Wordfence Intelligence Weekly WordPress Vulnerability Report (July 3, 2023 to July 9, 2023)
Last week, there were 61 vulnerabilities disclosed in 54 WordPress Plugins and 1 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 28 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in....
CVSS 9.9 | AI Score 8.1 | EPSS none listed
Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Contact Form 7 – PayPal & Stripe Add-on plugin <= 1.9.3...
CVSS 8.8 | AI Score 8.7 | EPSS 0.001
Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Contact Form 7 – PayPal & Stripe Add-on plugin <= 1.9.3...
CVSS 8.8 | AI Score 6.5 | EPSS 0.001
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Contact Form 7 – PayPal & Stripe Add-on plugin <= 1.9.3...
CVSS 8.8 | AI Score 8.7 | EPSS 0.001
Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Contact Form 7 – PayPal & Stripe Add-on plugin <= 1.9.3...
CVSS 5.4 | AI Score 9 | EPSS 0.001
First liquidity provider can break minting of shares
Lines of code. Vulnerability details. Impact: The attack vector and impact is that users may not receive shares in exchange for their deposits if the total asset amount has been manipulated through a large “donation”. Proof of Concept: The attack vector and impact is that users may not receive shares.....
AI Score 6.8
TWAP can be easily manipulated by attacker through the sync() function, causing loss of funds
Lines of code. Vulnerability details. Description: Please refer to the issue titled "Implementation of Well shift() function allows attackers to completely manipulate the oracles" for relevant introduction and context. The safety of the TWAP relies on calling the observation function (update()) with...
AI Score 6.9
tktchurch/website contains the codebase for The King's Temple Church website. In version 0.1.0, a Stripe API key was found in the public code repository of the church's project. This sensitive information was unintentionally committed and subsequently exposed in the codebase. If an unauthorized...
CVSS 9.1 | AI Score 9.1 | EPSS 0.001
tktchurch/website contains the codebase for The King's Temple Church website. In version 0.1.0, a Stripe API key was found in the public code repository of the church's project. This sensitive information was unintentionally committed and subsequently exposed in the codebase. If an unauthorized...
CVSS 9.1 | AI Score 6.8 | EPSS 0.001
tktchurch/website contains the codebase for The King's Temple Church website. In version 0.1.0, a Stripe API key was found in the public code repository of the church's project. This sensitive information was unintentionally committed and subsequently exposed in the codebase. If an unauthorized...
CVSS 9.1 | AI Score 7.9 | EPSS 0.001
tktchurch/website contains the codebase for The King's Temple Church website. In version 0.1.0, a Stripe API key was found in the public code repository of the church's project. This sensitive information was unintentionally committed and subsequently exposed in the codebase. If an unauthorized...
CVSS 9.1 | AI Score 9 | EPSS 0.001
CVE-2023-36817 The King's Temple Church website Leaked Stripe API Key in Public Code Repository
tktchurch/website contains the codebase for The King's Temple Church website. In version 0.1.0, a Stripe API key was found in the public code repository of the church's project. This sensitive information was unintentionally committed and subsequently exposed in the codebase. If an unauthorized...
CVSS 7.5 | AI Score 9.4 | EPSS 0.001
WooCommerce Stripe Payment Gateway Plugin for WordPress < 7.4.1 Insecure Direct Object Reference
The WordPress WooCommerce Stripe Payment Gateway Plugin installed on the remote host is affected by an Insecure Direct Object Reference leading to Personally Identifiable Information Disclosure. Note that the scanner has not tested for these issues but has instead relied only on the application's.....
AI Score 7
WooCommerce Stripe Payment Gateway < 7.4.1 - Subscriber+ Order Intent Update
The plugin does not properly restrict users from making a certain set of changes to other customers' orders. TODO: ADD link to Patchstack's post instead of H1 PoC. Affected functions: create_payment_intent_ajax, update_payment_intent_ajax, save_upe_appearance_ajax, update_order_status_ajax...
AI Score 6.4 | EPSS none listed
WooCommerce Stripe Payment Gateway < 7.4.1 - Subscriber+ Order Intent Update
The plugin does not properly restrict users from making a certain set of changes to other customers' orders. TODO: ADD link to Patchstack's post instead of...
AI Score 6.5 | EPSS none listed
Wordfence Intelligence Weekly WordPress Vulnerability Report (June 12, 2023 to June 18, 2023)
Last week, there were 60 vulnerabilities disclosed in 52 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 25 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities...
CVSS 8.8 | AI Score 7.5 | EPSS 0.005
WordPress WooCommerce Stripe Payment Gateway Plugin < 7.4.1 IDOR Vulnerability
The WordPress...
CVSS 7.5 | AI Score 7.1 | EPSS 0.001
Lines of code. Vulnerability details. Mitigation of M-10: Issue NOT mitigated. Mitigated issue M-10: First 1 wei deposit can produce loss of user xETH funds in wxETH. Fix: code-423n4/2023-05-xeth@fbb2972. The issue is similar to the standard inflation attack, except that instead of the attacker's...
AI Score 6.6
Cross-Site Request Forgery (CSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform plugin <= 2.25.1...
CVSS 8.8 | AI Score 8.8 | EPSS 0.001
Cross-Site Request Forgery (CSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform plugin <= 2.25.1...
CVSS 8.8 | AI Score 6.5 | EPSS 0.001
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform plugin <= 2.25.1...
CVSS 8.8 | AI Score 8.8 | EPSS 0.001
CVE-2023-25450 WordPress GiveWP Plugin <= 2.25.1 is vulnerable to Cross Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform plugin <= 2.25.1...
CVSS 5.4 | AI Score 9.4 | EPSS 0.001
Critical Security Vulnerability Discovered in WooCommerce Stripe Gateway Plugin
A security flaw has been uncovered in the WooCommerce Stripe Gateway WordPress plugin that could lead to the unauthorized disclosure of sensitive information. The flaw, tracked as CVE-2023-34000, impacts versions 7.4.0 and below. It was addressed by the plugin maintainers in version 7.4.1, which...
AI Score 6 | EPSS 0.001
Unauth. IDOR vulnerability leading to PII Disclosure in WooCommerce Stripe Payment Gateway plugin <= 7.4.0...
CVSS 7.5 | AI Score 7.5 | EPSS 0.001
Unauth. IDOR vulnerability leading to PII Disclosure in WooCommerce Stripe Payment Gateway plugin <= 7.4.0...
CVSS 7.5 | AI Score 7.5 | EPSS 0.001
Unauth. IDOR vulnerability leading to PII Disclosure in WooCommerce Stripe Payment Gateway plugin <= 7.4.0...
CVSS 7.5 | AI Score 7.5 | EPSS 0.001
Unauth. IDOR vulnerability leading to PII Disclosure in WooCommerce Stripe Payment Gateway plugin <= 7.4.0...
CVSS 7.5 | AI Score 7.7 | EPSS 0.001
WooCommerce Stripe Payment Gateway < 7.4.1 - Unauthenticated PII Disclosure via IDOR
The plugin does not ensure that the order details to be displayed belong to the user making the request, which allows unauthenticated users to access sensitive information about the reorder details such as first/last names, email and address. PoC: As unauthenticated, see the source of...
CVSS 7.5 | AI Score 7.3 | EPSS 0.001
WooCommerce Stripe Payment Gateway < 7.4.1 - Unauthenticated PII Disclosure via IDOR
The plugin does not ensure that the order details to be displayed belong to the user making the request, which allows unauthenticated users to access sensitive information about the reorder details such as first/last names, email and...
CVSS 7.5 | AI Score 7.6 | EPSS 0.001
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 29, 2023 to June 4, 2023)
Last week, there were 116 vulnerabilities disclosed in 88 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 35 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities...
CVSS 9.8 | AI Score 8.7 | EPSS none listed
How to Configure a Custom Text Banner for the Veeam Backup & Replication Console
This article documents enabling and configuring the "Classified Stripe," a feature that can be configured to prominently display a banner in all Veeam Backup & Replication Consoles that connect to the Veeam Backup Server, including remote...
AI Score 6.8
Several WordPress plugins developed by Cool Plugins are vulnerable to arbitrary plugin installation and activation that can lead to remote code execution by authenticated attackers with minimal permissions, such as a...
CVSS 8.8 | AI Score 8.8 | EPSS 0.004
The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Stored Cross-Site Scripting via the 'email' parameter in versions up to, and including, 1.3.1 due to insufficient....
CVSS 5.4 | AI Score 5.8 | EPSS 0.004
The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Cross-Site Request Forgery. This is due to missing nonce validation in the ls_parse_vcita_callback() function....
CVSS 6.5 | AI Score 6.4 | EPSS 0.001
The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Stored Cross-Site Scripting via the 'email' parameter in versions up to, and including, 1.3.1 due to insufficient....
CVSS 6.4 | AI Score 5.3 | EPSS 0.004
The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Cross-Site Request Forgery. This is due to missing nonce validation in the ls_parse_vcita_callback() function....
CVSS 6.5 | AI Score 6 | EPSS 0.001
The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Stored Cross-Site Scripting via the 'email' parameter in versions up to, and including, 1.3.1 due to insufficient....
CVSS 5.4 | AI Score 5.1 | EPSS 0.004
Cross site request forgery (csrf)
The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Cross-Site Request Forgery. This is due to missing nonce validation in the ls_parse_vcita_callback() function....
CVSS 6.5 | AI Score 6.1 | EPSS 0.001
The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Cross-Site Request Forgery. This is due to missing nonce validation in the ls_parse_vcita_callback() function....
CVSS 6.1 | AI Score 6.3 | EPSS 0.001
The Event Registration Calendar By vcita plugin, versions up to and including 3.9.1, and Online Payments – Get Paid with PayPal, Square & Stripe plugin, for WordPress are vulnerable to Stored Cross-Site Scripting via the 'email' parameter in versions up to, and including, 1.3.1 due to insufficient....
CVSS 6.4 | AI Score 5.9 | EPSS 0.004
Initially reported at https://github.com/stripe/veneur/issues/1058. Since that report, the repository's sidebar has been updated to no longer link to the uncontrolled domain. Many of the 179 forks of this repository still contain the link to the uncontrolled domain. Summary: The...
AI Score 6.9
ChatGPT: Cybersecurity friend or foe?
If you haven't heard about ChatGPT yet, perhaps you've just been thawed from cryogenic slumber or returned from six months off the grid. ChatGPT--the much-hyped, artificial intelligence (AI) chatbot that provides human-like responses from an enormous knowledge base--has been embraced practically...
AI Score 7.1
Malicious code in stripe-terminal-react-native (npm)
Source: ossf-package-analysis (0e3b17da38297fec9219b0316809efc9980ec6945104c9cada84571ffbfb2192). The OpenSSF Package Analysis project identified 'stripe-terminal-react-native' @ 999.99.99 (npm) as malicious. It is considered malicious because:.....
AI Score 7.1
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 8, 2023 to May 14, 2023)
Last week, there were 139 vulnerabilities disclosed in 105 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 47 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities.....
CVSS 9.8 | AI Score 8.2 | EPSS none listed
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 1, 2023 to May 7, 2023)
Last week, there were 58 vulnerabilities disclosed in 43 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 27 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in....
CVSS 9.8 | AI Score 8.9 | EPSS none listed
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin <= 1.7.0.10...
CVSS 6.1 | AI Score 6.2 | EPSS 0.0005
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin <= 1.7.0.10...
CVSS 7.1 | AI Score 6 | EPSS 0.0005
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin <= 1.7.0.10...
CVSS 6.1 | AI Score 6 | EPSS 0.0005
CVE-2022-47441 WordPress Charitable Plugin <= 1.7.0.10 is vulnerable to Cross Site Scripting (XSS)
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin <= 1.7.0.10...
CVSS 7.1 | AI Score 6.3 | EPSS 0.0005
Malicious code in stripe-deep-dup-tree (npm)
Source: ossf-package-analysis (29790a4dda8ea513434302f82a02b4ef9cb90fa0b9e63de804082d284c8cb989). The OpenSSF Package Analysis project identified 'stripe-deep-dup-tree' @ 1.0.0 (npm) as malicious. It is considered malicious because: - The...
AI Score 7.3