Mollie Payment Forms & Donations Security Vulnerabilities

cve

CVE-2024-2108

The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an image title embedded into a form in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes...

4.6 CVSS

7.7 AI Score

0.0004 EPSS

2024-03-29 07:15 AM
31
nvd

CVE-2024-2108

The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an image title embedded into a form in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes...

4.6 CVSS

4.3 AI Score

0.0004 EPSS

2024-03-29 07:15 AM
nvd

CVE-2024-2113

The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.0. This is due to missing or incorrect nonce validation on the nf_download_all_subs AJAX action. This makes it...

4.3 CVSS

4.3 AI Score

0.0004 EPSS

2024-03-29 07:15 AM
cvelist

CVE-2024-2108

The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an image title embedded into a form in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes...

4.6 CVSS

4.5 AI Score

0.0004 EPSS

2024-03-29 06:44 AM
cvelist

CVE-2024-2113

The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.0. This is due to missing or incorrect nonce validation on the nf_download_all_subs AJAX action. This makes it...

4.3 CVSS

4.6 AI Score

0.0004 EPSS

2024-03-29 06:43 AM
fedora

[SECURITY] Fedora 40 Update: php-tcpdf-6.7.4-1.fc40

PHP class for generating PDF documents. * no external libraries are required for the basic functions; * all standard page formats, custom page formats, custom margins and units of measure; * UTF-8 Unicode and Right-To-Left languages; * TrueTypeUnicode, OpenTypeUnicode, TrueType, OpenType, Type1...

7.4 AI Score

2024-03-29 04:11 AM
10
wpvulndb

Ninja Forms Contact Form < 3.8.1 - Publicly Accessible Form Submission Export via CSRF

Description: The plugin is vulnerable to Cross-Site Request Forgery. This is due to missing or incorrect nonce validation on the nf_download_all_subs AJAX action. This makes it possible for unauthenticated attackers to trigger an export of a form's submission to a publicly accessible location via a.....

4.3 CVSS

6.6 AI Score

0.0004 EPSS

2024-03-29 12:00 AM
9
nessus

FreeBSD : Gitlab -- vulnerabilities (d2992bc2-ed18-11ee-96dc-001b217b3468)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the d2992bc2-ed18-11ee-96dc-001b217b3468 advisory. An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all...

8.7 CVSS

6.1 AI Score

0.001 EPSS

2024-03-29 12:00 AM
9
wpvulndb

MasterStudy LMS < 3.3.2 - Unauthenticated Privilege Escalation

Description: The plugin is vulnerable to Privilege Escalation due to insufficient validation checks within the _register_user() function called by the 'wp_ajax_nopriv_stm_lms_register' AJAX action. This makes it possible for unauthenticated attackers to register a user with administrator-level...

9.8 CVSS

6.9 AI Score

0.0004 EPSS

2024-03-29 12:00 AM
4
wpvulndb

Ninja Forms Contact Form < 3.8.1 - Author+ Stored XSS

Description: The plugin is vulnerable to Stored Cross-Site Scripting via an image title embedded into a form due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages...

4.6 CVSS

5.8 AI Score

0.0004 EPSS

2024-03-29 12:00 AM
10
krebs

Thread Hijacking: Phishes That Prey on Your Curiosity

Thread hijacking attacks. They happen when someone you know has their email account compromised, and you are suddenly dropped into an existing conversation between the sender and someone else. These missives draw on the recipient's natural curiosity about being copied on a private discussion,...

7.2 AI Score

2024-03-28 11:56 PM
9
wordfence

Wordfence Intelligence Weekly WordPress Vulnerability Report (March 18, 2024 to March 24, 2024)

Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 94 vulnerabilities disclosed in 81 WordPress.....

9.9 CVSS

9.4 AI Score

0.001 EPSS

2024-03-28 03:35 PM
25
schneier

Hardware Vulnerability in Apple’s M-Series Chips

It's yet another hardware side-channel attack: The threat resides in the chips’ data memory-dependent prefetcher, a hardware optimization that predicts the memory addresses of data that running code is likely to access in the near future. By loading the contents into the CPU cache before it’s...

7 AI Score

2024-03-28 11:05 AM
10
thn

Behind the Scenes: The Art of Safeguarding Non-Human Identities

In the whirlwind of modern software development, teams race against time, constantly pushing the boundaries of innovation and efficiency. This relentless pace is fueled by an evolving tech landscape, where SaaS domination, the proliferation of microservices, and the ubiquity of CI/CD pipelines are....

7.4 AI Score

2024-03-28 11:00 AM
11
packetstorm

7.4 AI Score

2024-03-28 12:00 AM
66
nessus

FreeBSD : chromium -- multiple security fixes (814af1be-ec63-11ee-8e76-a8a1599412c6)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 814af1be-ec63-11ee-8e76-a8a1599412c6 advisory. Use after free in ANGLE in Google Chrome prior to 123.0.6312.86 allowed a remote attacker to...

7.7 AI Score

0.0004 EPSS

2024-03-28 12:00 AM
9
redhat

(RHSA-2024:1538) Moderate: OpenShift Container Platform 4.12 low-latency extras security update

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the extra low-latency container images for Red Hat OpenShift Container Platform 4.12. See the following advisory...

8.9 AI Score

0.963 EPSS

2024-03-27 03:02 PM
9
redhat

(RHSA-2024:1537) Moderate: OpenShift Container Platform 4.13.38 low-latency extras security update

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the extra low-latency container images for Red Hat OpenShift Container Platform 4.13. See the following advisory...

8 AI Score

0.001 EPSS

2024-03-27 03:01 PM
11
redhat

(RHSA-2024:1474) Moderate: logging for Red Hat OpenShift security update

Logging for Red Hat OpenShift is an opinionated collector and normalizer of application, infrastructure, and audit logs. It is intended to be used for forwarding logs to various supported systems. Security Fix(es): golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in...

8.6 AI Score

0.963 EPSS

2024-03-27 02:51 PM
15
redhat

(RHSA-2024:1508) Moderate: logging for Red Hat OpenShift security update

Logging for Red Hat OpenShift is an opinionated collector and normalizer of application, infrastructure, and audit logs. It is intended to be used for forwarding logs to various supported systems. Security Fix(es): golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in...

9.3 AI Score

0.963 EPSS

2024-03-27 02:37 PM
10
redhat

(RHSA-2024:1507) Moderate: logging for Red Hat OpenShift security update

Logging for Red Hat OpenShift is an opinionated collector and normalizer of application, infrastructure, and audit logs. It is intended to be used for forwarding logs to various supported systems. Security Fix(es): golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in...

8.4 AI Score

0.001 EPSS

2024-03-27 02:19 PM
6
cve

CVE-2024-28852

Ampache is a web based audio/video streaming application and file manager. Ampache has multiple reflective XSS vulnerabilities, this means that all forms in the Ampache that use rule as a variable are not secure. For example, when querying a song, when querying a podcast, we need to use $rule...

6.1 CVSS

5.9 AI Score

0.0004 EPSS

2024-03-27 02:15 PM
32
nvd

CVE-2024-28852

Ampache is a web based audio/video streaming application and file manager. Ampache has multiple reflective XSS vulnerabilities, this means that all forms in the Ampache that use rule as a variable are not secure. For example, when querying a song, when querying a podcast, we need to use $rule...

6.1 CVSS

6 AI Score

0.0004 EPSS

2024-03-27 02:15 PM
cve

CVE-2023-44999

Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Stripe Payment Gateway. This issue affects WooCommerce Stripe Payment Gateway: from n/a through...

5.4 CVSS

6.9 AI Score

0.0004 EPSS

2024-03-27 02:15 PM
73
nvd

CVE-2023-44999

Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Stripe Payment Gateway. This issue affects WooCommerce Stripe Payment Gateway: from n/a through...

5.4 CVSS

5.5 AI Score

0.0004 EPSS

2024-03-27 02:15 PM
cvelist

CVE-2023-44999 WordPress WooCommerce Stripe Gateway plugin <= 7.6.0 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Stripe Payment Gateway. This issue affects WooCommerce Stripe Payment Gateway: from n/a through...

5.4 CVSS

5.8 AI Score

0.0004 EPSS

2024-03-27 01:27 PM
cvelist

CVE-2024-28852 Ampache has multiple reflective XSS vulnerabilities

Ampache is a web based audio/video streaming application and file manager. Ampache has multiple reflective XSS vulnerabilities, this means that all forms in the Ampache that use rule as a variable are not secure. For example, when querying a song, when querying a podcast, we need to use $rule...

6.1 CVSS

6.1 AI Score

0.0004 EPSS

2024-03-27 01:18 PM
cve

CVE-2024-29793

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MailMunch MailChimp Forms by MailMunch allows Stored XSS. This issue affects MailChimp Forms by MailMunch: from n/a through...

6.5 CVSS

9.1 AI Score

0.0004 EPSS

2024-03-27 01:15 PM
28
nvd

CVE-2024-29793

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MailMunch MailChimp Forms by MailMunch allows Stored XSS. This issue affects MailChimp Forms by MailMunch: from n/a through...

6.5 CVSS

6.4 AI Score

0.0004 EPSS

2024-03-27 01:15 PM
cvelist

CVE-2024-29793 WordPress MailChimp Forms by MailMunch plugin <= 3.2.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MailMunch MailChimp Forms by MailMunch allows Stored XSS. This issue affects MailChimp Forms by MailMunch: from n/a through...

6.5 CVSS

6.6 AI Score

0.0004 EPSS

2024-03-27 12:42 PM
thn

Alert: New Phishing Attack Delivers Keylogger Disguised as Bank Payment Notice

A new phishing campaign has been observed leveraging a novel loader malware to deliver an information stealer and keylogger called Agent Tesla. Trustwave SpiderLabs said it identified a phishing email bearing this attack chain on March 8, 2024. The message masquerades as a bank payment...

8.8 CVSS

9.4 AI Score

0.005 EPSS

2024-03-27 07:56 AM
19
redhat

(RHSA-2024:1461) Moderate: OpenShift Container Platform 4.14.18 packages and security update

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.14.18. See the following advisory for the container...

5.8 AI Score

0.0004 EPSS

2024-03-27 12:33 AM
15
redhat

(RHSA-2024:1456) Moderate: OpenShift Container Platform 4.13.38 packages and security update

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.38. See the following advisory for the container...

7.8 AI Score

0.0005 EPSS

2024-03-27 12:33 AM
19
nessus

RHEL 8 / 9 : OpenShift Container Platform 4.14.18 (RHSA-2024:1461)

The remote Redhat Enterprise Linux 8 / 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:1461 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private...

6.6 AI Score

0.0004 EPSS

2024-03-27 12:00 AM
13
nessus

RHEL 8 / 9 : OpenShift Container Platform 4.13.38 (RHSA-2024:1456)

The remote Redhat Enterprise Linux 8 / 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2024:1456 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or...

4.3 CVSS

6.2 AI Score

0.0005 EPSS

2024-03-27 12:00 AM
13
nessus

FreeBSD : phpmyfaq -- multiple vulnerabilities (8b3be705-eba7-11ee-99b3-589cfc0f81b0)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 8b3be705-eba7-11ee-99b3-589cfc0f81b0 advisory. phpMyFAQ team reports: The phpMyFAQ Team has learned of multiple security issues that'd ...

8 AI Score

2024-03-27 12:00 AM
7
nessus

FreeBSD : emacs -- multiple vulnerabilities (f661184a-eb90-11ee-92fc-1c697a616631)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the f661184a-eb90-11ee-92fc-1c697a616631 advisory. In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. This...

6.8 AI Score

0.0005 EPSS

2024-03-27 12:00 AM
9
ubuntucve

CVE-2024-28852

Ampache is a web based audio/video streaming application and file manager. Ampache has multiple reflective XSS vulnerabilities, this means that all forms in the Ampache that use rule as a variable are not secure. For example, when querying a song, when querying a podcast, we need to use $rule...

6.1 CVSS

6.2 AI Score

0.0004 EPSS

2024-03-27 12:00 AM
7
nessus

RHCOS 4 : OpenShift Container Platform 4.14.18 (RHSA-2024:1461)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:1461 advisory. The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur...

6.9 AI Score

0.0004 EPSS

2024-03-27 12:00 AM
11
nessus

RHCOS 4 : OpenShift Container Platform 4.13.38 (RHSA-2024:1456)

The remote Red Hat Enterprise Linux CoreOS 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2024:1456 advisory. The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can...

4.3 CVSS

6.6 AI Score

0.0005 EPSS

2024-03-27 12:00 AM
9
qualysblog

Meeting FISMA (M-24-04) Requirements with a Unified Attack Surface Management Strategy

At the end of 2023, the Office of Management and Budget (OMB) released the FY24 FISMA Guidance (M-24-04) with a broad focus on securing the entire attack surface and specific action items for agencies pertaining to High Value Assets, IoT/OT devices, and internet-connected assets. In reference to...

7 AI Score

2024-03-26 02:00 PM
10
thn

Crafting Shields: Defending Minecraft Servers Against DDoS Attacks

Minecraft, with over 500 million registered users and 166 million monthly players, faces significant risks from distributed denial-of-service (DDoS) attacks, threatening server functionality, player experience, and the game's reputation. Despite the prevalence of DDoS attacks on the game, the...

7.2 AI Score

2024-03-26 11:29 AM
19
thn

U.S. Sanctions 3 Cryptocurrency Exchanges for Helping Russia Evade Sanctions

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned three cryptocurrency exchanges for offering services used to evade economic restrictions imposed on Russia following its invasion of Ukraine in early 2022. This includes Bitpapa IC FZC LLC, Crypto Explorer...

7.1 AI Score

2024-03-26 08:31 AM
19
wpvulndb

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login < 5.3.2.0 - Authenticated (Contributor+) SQL Injection via Shortcode

Description: The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to blind SQL Injection via the ‘id’ parameter of the RM_Form shortcode in all versions up to, and including, 5.3.1.0 due to insufficient escaping on the user....

8.8 CVSS

7.2 AI Score

0.0004 EPSS

2024-03-26 12:00 AM
5
cnvd

DzzOffice Cross-Site Scripting Vulnerability (CNVD-2024-15545)

DzzOffice is a platform that provides online collaborative office suite functionality from the American company Big Desk (DzzOffice). The platform can be used to provide online documents, forms, webstores, presentations and other features. A cross-site scripting vulnerability exists in dzzoffice...

6.3 AI Score

0.0004 EPSS

2024-03-26 12:00 AM
6
malwarebytes

Vans warns customers of data breach

Skater brand Vans emailed customers last week to tell them about a recent “data incident.” On December 13, 2023, Vans said it detected unauthorized activities on its IT systems, attributed to "external threat actors." An investigation revealed that the incident involved some personal information...

7.3 AI Score

2024-03-25 10:42 PM
11
wallarmlab

Top 4 Industries at Risk of Credential Stuffing and Account Takeover (ATO) attacks

All industries are at risk of credential stuffing and account takeover (ATO) attacks. However, some industries are at a greater risk because of the sensitive information or volume of customer data they possess. While cyber-attacks come in all forms and techniques, credential stuffing involves an...

6.9 AI Score

2024-03-25 06:44 PM
13
qualysblog

Combine Qualys TruRisk™ and MITRE ATT&CK to Adopt Threat-Informed Defense to Reduce Risk

There are so many vulnerabilities disclosed daily that no one can patch all of them. Unfortunately, attackers can exploit them while you are still in the process of reviewing, prioritizing, and patching. Effective risk-based prioritization focuses your limited resources and remediation efforts...

10 CVSS

10 AI Score

0.973 EPSS

2024-03-25 03:44 PM
28
malwarebytes

3 important lessons from a devastating ransomware attack

In October 2023, The British Library was attacked by the Rhysida ransomware gang in a devastating cyberattack. The library, a vast repository of over 170 million items, is still deep in the recovery process, but recently released an eighteen page cyber incident review describing the attack, its...

7.2 AI Score

2024-03-25 02:59 PM
10
wpvulndb

Smart Forms < 2.6.94 - Subscriber+ Edit Entries via Broken Access Control

Description: The plugin does not have proper authorization in some actions, which could allow users with a role as low as a subscriber to call them and perform unauthorized actions. PoC: While logged as a subscriber, paste the following in your browser's console: fetch('/wp-admin/admin-ajax.php', {...

6.4 AI Score

0.0004 EPSS

2024-03-25 12:00 AM
3
Total number of security vulnerabilities: 28257