Accept Stripe Donation – AidWP Security Vulnerabilities

Cross site scripting

Auth. (shop manager+) Stored Cross-Site Scripting (XSS) vulnerability in PHPRADAR Woocommerce Tip/Donation plugin <= 1.2...

CVE-2023-28783 WordPress Woocommerce Tip/Donation Plugin <= 1.2 is vulnerable to Cross Site Scripting (XSS)

Auth. (shop manager+) Stored Cross-Site Scripting (XSS) vulnerability in PHPRADAR Woocommerce Tip/Donation plugin &lt;= 1.2...

Discord.io confirms theft of 760,000 members' data

Discord.io was/is a third party service that enables owners of Discord servers to create customized, personal Discord invites. After a preview of Discord.io's users database was posted on BreachForums, the owners have decided to shut down all Discord.io services "for the foreseeable future."...

CVE-2023-40028

Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnerability which allows authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system. Site administrators can...

Nine years of the GitHub Security Bug Bounty program

It was another record year for our Security Bug Bounty program! We're excited to highlight some achievements we’ve made together with the bounty community in 2022! The ninth year of GitHub’s Security Bug Bounty Program saw our program reach new heights. We’re very excited to provide a look into...

CVE-2023-28535

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Paytm Paytm Payment Donation plugin &lt;= 2.2.0...

CVE-2023-28535

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Paytm Paytm Payment Donation plugin &lt;= 2.2.0...

Cross site scripting

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Paytm Paytm Payment Donation plugin &lt;= 2.2.0...

CVE-2023-28535 WordPress Paytm Payment Donation Plugin <= 2.2.0 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Paytm Paytm Payment Donation plugin &lt;= 2.2.0...

Wordfence Intelligence Weekly WordPress Vulnerability Report (July 31, 2023 to August 6, 2023)

Last week, there were 29 vulnerabilities disclosed in 24 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 18 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities...

CVE-2023-28934

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mammothology WP Full Stripe Free plugin &lt;= 1.6.1...

CVE-2023-28934

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mammothology WP Full Stripe Free plugin &lt;= 1.6.1...

Cross site scripting

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mammothology WP Full Stripe Free plugin &lt;= 1.6.1...

CVE-2023-28934 WordPress WP Full Stripe Free Plugin <= 1.6.1 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mammothology WP Full Stripe Free plugin &lt;= 1.6.1...

Demystifying the WordPress Vulnerability Landscape: 2023 Mid-Year Wordfence Intelligence WordPress Vulnerability Review Leveraging ChatGPT

In the first 6 months of 2023, our team has already added 2,471[1] individual vulnerability records to the Wordfence Intelligence WordPress Vulnerability Database. These vulnerabilities affected 1,680[2] WordPress software components. This means we have already surpassed the total number of...

Vulnerability: Donation Attacks can Cause Loss of Liquidity and/or Undesired Prices Rebalance / Contract: GeVault / Function: withdraw

Lines of code Vulnerability details Impact Donation attack can cause loss of users liquidity or undesired tick rebalance by price manipulation. Proof of Concept An attacker can cause constant rebalancing, instability, and along with the vulnerability of slot0 in the getTokenAmountsExcludingFees...

Exploit for Missing Authorization in Wpmet Metform Elementor Contact Form Builder

CVE-2022-1442 WordPress Plugin Metform &lt;= 2.1.3 - Improper...

Stripe Payment Plugin for WooCommerce < 3.7.8 - Authentication Bypass

Description The plugin does not properly check users during the Stripe checkout process, which could allow unauthenticated attackers to log in as any users having placed an order when the Stripe checkout option is...

WebToffee Addresses Authentication Bypass Vulnerability in Stripe Payment Plugin for WooCommerce WordPress Plugin

On June 8, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Authentication Bypass vulnerability in WebToffee’s Stripe Payment Plugin for WooCommerce plugin, which is actively installed on more than 10,000 WordPress websites. This...

WordPress Stripe Payment Plugin For WooCommerce 3.7.7 Authentication Bypass Vulnerability

WordPress Stripe Payment Plugin for WooCommerce plugin versions 3.7.7 and below suffer from an authentication bypass...

WordPress Stripe Payment Plugin For WooCommerce 3.7.7 Authentication Bypass

...

Wordfence Intelligence Weekly WordPress Vulnerability Report (July 17, 2023 to July 23, 2023)

Last week, there were 62 vulnerabilities disclosed in 1035 WordPress Plugins and 90 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 36 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities....

Part II: Implementing Effective Cyber Security Metrics that Reduce Risk Realistically

In Part I of this three-part blog series, we discussed building a cyber risk metrics program from the ground up. We also discovered how to implement effective strategies for holistically articulating your cyber risk posture across your organization. In our second installment, we’ll delve deeper...

Ransomware making big money through "big game hunting"

Ransomware generates big money for the groups behind it, with new research confirming (some) of the scale of the problem. Chainalysis, a blockchain research firm, looked at data from monitored cryptocurrency wallets, concluding that around $449 million has been taken from victims in the last six...

Wordfence Intelligence Weekly WordPress Vulnerability Report (July 3, 2023 to July 9, 2023)

Last week, there were 61 vulnerabilities disclosed in 54 WordPress Plugins and 1 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 28 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in....

CVE-2023-24405

Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Contact Form 7 – PayPal & Stripe Add-on plugin &lt;= 1.9.3...

CVE-2023-24405

Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Contact Form 7 – PayPal & Stripe Add-on plugin &lt;= 1.9.3...

Cross site request forgery (csrf)

Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Contact Form 7 – PayPal & Stripe Add-on plugin &lt;= 1.9.3...

CVE-2023-24405 WordPress Contact Form 7 – PayPal & Stripe Add-on Plugin <= 1.9.3 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Scott Paterson Contact Form 7 – PayPal & Stripe Add-on plugin &lt;= 1.9.3...

First liquidity provider can break minting of shares

Lines of code Vulnerability details Impact The attack vector and impact is that users may not receive shares in exchange for their deposits if the total asset amount has been manipulated through a large “donation”. Proof of Concept The attack vector and impact is that users may not receive shares.....

TWAP can be easily manipulated by attacker through the sync() function, causing loss of funds

Lines of code Vulnerability details Description Please refer to the issue titled Implementation of Well shift() function allows attackers to completely manipulate the oracles for relevant introduction and context. The safety of the TWAP relies on calling the observation function (update()) with...

CVE-2023-36817

tktchurch/website contains the codebase for The King's Temple Church website. In version 0.1.0, a Stripe API key was found in the public code repository of the church's project. This sensitive information was unintentionally committed and subsequently exposed in the codebase. If an unauthorized...

CVE-2023-36817

tktchurch/website contains the codebase for The King's Temple Church website. In version 0.1.0, a Stripe API key was found in the public code repository of the church's project. This sensitive information was unintentionally committed and subsequently exposed in the codebase. If an unauthorized...

CVE-2023-36817

tktchurch/website contains the codebase for The King's Temple Church website. In version 0.1.0, a Stripe API key was found in the public code repository of the church's project. This sensitive information was unintentionally committed and subsequently exposed in the codebase. If an unauthorized...

Code injection

tktchurch/website contains the codebase for The King's Temple Church website. In version 0.1.0, a Stripe API key was found in the public code repository of the church's project. This sensitive information was unintentionally committed and subsequently exposed in the codebase. If an unauthorized...

CVE-2023-36817 The King's Temple Church website Leaked Stripe API Key in Public Code Repository

tktchurch/website contains the codebase for The King's Temple Church website. In version 0.1.0, a Stripe API key was found in the public code repository of the church's project. This sensitive information was unintentionally committed and subsequently exposed in the codebase. If an unauthorized...

WooCommerce Stripe Payment Gateway Plugin for WordPress < 7.4.1 Insecure Direct Object Reference

The WordPress WooCommerce Stripe Payment Gateway Plugin installed on the remote host is affected by an Insecure Direct Object Reference leading to Personally Identifiable Information Disclosure. Note that the scanner has not tested for these issues but has instead relied only on the application's.....

WooCommerce Stripe Payment Gateway < 7.4.1 - Subscriber+ Order Intent Update

The plugin does not properly restrict users from making a certain set of changes to other customers' orders. TODO: ADD link to Patchstack's post instead of H1 PoC Affected functions: create_payment_intent_ajax update_payment_intent_ajax save_upe_appearance_ajax update_order_status_ajax...

WooCommerce Stripe Payment Gateway < 7.4.1 - Subscriber+ Order Intent Update

The plugin does not properly restrict users from making a certain set of changes to other customers' orders. TODO: ADD link to Patchstack's post instead of...

Wordfence Intelligence Weekly WordPress Vulnerability Report (June 12, 2023 to June 18, 2023)

Last week, there were 60 vulnerabilities disclosed in 52 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 25 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities...

WordPress WooCommerce Stripe Payment Gateway Plugin < 7.4.1 IDOR Vulnerability

The WordPress...

M-10 Unmitigated

Lines of code Vulnerability details Mitigation of M-10: Issue NOT mitigated Mitigated issue M-10: First 1 wei deposit can produce lose of user xETH funds in wxETH Fix: code-423n4/2023-05-xeth@fbb2972 The issue is similar to the standard inflation attack, except that instead of the attacker's...

CVE-2023-25450

Cross-Site Request Forgery (CSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform plugin &lt;= 2.25.1...

CVE-2023-25450

Cross-Site Request Forgery (CSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform plugin &lt;= 2.25.1...

Cross site request forgery (csrf)

Cross-Site Request Forgery (CSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform plugin &lt;= 2.25.1...

CVE-2023-25450 WordPress GiveWP Plugin <= 2.25.1 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform plugin &lt;= 2.25.1...

Critical Security Vulnerability Discovered in WooCommerce Stripe Gateway Plugin

A security flaw has been uncovered in the WooCommerce Stripe Gateway WordPress plugin that could lead to the unauthorized disclosure of sensitive information. The flaw, tracked as CVE-2023-34000, impacts versions 7.4.0 and below. It was addressed by the plugin maintainers in version 7.4.1, which...

CVE-2023-34000

Unauth. IDOR vulnerability leading to PII Disclosure in WooCommerce Stripe Payment Gateway plugin &lt;= 7.4.0...

CVE-2023-34000

Unauth. IDOR vulnerability leading to PII Disclosure in WooCommerce Stripe Payment Gateway plugin &lt;= 7.4.0...

Design/Logic Flaw

Unauth. IDOR vulnerability leading to PII Disclosure in WooCommerce Stripe Payment Gateway plugin &lt;= 7.4.0...