 2.25.3 is vulnerable to PHP Object Injection
Deserialization of Untrusted Data vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform. This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through...
CVSS: 7.5
AI Score: 9.7
EPSS: 0.001
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adastra Crypto Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free. This issue affects Cryptocurrency Payment & Donation Box – Accept Payments in...
CVSS: 7.2
AI Score: 7.4
EPSS: 0.001
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adastra Crypto Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free. This issue affects Cryptocurrency Payment & Donation Box – Accept Payments in...
CVSS: 7.2
EPSS: 0.001
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adastra Crypto Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free. This issue affects Cryptocurrency Payment & Donation Box – Accept Payments in...
CVSS: 7.2
AI Score: 8
EPSS: 0.001
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adastra Crypto Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free. This issue affects Cryptocurrency Payment & Donation Box – Accept Payments in...
CVSS: 5.5
AI Score: 7.6
EPSS: 0.001
Server-Side Request Forgery (SSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform. This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through...
CVSS: 6.5
AI Score: 6.5
EPSS: 0.0005
Server-Side Request Forgery (SSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform. This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through...
CVSS: 6.5
EPSS: 0.0005
Server side request forgery (ssrf)
Server-Side Request Forgery (SSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform. This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through...
CVSS: 6.5
AI Score: 7.2
EPSS: 0.0005
CVE-2022-40312 WordPress GiveWP Plugin <= 2.25.1 is vulnerable to Server Side Request Forgery (SSRF)
Server-Side Request Forgery (SSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform. This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through...
CVSS: 5.5
AI Score: 6.7
EPSS: 0.0005
Liberapay: Avatar URL is exposed in patron export for secret donations
When a user sets their donation Privacy level to "Secret" they are indicating that they don't want to be identified by the donation recipient. By exporting the patron_avatar_url, in https://liberapay.com/<account_name>/patrons/export.csv, the user might be exposed just by doing a reverse image...
AI Score: 7.1
Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Last week, there were 115 vulnerabilities disclosed in 87 WordPress Plugins and 1 WordPress themes that have been added to the Wordfence...
CVSS: 9.8
AI Score: 10
THIS REPO IS OBSOLETE AND YOU SHOULD USE THIS ONE INSTEAD:...
AI Score: 7.7
Accept Stripe Payments < 2.0.80 - Insecure Direct Object Reference
Description The Stripe Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_create_pi() function in versions up to, and including, 2.0.79. This makes it possible for unauthenticated attackers to purchase products in...
AI Score: 6.9
Give - Donation Plugin < 2.33.1 - Authenticated(Give Manager+) Privilege Escalation
Description The Give - Donation Plugin plugin for WordPress is vulnerable to privilege escalation due to an insufficient capability check when updating default roles in versions up to, and including, 2.33.0. This makes it possible for authenticated attackers with Give Manager privileges to elevate....
AI Score: 7
EPSS: 0.0004
GiveWP < 2.33.2 - Missing Authorization via handleBeforeGateway
Description The GiveWP plugin for WordPress is vulnerable to unauthorized donation form access due to a missing check on the handleBeforeGateway function that would ensure that a donation form can be used and is not trashed in versions up to, and including, 2.33.1. There is no real security...
AI Score: 7
GiveWP < 2.33.4 - Cross-Site Request Forgery to Stripe Integration Deletion
Description The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.33.3. This is due to missing or incorrect nonce validation on the give_stripe_disconnect_connect_stripe_account function. This makes it possible for unauthenticated attackers....
CVSS: 4.3
AI Score: 6.6
EPSS: 0.001
Stripe Gateway < 7.6.1 - Cross-Site Request Forgery
Description The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 7.6.1 (exclusive). This is due to missing or incorrect nonce validation on the maybe_handle_redirect function. This makes it possible for unauthenticated...
AI Score: 6.6
EPSS: 0.0004
Consumer cyberthreats: predictions for 2024
In our previous summary of consumer predictions, we delved into tactics that we expected scammers and cybercriminals to use in 2023. As anticipated, they capitalized on major events and cultural crazes, using tricks that ranged from fake Barbie doll deals to exploiting the buzz around long-awaited....
AI Score: 7.3
WP Full Stripe Free <= 1.6.1 - Cross-Site Request Forgery
Description The WP Full Stripe Free plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.1. This is due to missing or incorrect nonce validation via several functions in the ~/include/wp-full-stripe-admin-menu.php file. This makes it possible for...
CVSS: 8.8
AI Score: 6.4
EPSS: 0.001
Quill Forms < 3.4.0 - Cross-Site Request Forgery
Description The Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.0. This is due to missing or...
AI Score: 6.7
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin <= 1.7.0.13...
CVSS: 6.5
AI Score: 5.5
EPSS: 0.0004
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin <= 1.7.0.13...
CVSS: 5.4
EPSS: 0.0004
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin <= 1.7.0.13...
CVSS: 5.4
AI Score: 7.1
EPSS: 0.0004
CVE-2023-47816 WordPress Charitable Plugin <= 1.7.0.13 is vulnerable to Cross Site Scripting (XSS)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin <= 1.7.0.13...
CVSS: 6.5
AI Score: 6.7
EPSS: 0.0004
vendure is vulnerable to Arbitrary Price Manipulation. The vulnerability is due to the ability to specify an arbitrary currencyCode as a query parameter to an API call, allowing users to select any currencyCode and thus payments made through Mollie and Stripe in that particular currencyCode are...
AI Score: 7
Crypto Scammers Exploit Gaza Crisis, Deceiving Users in Donation Scam
By Deeba Ahmed Scammers taking advantage of a humanitarian crisis? Well, who saw that coming... This is a post from HackRead.com Read the original post: Crypto Scammers Exploit Gaza Crisis, Deceiving Users in Donation...
AI Score: 7.4
Cross-Site Request Forgery (CSRF) vulnerability in Mammothology WP Full Stripe Free. This issue affects WP Full Stripe Free: from n/a through...
CVSS: 8.8
EPSS: 0.001
Cross-Site Request Forgery (CSRF) vulnerability in Mammothology WP Full Stripe Free. This issue affects WP Full Stripe Free: from n/a through...
CVSS: 8.8
AI Score: 8.6
EPSS: 0.001
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in Mammothology WP Full Stripe Free. This issue affects WP Full Stripe Free: from n/a through...
CVSS: 8.8
AI Score: 7.2
EPSS: 0.001
Cross-Site Request Forgery (CSRF) vulnerability in Mammothology WP Full Stripe Free. This issue affects WP Full Stripe Free: from n/a through...
CVSS: 4.3
AI Score: 8.9
EPSS: 0.001
@vendure/core's insecure currencyCode handling allows wrong payment amounts
Impact Currently, in many Vendure deployments it's possible to select any currencyCode (really any, doesn't need to be assigned to the channel) and pay through Mollie and Stripe in that particular currencyCode. The prices are not transformed. The result is the Order is in Payment Settled in the...
AI Score: 7.2
Wordfence Intelligence Weekly WordPress Vulnerability Report (November 6, 2023 to November 12, 2023)
Wordfence just launched its bug bounty program. Over the next 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Please note there was a minor error in the heading of the email, and this report only runs from November 6th to November 12th. Last week,...
CVSS: 8.8
AI Score: 9.7
Wordfence Intelligence Weekly WordPress Vulnerability Report (October 30, 2023 to November 5, 2023)
Wordfence just launched its bug bounty program. Over the next 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Last week, there were 79 vulnerabilities disclosed in 64 WordPress Plugins and no WordPress themes that have been added to the Wordfence...
CVSS: 9.8
AI Score: 10
Malicious code in stripe-terminal-react-native-dev-app (npm)
-= Per source details. Do not edit below this line.=- Source: ghsa-malware (148f318d6453b35d5563824a26fe185c3df7e96f1a4f12089adbbb556e867459) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
AI Score: 7.2
Wordfence Intelligence Weekly WordPress Vulnerability Report (October 23, 2023 to October 29, 2023)
Last week, there were 109 vulnerabilities disclosed in 102 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities....
CVSS: 9.8
AI Score: 9.9
Online Blood Donation Management System v1.0 is vulnerable to a Stored Cross-Site Scripting vulnerability. The 'firstName' parameter of the users/register.php resource is copied into the users/member.php document as plain text between tags. Any input is echoed unmodified in the users/member.php...
CVSS: 6.1
AI Score: 5.8
EPSS: 0.0005
Online Blood Donation Management System v1.0 is vulnerable to a Stored Cross-Site Scripting vulnerability. The 'firstName' parameter of the users/register.php resource is copied into the users/member.php document as plain text between tags. Any input is echoed unmodified in the users/member.php...
CVSS: 6.1
AI Score: 5.9
EPSS: 0.0005
Online Blood Donation Management System v1.0 is vulnerable to a Stored Cross-Site Scripting vulnerability. The 'firstName' parameter of the users/register.php resource is copied into the users/member.php document as plain text between tags. Any input is echoed unmodified in the users/member.php...
CVSS: 6.1
AI Score: 5.8
EPSS: 0.0005
CVE-2023-44484 Online Blood Donation Management System v1.0 - Stored Cross-Site Scripting (XSS)
Online Blood Donation Management System v1.0 is vulnerable to a Stored Cross-Site Scripting vulnerability. The 'firstName' parameter of the users/register.php resource is copied into the users/member.php document as plain text between tags. Any input is echoed unmodified in the users/member.php...
CVSS: 6.1
AI Score: 6
EPSS: 0.0005
StakedUSDe contract allows attackers to steal staked USDe tokens of soft-restricted users
Lines of code Vulnerability details Description The modifier called _checkMinShares() that is used to ensure that there is always a small non-zero amount of shares in circulation. This is to prevent a donation attack, where an attacker donates a small amount of USDe tokens to the contract and then....
AI Score: 6.9
Shares Manipulation DoS Vulnerability in StakedUSDe
Lines of code https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/StakedUSDe.sol#L190-L194 https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/StakedUSDe.sol#L225-L239 Vulnerability details Impact The StakedUSDe contract is vulnerable to manipulation by a malicious actor,....
AI Score: 6.9
Malicious user can completely prevent all users or users without large funds from staking
Lines of code Vulnerability details Vulnerability Details To prevent the issue with the first-depositor attack (donation attack as written in the comments of _checkMinShares in StakedUSDe.sol) to the staking vault, the _checkMinShares function is implemented in the StakedUSDe.sol contract when...
AI Score: 6.8
DoS of the staking functionality due to the check of minimum total supply
Lines of code https://github.com/code-423n4/2023-10-ethena/blob/ee67d9b542642c9757a6b826c82d0cae60256509/contracts/StakedUSDe.sol#L138-L141 Vulnerability details Impact The StakedUSDe contract can be accidentally blocked if the all shares will be redeemed before the VESTING_PERIOD end. The...
AI Score: 6.9
In for a penny, in for ten quadrillion dollars
Lines of code Vulnerability details Impact StakedUSDeV2 can be bricked for a penny. Proof of concept The _checkMinShares() requirement called after any deposit (and withdrawal) function _checkMinShares() internal view { uint256 _totalSupply = totalSupply(); if (_totalSupply > 0 &&...
AI Score: 6.9