Accept Stripe Donation – AidWP Security Vulnerabilities

WooCommerce Stripe Payment Gateway < 7.6.2 - Unauthenticated Order Deletion via IDOR

Description The plugin doe snot properly check for ownership of completed/pending orders, allowing unauthenticated users to put such order in the trash and delete...

WordPress GiveWP Plugin < 2.26.0 PHP Object Injection Vulnerability

The WordPress...

CVE-2023-32513

Deserialization of Untrusted Data vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform.This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through...

CVE-2023-32513

Deserialization of Untrusted Data vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform.This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through...

Deserialization of untrusted data

Deserialization of Untrusted Data vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform.This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through...

CVE-2023-32513 WordPress GiveWP Plugin <= 2.25.3 is vulnerable to PHP Object Injection

Deserialization of Untrusted Data vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform.This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through...

CVE-2023-32128

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adastra Crypto Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free.This issue affects Cryptocurrency Payment & Donation Box – Accept Payments in.....

CVE-2023-32128

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adastra Crypto Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free.This issue affects Cryptocurrency Payment & Donation Box – Accept Payments in.....

Sql injection

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adastra Crypto Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free.This issue affects Cryptocurrency Payment & Donation Box – Accept Payments in.....

CVE-2023-32128 WordPress Cryptocurrency Donation Box – Bitcoin & Crypto Donations Plugin <= 2.2.7 is vulnerable to SQL Injection

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adastra Crypto Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free.This issue affects Cryptocurrency Payment & Donation Box – Accept Payments in.....

CVE-2022-40312

Server-Side Request Forgery (SSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform.This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through...

CVE-2022-40312

Server-Side Request Forgery (SSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform.This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through...

Server side request forgery (ssrf)

Server-Side Request Forgery (SSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform.This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through...

CVE-2022-40312 WordPress GiveWP Plugin <= 2.25.1 is vulnerable to Server Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform.This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through...

Liberapay: Avatar URL is exposed in patron export for secret donations

When user sets their donation Privacy level to "Secret" they are indicating that they don't want to be identified by the donation recipient. By exporting the patron_avatar_url, in https://liberapay.com/&lt;account_name&gt;/patrons/export.csv, the user might be exposed just by doing a reverse image....

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 20, 2023 to November 26, 2023)

Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Last week, there were 115 vulnerabilities disclosed in 87 WordPress Plugins and 1 WordPress themes that have been added to the Wordfence...

Exploit for CVE-2023-40626

THIS REPO IS OBSOLETE AND YOU SHOULD USE THIS ONE INSTEAD:...

Accept Stripe Payments < 2.0.80 - Insecure Direct Object Reference

Description The Stripe Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_create_pi() function in versions up to, and including, 2.0.79. This makes it possible for unauthenticated attackers to purchase products in...

Give - Donation Plugin < 2.33.1 - Authenticated(Give Manager+) Privilege Escalation

Description The Give - Donation Plugin plugin for WordPress is vulnerable to privilege escalation due to an insufficient capability check when updating default roles in versions up to, and including, 2.33.0. This makes it possible for authenticated attackers with Give Manager privileges to elevate....

GiveWP < 2.33.2 - Missing Authorization via handleBeforeGateway

Description The GiveWP plugin for WordPress is vulnerable to unauthorized donation form access due to a missing check on the handleBeforeGateway function that would ensure that a donation form can be used and is not trashed in versions up to, and including, 2.33.1. There is no real security...

GiveWP < 2.33.4 - Cross-Site Request Forgery to Stripe Integration Deletion

Description The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.33.3. This is due to missing or incorrect nonce validation on the give_stripe_disconnect_connect_stripe_account function. This makes it possible for unauthenticated attackers....

Stripe Gateway < 7.6.1 - Cross-Site Request Forgery

Description The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 7.6.1 (exclusive). This is due to missing or incorrect nonce validation on the maybe_handle_redirect function. This makes it possible for unauthenticated...

Consumer cyberthreats: predictions for 2024

In our previous summary of consumer predictions, we delved into tactics that we expected scammers and cybercriminals to use in 2023. As anticipated, they capitalized on major events and cultural crazes, using tricks that ranged from fake Barbie doll deals to exploiting the buzz around long-awaited....

WP Full Stripe Free <= 1.6.1 - Cross-Site Request Forgery

Description The WP Full Stripe Free plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.1. This is due to missing or incorrect nonce validation via several functions in the ~/include/wp-full-stripe-admin-menu.php file. This makes it possible for...

Quill Forms < 3.4.0 - Cross-Site Request Forgery

Description The Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.0. This is due to missing or...

CVE-2023-47816

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin &lt;= 1.7.0.13...

CVE-2023-47816

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin &lt;= 1.7.0.13...

Cross site scripting

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin &lt;= 1.7.0.13...

CVE-2023-47816 WordPress Charitable Plugin <= 1.7.0.13 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin &lt;= 1.7.0.13...

Arbitrary Price Manipulation

vendure is vulnerable to Arbitrary Price Manipulation. The vulnerability is due to the ability to specify an arbitrary currencyCode as a query parameter to an API call, allowing users to select any currencyCode and thus payments made through Mollie and Stripe in that particular currencyCode are...

Crypto Scammers Exploit Gaza Crisis, Deceiving Users in Donation Scam

By Deeba Ahmed Scammers taking advantage of a humanitarian crisis? Well, who saw that coming... This is a post from HackRead.com Read the original post: Crypto Scammers Exploit Gaza Crisis, Deceiving Users in Donation...

CVE-2023-47667

Cross-Site Request Forgery (CSRF) vulnerability in Mammothology WP Full Stripe Free.This issue affects WP Full Stripe Free: from n/a through...

CVE-2023-47667

Cross-Site Request Forgery (CSRF) vulnerability in Mammothology WP Full Stripe Free.This issue affects WP Full Stripe Free: from n/a through...

Cross site request forgery (csrf)

Cross-Site Request Forgery (CSRF) vulnerability in Mammothology WP Full Stripe Free.This issue affects WP Full Stripe Free: from n/a through...

CVE-2023-47667 WordPress WP Full Stripe Free plugin <= 7.0.16 - Cross Site Request Forgery (CSRF) vulnerability on every Setting Save

Cross-Site Request Forgery (CSRF) vulnerability in Mammothology WP Full Stripe Free.This issue affects WP Full Stripe Free: from n/a through...

@vendure/core's insecure currencyCode handling allows wrong payment amounts

Impact Currently, in many Vendure deployments it's possible to select any currencyCode (really any, doesn't need to be assigned to the channel) and pay through Mollie and Stripe in that particular currencyCode. The prices are not transformed. The result is the Order is in Payment Settled in the...

@vendure/core's insecure currencyCode handling allows wrong payment amounts

Impact Currently, in many Vendure deployments it's possible to select any currencyCode (really any, doesn't need to be assigned to the channel) and pay through Mollie and Stripe in that particular currencyCode. The prices are not transformed. The result is the Order is in Payment Settled in the...

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 6, 2023 to November 12, 2023)

Wordfence just launched its bug bounty program. Over the next 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Please note there was a minor error in the heading of the email, and this report only runs from November 6th to November 12th. Last week,...

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 30, 2023 to November 5, 2023)

Wordfence just launched its bug bounty program. Over the next 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Last week, there were 79 vulnerabilities disclosed in 64 WordPress Plugins and no WordPress themes that have been added to the Wordfence...

Malicious code in stripe-terminal-react-native-dev-app (npm)

-= Per source details. Do not edit below this line.=- Source: ghsa-malware (148f318d6453b35d5563824a26fe185c3df7e96f1a4f12089adbbb556e867459) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 23, 2023 to October 29, 2023)

Last week, there were 109 vulnerabilities disclosed in 102 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities....

CVE-2023-44484

Online Blood Donation Management System v1.0 is vulnerable to a Stored Cross-Site Scripting vulnerability. The 'firstName' parameter of the users/register.php resource is copied into the users/member.php document as plain text between tags. Any input is echoed unmodified in the users/member.php...

CVE-2023-44484

Online Blood Donation Management System v1.0 is vulnerable to a Stored Cross-Site Scripting vulnerability. The 'firstName' parameter of the users/register.php resource is copied into the users/member.php document as plain text between tags. Any input is echoed unmodified in the users/member.php...

Cross site scripting

Online Blood Donation Management System v1.0 is vulnerable to a Stored Cross-Site Scripting vulnerability. The 'firstName' parameter of the users/register.php resource is copied into the users/member.php document as plain text between tags. Any input is echoed unmodified in the users/member.php...

CVE-2023-44484 Online Blood Donation Management System v1.0 - Stored Cross-Site Scripting (XSS)

Online Blood Donation Management System v1.0 is vulnerable to a Stored Cross-Site Scripting vulnerability. The 'firstName' parameter of the users/register.php resource is copied into the users/member.php document as plain text between tags. Any input is echoed unmodified in the users/member.php...

StakedUSDe contract allows attackers to steal staked USDe tokens of soft-restricted users

Lines of code Vulnerability details Description The modifier called _checkMinShares() that is used to ensure that there is always a small non-zero amount of shares in circulation. This is to prevent a donation attack, where an attacker donates a small amount of USDe tokens to the contract and then....

Shares Manipulation DoS Vulnerability in StakedUSDe

Lines of code https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/StakedUSDe.sol#L190-L194 https://github.com/code-423n4/2023-10-ethena/blob/main/contracts/StakedUSDe.sol#L225-L239 Vulnerability details Impact The StakedUSDe contract is vulnerable to manipulation by a malicious actor,....

Malicious user can completely prevent all users or users without large funds from staking

Lines of code Vulnerability details Vulnerability Details To prevent the issue with the first-depositor attack (donation attack as written in the comments of _checkMinShares in StakedUSDe.sol) to the staking vault, the _checkMinShares function is implemented in the StakedUSDe.sol contract when...

DoS of the staking functionality due to the check of minimum total supply

Lines of code https://github.com/code-423n4/2023-10-ethena/blob/ee67d9b542642c9757a6b826c82d0cae60256509/contracts/StakedUSDe.sol#L138-L141 Vulnerability details Impact The StakedUSDe contract can be accidentally blocked if the all shares will be redeemed before the VESTING_PERIOD end. The...

In for a penny, in for ten quadrillion dollars

Lines of code Vulnerability details Impact StakedUSDeV2 can be bricked for a penny. Proof of concept The _checkMinShares() requirement called after any deposit (and withdrawal) function _checkMinShares() internal view { uint256 _totalSupply = totalSupply(); if (_totalSupply &gt; 0 &&...