The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the gallery_add function. This makes it possible for unauthenticated attackers to...
8.8CVSS
8.9AI Score
0.0004EPSS
The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the gallery_add function. This makes it possible for unauthenticated attackers to...
8.8CVSS
8.4AI Score
0.0004EPSS
The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the gallery_add function. This makes it possible for unauthenticated attackers to...
8.8CVSS
8.5AI Score
0.0004EPSS
The SendPress Newsletters WordPress plugin through 1.23.11.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
5.4AI Score
0.0004EPSS
The SendPress Newsletters WordPress plugin through 1.23.11.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
5.4AI Score
0.0004EPSS
The SendPress Newsletters WordPress plugin through 1.23.11.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
5.6AI Score
0.0004EPSS
The SendPress Newsletters WordPress plugin through 1.23.11.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
5.6AI Score
0.0004EPSS
CVE-2024-1588 SendPress Newsletters <= 1.23.11.6 - Admin+ Stored XSS via Settings
The SendPress Newsletters WordPress plugin through 1.23.11.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
5.5AI Score
0.0004EPSS
CVE-2024-1589 SendPress Newsletters <= 1.23.11.6 - Admin+ Stored XSS via Form Settings
The SendPress Newsletters WordPress plugin through 1.23.11.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
5.5AI Score
0.0004EPSS
GamiPress < 6.8.9 - Broken Access Control
Description The plugin's access control mechanism fails to properly restrict access to its settings, permitting Authors to manipulate requests and extend access to lower privileged users, like Subscribers, despite initial settings prohibiting such access. This vulnerability resembles broken access....
4.6AI Score
0.0004EPSS
GamiPress < 6.8.9 - Broken Access Control
Description The plugin's access control mechanism fails to properly restrict access to its settings, permitting Authors to manipulate requests and extend access to lower privileged users, like Subscribers, despite initial settings prohibiting such access. This vulnerability resembles broken access....
6.6AI Score
0.0004EPSS
I wrote a short document describing how I maintain open source projects, to link it from my global CODE_OF_CONDUCT, CONTRIBUTING, and SECURITY files. It talks about how I prefer issues to PRs, how I work in batches, and how I'm trigger-happy with bans. It's all about setting expectations. It got...
7.6AI Score
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a CSV import in all versions up to, and including, 5.7.14 due to insufficient input sanitization and output...
4.4CVSS
7.6AI Score
0.0004EPSS
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a CSV import in all versions up to, and including, 5.7.14 due to insufficient input sanitization and output...
4.4CVSS
4.3AI Score
0.0004EPSS
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a CSV import in all versions up to, and including, 5.7.14 due to insufficient input sanitization and output...
4.4CVSS
5.8AI Score
0.0004EPSS
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a CSV import in all versions up to, and including, 5.7.14 due to insufficient input sanitization and output...
4.4CVSS
4.5AI Score
0.0004EPSS
$657 Bounty Awarded for Arbitrary File Upload Patched in WEmanage App Worker WordPress Plugin
On February 1st, 2024, during our Bug Bounty Extravaganza, we received a submission for an Arbitrary File Upload vulnerability in Management App for WooCommerce, a WordPress plugin with 1,000+ active installations. This vulnerability makes it possible for authenticated users such as subscribers...
8.8CVSS
9.2AI Score
0.0004EPSS
redhat-support-lib-python and redhat-support-tool bug fix and enhancement update
An update is available for redhat-support-tool, redhat-support-lib-python. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list The redhat-support-tool utility...
7.2AI Score
Icegram Express < 5.7.16 - Authenticated (Administrator+) Cross-Site Scripting via CSV import
Description The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a CSV import in all versions up to, and including, 5.7.14 due to insufficient input sanitization and...
4.4CVSS
5.7AI Score
0.0004EPSS
Wordfence Intelligence Weekly WordPress Vulnerability Report (March 25, 2024 to March 31, 2024)
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 405 vulnerabilities disclosed in 320...
10CVSS
9.7AI Score
EPSS
Mispadu Trojan Targets Europe, Thousands of Credentials Compromised
The banking trojan known as Mispadu has expanded its focus beyond Latin America (LATAM) and Spanish-speaking individuals to target users in Italy, Poland, and Sweden. Targets of the ongoing campaign include entities spanning finance, services, motor vehicle manufacturing, law firms, and commercial....
8.8CVSS
9.5AI Score
0.005EPSS
Attacks, Vulnerabilities and Actors 25 to 31 March 2024
For a detailed threat digest, download the pdf file here Summary HiveForce Labs recently made several significant discoveries in the realm of cybersecurity threats. In the past week alone, a total of twelve attacks were executed, ten vulnerabilities were uncovered, and two active adversaries were.....
8.1AI Score
0.0004EPSS
Better Comments < 1.5.6 - Subscriber+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow low privilege users such as Subscribers to perform Stored Cross-Site Scripting attacks. PoC 1. From the menu on the left, go into "Users" and edit Subscriber user. 2. Upload a new avatar image and click...
5.4CVSS
5.6AI Score
0.0004EPSS
Better Comments < 1.5.6 - Subscriber+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow low privilege users such as Subscribers to perform Stored Cross-Site Scripting...
5.4CVSS
5.8AI Score
0.0004EPSS
Through a 2010 FOIA request (yes, it took that long), we have copies of the NSA's KRYPTOS Society Newsletter, "Tales of the Krypt," from 1994 to 2003. There are many interesting things in the 800 pages of newsletter. There are many redactions. And a 1994 review of Applied Cryptography by...
7.3AI Score
Description The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the gallery_add function. This makes it possible for unauthenticated...
8.8CVSS
6.3AI Score
0.0004EPSS
Email Subscribers & Newsletters < 5.7.12 - Reflected Cross-Site Scripting via campaign_id
Description The Email Subscribers & Newsletters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘campaign_id' parameter in versions up to, and including, 5.7.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...
7.1CVSS
6.3AI Score
0.0004EPSS
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Icegram Email Subscribers & Newsletters allows Reflected XSS.This issue affects Email Subscribers & Newsletters: from n/a through...
7.1CVSS
9.3AI Score
0.0004EPSS
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Icegram Email Subscribers & Newsletters allows Reflected XSS.This issue affects Email Subscribers & Newsletters: from n/a through...
7.1CVSS
6.9AI Score
0.0004EPSS
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Icegram Email Subscribers & Newsletters allows Reflected XSS.This issue affects Email Subscribers & Newsletters: from n/a through...
7.1CVSS
7.1AI Score
0.0004EPSS
Attacks, Vulnerabilities and Actors 18 to 24 March 2024
For a detailed threat digest, download the pdf file here Summary HiveForce Labs recently made several significant discoveries in the realm of cybersecurity threats. In the past week alone, a total of fifteen attacks were executed, eight vulnerabilities were uncovered, and five active adversaries...
9.8CVSS
7.6AI Score
0.972EPSS
WholesaleX < 1.3.2 - Sensitive Information Exposure via export_users
Description The WholesaleX – WooCommerce Wholesale Plugin (Wholesale Prices, Dynamic Pricing, Tiered Pricing) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.1 via the 'export_users'. This makes it possible for authenticated attackers,....
6.5CVSS
6.6AI Score
0.0004EPSS
YouTube ordered to reveal the identities of video viewers
Federal US authorities have asked Google for the names, addresses, telephone numbers, and user activity of accounts that watched certain YouTube videos, according to unsealed court documents Forbes has seen. Of those users that weren’t logged in when they watched those videos between January 1...
6.9AI Score
Cross-Site Request Forgery (CSRF) vulnerability in EnvialoSimple EnvíaloSimple.This issue affects EnvíaloSimple: from n/a through...
6.5CVSS
6.5AI Score
0.0004EPSS
Cross-Site Request Forgery (CSRF) vulnerability in EnvialoSimple EnvíaloSimple.This issue affects EnvíaloSimple: from n/a through...
6.5CVSS
6.5AI Score
0.0004EPSS
Cross-Site Request Forgery (CSRF) vulnerability in EnvialoSimple EnvíaloSimple.This issue affects EnvíaloSimple: from n/a through...
6.5CVSS
6.7AI Score
0.0004EPSS
Attacks, Vulnerabilities and Actors 11 to 17 March 2024
For a detailed threat digest, download the pdf file here Summary HiveForce Labs recently made several significant discoveries in the realm of cybersecurity threats. In the past week alone, HiveForce Labs discovered eight executed attacks, uncovered ten vulnerabilities, and identified two active...
7.4AI Score
New Phishing Attack Uses Clever Microsoft Office Trick to Deploy NetSupport RAT
A new phishing campaign is targeting U.S. organizations with the intent to deploy a remote access trojan called NetSupport RAT. Israeli cybersecurity company Perception Point is tracking the activity under the moniker Operation PhantomBlu. "The PhantomBlu operation introduces a nuanced...
7.2AI Score
SendPress Newsletters <= 1.23.11.6 - Admin+ Stored XSS via Settings
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
5.7AI Score
0.0004EPSS
SendPress Newsletters <= 1.23.11.6 - Admin+ Stored XSS via Settings
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) PoC 1. Click SendPress in the Admin.....
5.5AI Score
0.0004EPSS
SendPress Newsletters <= 1.23.11.6 - Admin+ Stored XSS via Form Settings
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) PoC 1. Click SendPress (which is...
5.4AI Score
0.0004EPSS
SendPress Newsletters <= 1.23.11.6 - Admin+ Stored XSS via Form Settings
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
5.7AI Score
0.0004EPSS
Amazon Linux 2 : edk2 (ALAS-2024-2502)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2502 advisory. The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which...
9.8CVSS
8.8AI Score
0.106EPSS
🎉 Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! On February 26th, 2024, during our second Bug Bounty...
7.3AI Score
0.0004EPSS
Not everything has to be a massive, global cyber attack
Some of my Webex rooms recently have been blowing up with memes about blaming Canada or wild speculation that a state-sponsored actor is carrying out some sort of major campaign. After a widespread outage of cellular service with AT&T and other carriers a few weeks ago, people were sure it was...
6.8AI Score
0.0004EPSS
Issue Overview: A null pointer dereference flaw was found in openssl. A remote attacker, able to control the arguments of the GENERAL_NAME_cmp function, could cause the application, compiled with openssl to crash resulting in a denial of service. The highest threat from this vulnerability is to...
9.8CVSS
8.4AI Score
0.106EPSS
The Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘parent_url’ parameter in all versions up to, and including, 1.12.5 due to insufficient input sanitization and...
7.2CVSS
6.3AI Score
0.0004EPSS
The Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘parent_url’ parameter in all versions up to, and including, 1.12.5 due to insufficient input sanitization and...
7.2CVSS
6.3AI Score
0.0004EPSS
The Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘parent_url’ parameter in all versions up to, and including, 1.12.5 due to insufficient input sanitization and...
7.2CVSS
6.2AI Score
0.0004EPSS
The Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘parent_url’ parameter in all versions up to, and including, 1.12.5 due to insufficient input sanitization and...
7.2CVSS
6.3AI Score
0.0004EPSS