CVE-2022-3986 WP Stripe Checkout < 1.2.2.21 - Contributor+ Stored XSS
The WP Stripe Checkout WordPress plugin before 1.2.2.21 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting...
AI Score: 5.4 | EPSS: 0.001
Early user can break the minting of LP Tokens
Lines of code. Vulnerability details. Impact: The attack vector is the same as TOB-YEARN-003, where users may not receive liquidity tokens in exchange for their baseTokenAmount and fractionalTokenAmount deposited if the total baseTokenAmount has been manipulated through a large “donation”. In the...
AI Score: 6.8
First depositor can break minting of shares
Lines of code. Vulnerability details. Impact: The attack vector and impact are the same as TOB-YEARN-003, where users may not receive shares in exchange for their deposits if the total asset amount has been manipulated through a large “donation”. Proof of Concept: In Pair.add(), the amount of LP token.....
AI Score: 6.7
Stripe: Possible XSS vulnerability without a content security bypass
Summary: Hi security team members, hope you are well and doing great :) I found a possible XSS vulnerability in https://dashboard.stripe.com but I was not able to bypass the content security policy. Although I don't have much knowledge about CSP and its bypasses, I read that you accept the XSS....
AI Score: 6
The Donation Button WordPress plugin through 4.0.0 does not properly check for privileges and nonce tokens in its "donation_button_twilio_send_test_sms" AJAX action, which may allow any user with an account on the affected site, such as a subscriber, to use the plugin's Twilio integration to send...
CVSS: 4.3 | AI Score: 4.8 | EPSS: 0.001
The Donation Button WordPress plugin through 4.0.0 does not properly check for privileges and nonce tokens in its "donation_button_twilio_send_test_sms" AJAX action, which may allow any user with an account on the affected site, such as a subscriber, to use the plugin's Twilio integration to send...
CVSS: 4.3 | AI Score: 4.7 | EPSS: 0.001
The Donation Button WordPress plugin through 4.0.0 does not sanitize and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting...
CVSS: 5.4 | AI Score: 5.2 | EPSS: 0.001
The Donation Button WordPress plugin through 4.0.0 does not sanitize and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting...
CVSS: 5.4 | AI Score: 5.3 | EPSS: 0.001
CVE-2022-4004 Donation Button <= 4.0.0 - Subscriber+ Broken Access Control leading to SMS Spam
The Donation Button WordPress plugin through 4.0.0 does not properly check for privileges and nonce tokens in its "donation_button_twilio_send_test_sms" AJAX action, which may allow any user with an account on the affected site, such as a subscriber, to use the plugin's Twilio integration to send...
AI Score: 4.8 | EPSS: 0.001
CVE-2022-4005 Donation Button <= 4.0.0 - Contributor+ Stored XSS
The Donation Button WordPress plugin through 4.0.0 does not sanitize and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting...
AI Score: 5.4 | EPSS: 0.001
Ho, ho, no! Scams to avoid this festive season
Whether you've been naughty or nice, someone will try to stuff a scam down your chimney either way. The FBI is warning of several likely ways to be parted from your funds or logins, and we're going to give some additional context along with tips to avoid these digital lumps of coal. Social media.....
AI Score: -0.3
Auth. Stored Cross-Site Scripting (XSS) vulnerability discovered by Lana Codes in WordPress WP Stripe Checkout plugin (versions <= 1.2.2.20). Solution Update the WordPress WP Stripe Checkout plugin to the latest available version (at least...
AI Score: 2.1
WP Stripe Checkout < 1.2.2.21 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. PoC: As a contributor, put the following shortcode in a page/post...
CVSS: 5.4 | AI Score: 1.9
WP Stripe Checkout < 1.2.2.21 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting...
CVSS: 5.4 | AI Score: 1.1
Donation Button <= 4.0.0 - Subscriber+ Broken Access Control leading to SMS Spam
The plugin does not properly check for privileges and nonce tokens in its "donation_button_twilio_send_test_sms" AJAX action, which may allow any user with an account on the affected site, such as a subscriber, to use the plugin's Twilio integration to send SMSes to arbitrary phone...
CVSS: 4.3 | AI Score: 0.8
Donation Button <= 4.0.0 - Contributor+ Stored XSS
The plugin does not sanitize and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting...
CVSS: 5.4 | AI Score: 0.8
Donation Button <= 4.0.0 - Contributor+ Stored XSS
The plugin does not sanitize and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. PoC: Put the following shortcode in a blog post: [paypal_donation_button align='center"...
CVSS: 5.4 | AI Score: 2.5
Donation Button <= 4.0.0 - Subscriber+ Broken Access Control leading to SMS Spam
The plugin does not properly check for privileges and nonce tokens in its "donation_button_twilio_send_test_sms" AJAX action, which may allow any user with an account on the affected site, such as a subscriber, to use the plugin's Twilio integration to send SMSes to arbitrary phone numbers. PoC: While....
CVSS: 4.3 | AI Score: 2.5
Unbreakable Enterprise kernel security update
[4.14.35-2047.519.2.1]
- xfs: trim IO to found COW extent limit (Eric Sandeen) [Orabug: 34765284]
- xfs: don't use delalloc extents for COW on files with extsize hints (Christoph Hellwig) [Orabug: 34765284]
[4.14.35-2047.519.2]
- Revert 'xfs: don't use delalloc extents for COW on files with...
CVSS: 7.8 | AI Score: -0.1
Unbreakable Enterprise kernel-container security update
[4.14.35-2047.519.2.1.el7]
- xfs: trim IO to found COW extent limit (Eric Sandeen) [Orabug: 34765284]
- xfs: don't use delalloc extents for COW on files with extsize hints (Christoph Hellwig) [Orabug: 34765284]
[4.14.35-2047.519.2]
- Revert 'xfs: don't use delalloc extents for COW on files with...
CVSS: 7.8 | AI Score: -0.1
WordPress Metform <=2.1.3 - Information Disclosure
WordPress Metform plugin through 2.1.3 is susceptible to information disclosure due to improper access control in the ~/core/forms/action.php file. An attacker can view all API keys and secrets of integrated third-party APIs such as that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA.....
AI Score: 7.2 | EPSS: 0.041
Lawsuit Seeks Food Benefits Stolen By Skimmers
A nonprofit organization is suing the state of Massachusetts on behalf of thousands of low-income families who were collectively robbed of more than $1 million in food assistance benefits by card skimming devices secretly installed at cash machines and grocery store checkout lanes across the...
AI Score: -0.5
WordPress WP Fundraising Donation and Crowdfunding Platform <1.5.0 - SQL Injection
WordPress WP Fundraising Donation and Crowdfunding Platform plugin before 1.5.0 contains an unauthenticated SQL injection vulnerability. It does not sanitize and escape a parameter before using it in a SQL statement via a REST route. An attacker can possibly obtain sensitive information, modify...
AI Score: 10 | EPSS: 0.04
MHDDoS - DDoS Attack Script With 56 Methods
Best DDoS attack script in Python3 (Cyber/DDoS attack) with 56 methods. Please don't attack websites without the owner's consent. ...
Unbreakable Enterprise kernel security update
[5.4.17-2136.312.3.4]
- Revert 'fs: check FMODE_LSEEK to control internal pipe splicing' (Saeed Mirzamohammadi) [Orabug: 34666845]
[5.4.17-2136.312.3.3]
cpus_read_lock() deadlock (Tejun Heo) [Orabug: 34607590]
- cgroup: Elide write-locking threadgroup_rwsem when updating csses on an empty...
CVSS: 7 | AI Score: -0.6
Unbreakable Enterprise kernel-container security update
[5.4.17-2136.312.3.4]
- Revert 'fs: check FMODE_LSEEK to control internal pipe splicing' (Saeed Mirzamohammadi) [Orabug: 34666845]
[5.4.17-2136.312.3.3]
cpus_read_lock() deadlock (Tejun Heo) [Orabug: 34607590]
- cgroup: Elide write-locking threadgroup_rwsem when updating csses on an empty...
CVSS: 7 | AI Score: -0.6
How Card Skimming Disproportionally Affects Those Most In Need
When people banking in the United States lose money because their payment card got skimmed at an ATM, gas pump or grocery store checkout terminal, they may face hassles or delays in recovering any lost funds, but they are almost always made whole by their financial institution. Yet, one class of...
AI Score: -0.4
WordPress Donation Thermometer Cross-Site Scripting Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language; a WordPress plugin is an application plug-in. A cross-site scripting vulnerability exists in versions of WordPress Donation Thermometer prior to 2.1.3. The...
CVSS: 4.8 | AI Score: 0.3
A look at the 2020–2022 ATM/PoS malware landscape
During the pandemic, lockdowns forced people to stay at home and do their shopping online, which was mirrored in point-of-sale (PoS) and ATM malware activity, as certain regions saw malicious transactions drop significantly. Now, as we predicted in last year's forecast, many are returning to their....
AI Score: -0.1
The Donation Thermometer WordPress plugin before 2.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
CVSS: 4.8 | AI Score: 4.6 | EPSS: 0.001
The Donation Thermometer WordPress plugin before 2.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
CVSS: 4.8 | AI Score: 4.7 | EPSS: 0.001
CVE-2022-3128 Donation Thermometer < 2.1.3 - Admin+ Stored Cross-Site Scripting
The Donation Thermometer WordPress plugin before 2.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
AI Score: 4.7 | EPSS: 0.001
The Donation Thermometer WordPress plugin before 2.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
AI Score: 4.8 | EPSS: 0.001
Stripe: Promotion code can be used more than redemption limit.
Summary: While creating a promotion code, a user can specify the number of times that code can be redeemed (i.e. the redemption limit). {F1962666} Codes aren't supposed to be redeemed more than the redemption limit. But there exists a race condition that allows use of promotion codes more than the redemption...
AI Score: 6.9
Prilex: the pricey prickle credit card complex
Prilex is a Brazilian threat actor that has evolved out of ATM-focused malware into modular point-of-sale malware. The group was behind one of the largest attacks on ATMs in the country, infecting and jackpotting more than 1,000 machines, while also cloning in excess of 28,000 credit cards that...
AI Score: 0.4
OSRipper - AV Evading OSX Backdoor And Crypter Framework
OSRipper is a fully undetectable backdoor generator and crypter which specialises in OSX M1 malware. It will also work on Windows, but for now there is no support for it and it IS NOT FUD for Windows (yet, at least), and for now I will not focus on Windows. You can also PM me on Discord for support...
AI Score: -0.1
First depositor can break minting of shares
Lines of code. Vulnerability details. Impact: The attack vector and impact are the same as TOB-YEARN-003, where users may not receive shares in exchange for their deposits if the total asset amount has been manipulated through a large “donation”. In the SemiFungibleVault.sol file, the allocation of...
AI Score: 6.9
Say Hello to Crazy Thin ‘Deep Insert’ ATM Skimmers
A number of financial institutions in and around New York City are dealing with a rash of super-thin "deep insert" skimming devices designed to fit inside the mouth of an ATM's card acceptance slot. The card skimmers are paired with tiny pinhole cameras that are cleverly disguised as part of the...
AI Score: -0.2
Donation Thermometer < 2.1.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). PoC: Put the following payload in the Settings >...
CVSS: 4.8 | AI Score: 0.4
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Asif Nawaz Minhas in WordPress Donation Thermometer plugin (versions <= 2.1.2). Solution Update the WordPress Donation Thermometer plugin to the latest available version (at least...
CVSS: 4.8 | AI Score: 2.3
Donation Thermometer < 2.1.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
CVSS: 4.8 | AI Score: 0.1
Stripe: Mass Accounts Takeover Without any user Interaction at https://app.taxjar.com/
@mr_asg discovered an improper access control issue in TaxJar. This could have allowed for account takeover using the email change functionality. The vulnerability was caused by not correctly validating whether or not the reset password token was connected to the user being reset and was resolved.....
AI Score: 6.9
Twitter security under scrutiny after former executive turns whistleblower
A former Twitter executive has acted as a whistleblower and alleged some serious problems. Provided these accusations are true, the disclosure shows a side of Twitter that poses a threat to its own users' personal information, to company shareholders, to national security, and to democracy....
AI Score: -0.6
Stripe: Unauthorized Canceling/Unsubscribe TaxJar account & Payment information Disclosure
@mr_asg discovered that users of an account with member permissions were improperly allowed to view certain subscription details and cancel the subscription for that account. I discovered a Vulnerability that allows the user who has member privileges to unsubscribe (Cancel) the account instead of.....
AI Score: 6.8
Improper access control at app.taxjar.com/current_user_data allows a user with the member role to invite themselves to the account as an...
AI Score: 6.9
Security update for trivy (moderate)
An update that fixes three vulnerabilities is now available. Description: This update for trivy fixes the following issues: Update to version 0.30.4:
- fix: remove the first arg when running as a plugin (#2595)
- fix: k8s controlplaner scanning (#2593)
- fix(vuln): GitLab report template (#2578) ...
CVSS: 9.1 | AI Score: -0.7
Stripe: [Broken Access Control] Unauthorized Linking accounts & Linked Accounts info Disclosure
@mr_asg discovered that users of an account with member permissions were improperly allowed to see activated linked accounts and connect new carts to the account. I discovered a vulnerability that allows the user who has member privileges to connect new carts to the TaxJar account, like...
AI Score: 6.9
Twilio Suffers Data Breach After Employees Fall Victim to SMS Phishing Attack
Customer engagement platform Twilio on Monday disclosed that a "sophisticated" threat actor gained "unauthorized access" using an SMS-based phishing campaign aimed at its staff to gain information on a "limited number" of accounts. The social-engineering attack was bent on stealing employee...
AI Score: 0.2