More_eggs Malware Disguised as Resumes Targets Recruiters in Phishing Attack
Cybersecurity researchers have spotted a phishing attack distributing the More_eggs malware by masquerading it as a resume, a technique originally detected more than two years ago. The attack, which was unsuccessful, targeted an unnamed company in the industrial services industry in May 2024,...
7.5AI Score
A European Summer of Sports is Upon Us – What Does it Mean for Security?
The recent Champions League final in London (congratulations, Real Madrid!) marked the opening shot to a hot European summer of major sporting events. We now approach the highly anticipated UEFA EURO 2024 football tournament in Germany and the Olympic Games in Paris 2024. And as we do, bad actors.....
7AI Score
Cybersecurity CPEs: Unraveling the What, Why & How
Staying Sharp: Cybersecurity CPEs Explained Perhaps even more so than in other professional domains, cybersecurity professionals constantly face new threats. To ensure you stay on top of your game, many certification programs require earning Continuing Professional Education (CPE) credits. CPEs...
7.2AI Score
Azure Service Tags Vulnerability: Microsoft Warns of Potential Abuse by Hackers
Microsoft is warning about the potential abuse of Azure Service Tags by malicious actors to forge requests from a trusted service and get around firewall rules, thereby allowing them to gain unauthorized access to cloud resources. "This case does highlight an inherent risk in using service tags as....
7.9AI Score
Bypassing 2FA with phishing and OTP bots
Introduction Two-factor authentication (2FA) is a security feature we have come to expect as standard by 2024. Most of today's websites offer some form of it, and some of them won't even let you use their service until you enable 2FA. Individual countries have adopted laws that require certain...
7.2AI Score
Improper Enforcement Of Behavioral Workflow
aimeos/ai-client-html is vulnerable to Improper enforcement of behavioral workflow. The vulnerability is due to an issue where digital downloads sold in online shops can be accessed without valid payment, for instance, if the payment process fails. This could allow attackers to obtain digital...
6.9AI Score
Quiz And Survey Master < 9.0.2 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its Quiz fields before outputting them back in a page/post where the Quiz is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC 1. Go to to Quizzes & Surveys 2. Add/edit a....
5.2AI Score
EPSS
Description The WordPress Online Booking and Scheduling Plugin – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Color Profile parameter in all versions up to, and including, 23.2 due to insufficient input sanitization and output escaping. This makes it possible...
6.4CVSS
5.7AI Score
0.0004EPSS
Sourcecodester Online Medicine Ordering System 1.0 is vulnerable to Arbitrary file deletion vulnerability as the backend settings have the function of deleting pictures to delete any...
0.0005EPSS
Quiz And Survey Master < 9.0.2 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its Quiz fields before outputting them back in a page/post where the Quiz is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...
5.9AI Score
EPSS
Missing Authorization vulnerability in Academy LMS academy.This issue affects Academy LMS: from n/a through...
4.3CVSS
4.7AI Score
0.0004EPSS
Missing Authorization vulnerability in Academy LMS academy.This issue affects Academy LMS: from n/a through...
4.3CVSS
0.0004EPSS
CVE-2024-32714 WordPress Academy LMS plugin <= 1.9.16 - Broken Access Control vulnerability
Missing Authorization vulnerability in Academy LMS academy.This issue affects Academy LMS: from n/a through...
4.3CVSS
0.0004EPSS
CVE-2024-32714 WordPress Academy LMS plugin <= 1.9.16 - Broken Access Control vulnerability
Missing Authorization vulnerability in Academy LMS academy.This issue affects Academy LMS: from n/a through...
4.3CVSS
6.9AI Score
0.0004EPSS
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Sensei Sensei Pro (WC Paid Courses) allows Stored XSS.This issue affects Sensei Pro (WC Paid Courses): from n/a through...
6.5CVSS
6.5AI Score
0.0004EPSS
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Sensei Sensei Pro (WC Paid Courses) allows Stored XSS.This issue affects Sensei Pro (WC Paid Courses): from n/a through...
6.5CVSS
0.0004EPSS
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Sensei Sensei Pro (WC Paid Courses) allows Stored XSS.This issue affects Sensei Pro (WC Paid Courses): from n/a through...
6.5CVSS
6.8AI Score
0.0004EPSS
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Sensei Sensei Pro (WC Paid Courses) allows Stored XSS.This issue affects Sensei Pro (WC Paid Courses): from n/a through...
6.5CVSS
0.0004EPSS
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 91929399-249e-11ef-9296-b42e991fc52e advisory. [email protected] reports: Kanboard is project management software that focuses on the...
8.2CVSS
6.8AI Score
0.0004EPSS
TYPO3 Denial of Service in Online Media Asset Handling
Online Media Asset Handling (.youtube and .vimeo files) in the TYPO3 backend is vulnerable to denial of service. Putting large files with according file extensions results in high consumption of system resources. This can lead to exceeding limits of the current PHP process which results in a...
7AI Score
TYPO3 Denial of Service in Online Media Asset Handling
Online Media Asset Handling (.youtube and .vimeo files) in the TYPO3 backend is vulnerable to denial of service. Putting large files with according file extensions results in high consumption of system resources. This can lead to exceeding limits of the current PHP process which results in a...
7AI Score
TYPO3 Cross-Site Scripting in Online Media Asset Rendering
Failing to properly encode user input, online media asset rendering (*.youtube and *.vimeo files) is vulnerable to cross-site scripting. A valid backend user account or write access on the server system (e.g. SFTP) is needed in order to exploit this...
6.7AI Score
TYPO3 Cross-Site Scripting in Online Media Asset Rendering
Failing to properly encode user input, online media asset rendering (*.youtube and *.vimeo files) is vulnerable to cross-site scripting. A valid backend user account or write access on the server system (e.g. SFTP) is needed in order to exploit this...
6.7AI Score
A vulnerability was found in itsourcecode Bakery Online Ordering System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/modules/product/controller.php?action=add. The manipulation of the argument image leads to unrestricted upload. It is possible to...
7.3CVSS
7.3AI Score
0.0004EPSS
A vulnerability was found in itsourcecode Bakery Online Ordering System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/modules/product/controller.php?action=add. The manipulation of the argument image leads to unrestricted upload. It is possible to...
7.3CVSS
0.0004EPSS
CVE-2024-5745 itsourcecode Bakery Online Ordering System unrestricted upload
A vulnerability was found in itsourcecode Bakery Online Ordering System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/modules/product/controller.php?action=add. The manipulation of the argument image leads to unrestricted upload. It is possible to...
7.3CVSS
0.0004EPSS
CVE-2024-5745 itsourcecode Bakery Online Ordering System unrestricted upload
A vulnerability was found in itsourcecode Bakery Online Ordering System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/modules/product/controller.php?action=add. The manipulation of the argument image leads to unrestricted upload. It is possible to...
7.3CVSS
6.9AI Score
0.0004EPSS
Google will start deleting location history
Google announced that it will reduce the amount of personal data it is storing by automatically deleting old data from "Timeline"—the feature that, previously named "Location History," tracks user routes and trips based on a phone’s location, allowing people to revisit all the places they've been.....
6.7AI Score
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.7.1 via the 'attempt_delete' function due to missing validation on a user controlled key. This makes it possible for authenticated...
4.3CVSS
0.001EPSS
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.7.1 via the 'attempt_delete' function due to missing validation on a user controlled key. This makes it possible for authenticated...
4.3CVSS
4.4AI Score
0.001EPSS
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.7.1 via the 'attempt_delete' function due to missing validation on a user controlled key. This makes it possible for authenticated...
4.3CVSS
0.001EPSS
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.7.1 via the 'attempt_delete' function due to missing validation on a user controlled key. This makes it possible for authenticated...
4.3CVSS
6.7AI Score
0.001EPSS
A vulnerability classified as critical has been found in itsourcecode Online Discussion Forum 1.0. Affected is an unknown function of the file /members/poster.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has...
8.8CVSS
0.002EPSS
A vulnerability was found in itsourcecode Online Discussion Forum 1.0. It has been rated as critical. This issue affects some unknown processing of the file register_me.php. The manipulation of the argument eaddress leads to sql injection. The attack may be initiated remotely. The exploit has been....
9.8CVSS
7.5AI Score
0.001EPSS
A vulnerability was found in itsourcecode Online Discussion Forum 1.0. It has been rated as critical. This issue affects some unknown processing of the file register_me.php. The manipulation of the argument eaddress leads to sql injection. The attack may be initiated remotely. The exploit has been....
9.8CVSS
0.001EPSS
A vulnerability classified as critical has been found in itsourcecode Online Discussion Forum 1.0. Affected is an unknown function of the file /members/poster.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has...
8.8CVSS
6.5AI Score
0.002EPSS
CVE-2024-5734 itsourcecode Online Discussion Forum poster.php unrestricted upload
A vulnerability classified as critical has been found in itsourcecode Online Discussion Forum 1.0. Affected is an unknown function of the file /members/poster.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has...
6.3CVSS
0.002EPSS
CVE-2024-5734 itsourcecode Online Discussion Forum poster.php unrestricted upload
A vulnerability classified as critical has been found in itsourcecode Online Discussion Forum 1.0. Affected is an unknown function of the file /members/poster.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has...
6.3CVSS
7AI Score
0.002EPSS
CVE-2024-5733 itsourcecode Online Discussion Forum register_me.php sql injection
A vulnerability was found in itsourcecode Online Discussion Forum 1.0. It has been rated as critical. This issue affects some unknown processing of the file register_me.php. The manipulation of the argument eaddress leads to sql injection. The attack may be initiated remotely. The exploit has been....
7.3CVSS
0.001EPSS
FBI Distributes 7,000 LockBit Ransomware Decryption Keys to Help Victims
The U.S. Federal Bureau of Investigation (FBI) has disclosed that it's in possession of more than 7,000 decryption keys associated with the LockBit ransomware operation to help victims get their data back at no cost. "We are reaching out to known LockBit victims and encouraging anyone who suspects....
7.7AI Score
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the ‘course_id’ parameter in all versions up to, and including, 2.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...
7.2CVSS
0.0004EPSS
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the ‘course_id’ parameter in all versions up to, and including, 2.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...
7.2CVSS
7.6AI Score
0.0004EPSS
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the ‘course_id’ parameter in all versions up to, and including, 2.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...
7.2CVSS
0.0004EPSS
online-reitschule.de Cross Site Scripting vulnerability OBB-3933444
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...
6.2AI Score
online-admissions.cust.edu.pk Cross Site Scripting vulnerability OBB-3933443
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...
6.2AI Score
Description The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.7.1 via the 'attempt_delete' function due to missing validation on a user controlled key. This makes it possible for...
4.3CVSS
6.6AI Score
0.001EPSS
7.4AI Score
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 27, 2024 to June 2, 2024)
_ Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? __Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the...
10CVSS
9.6AI Score
EPSS
Advance Auto Parts customer data posted for sale
A cybercriminal using the handle Sp1d3r is offering to sell 3 TB of data taken from Advance Auto Parts, Inc. Advance Auto Parts is a US automotive aftermarket parts provider that serves both professional installers and do it yourself customers. Allegedly the customer data includes: Names Email...
7.4AI Score
Thief Raccoon - Login Phishing Tool
Thief Raccoon is a tool designed for educational purposes to demonstrate how phishing attacks can be conducted on various operating systems. This tool is intended to raise awareness about cybersecurity threats and help users understand the importance of security measures like 2FA and password...
7.3AI Score