CVE-2023-2843 MultiParcels Shipping For WooCommerce < 1.14.15 - Subscribers+ SQLi
The MultiParcels Shipping For WooCommerce WordPress plugin before 1.14.15 does not properly sanitize and escape a parameter before using it in an SQL statement, which could allow any authenticated users, such as subscribers, to perform SQL Injection...
9.2 AI Score
0.001 EPSS
Subscribers Text Counter < 1.7.1 - Settings Update via CSRF to Stored XSS
Description The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack, which also leads to Stored Cross-Site Scripting due to the lack of sanitisation and escaping. PoC Create an HTML file with the...
4.3 CVSS
4.4 AI Score
0.0005 EPSS
Subscribers Text Counter < 1.7.1 - Settings Update via CSRF to Stored XSS
Description The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack, which also leads to Stored Cross-Site Scripting due to the lack of sanitisation and...
4.3 CVSS
4.5 AI Score
0.0005 EPSS
Film companies lose battle to unmask Reddit users
An interesting case marking the limits of what data big business can expect to dig up has concluded its day (or to be more accurate, many days) in court. Ars Technica reports that film companies have lost their battle to make social site Reddit identify anonymous users discussing piracy. No fewer...
6.8 AI Score
Several plugins for WordPress by Inisev are vulnerable to unauthorized installation of plugins due to a missing capability check on the handle_installation function that is called via the inisev_installation AJAX action in various versions. This makes it possible for authenticated attackers with...
6.5 CVSS
4.8 AI Score
EPSS
Several plugins for WordPress by Inisev are vulnerable to unauthorized installation of plugins due to a missing capability check on the handle_installation function that is called via the inisev_installation AJAX action in various versions. This makes it possible for authenticated attackers with...
6.5 CVSS
6.4 AI Score
EPSS
Several plugins for WordPress by Inisev are vulnerable to unauthorized installation of plugins due to a missing capability check on the handle_installation function that is called via the inisev_installation AJAX action in various versions. This makes it possible for authenticated attackers with...
6.5 CVSS
6.4 AI Score
EPSS
Several plugins for WordPress by Inisev are vulnerable to unauthorized installation of plugins due to a missing capability check on the handle_installation function that is called via the inisev_installation AJAX action in various versions. This makes it possible for authenticated attackers with...
4.3 CVSS
6.4 AI Score
EPSS
User Activity Log < 1.6.5 - Unauthenticated SQLi
Description The plugin does not correctly sanitise and escape several parameters before using them in a SQL statement as part of its export feature, allowing unauthenticated attackers to conduct SQL injection attacks. Version 1.6.4 mitigates the issue for unauthenticated users but it is still...
9.8 CVSS
10 AI Score
0.001 EPSS
User Activity Log < 1.6.5 - Unauthenticated SQLi
Description The plugin does not correctly sanitise and escape several parameters before using them in a SQL statement as part of its export feature, allowing unauthenticated attackers to conduct SQL injection attacks. Version 1.6.4 mitigates the issue for unauthenticated users but it is still...
9.8 CVSS
10 AI Score
0.001 EPSS
Microsoft Expands Cloud Logging to Counter Rising Nation-State Cyber Threats
Microsoft on Wednesday announced that it's expanding cloud logging capabilities to help organizations investigate cybersecurity incidents and gain more visibility after facing criticism in the wake of a recent espionage attack campaign aimed at its email infrastructure. The tech giant said it's...
6.8 AI Score
Juniper Junos OS Multiple Vulnerabilities (JSA70186)
The version of Junos OS installed on the remote host is affected by multiple vulnerabilities as referenced in the JSA70186 advisory. The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this...
7.5 CVSS
7 AI Score
0.013 EPSS
Juniper Junos OS Vulnerability (JSA10892)
The version of Junos OS installed on the remote host is affected by a vulnerability as referenced in the JSA10892 advisory. On MX Series and M120/M320 platforms configured in a Broadband Edge (BBE) environment, subscribers logging in with DHCP Option 50 to request a specific IP address will...
9.6 CVSS
6.3 AI Score
0.001 EPSS
MultiParcels Shipping For WooCommerce < 1.14.15 - Subscriber+ SQLi
Description The plugin does not properly sanitize and escape a parameter before using it in an SQL statement, which could allow any authenticated users, such as subscribers, to perform SQL Injection attacks. Note (WPScan): The issue was fixed in 1.14.13; however, a better patch was done in 1.14.15...
8.8 CVSS
9 AI Score
0.001 EPSS
MultiParcels Shipping For WooCommerce < 1.14.15 - Subscriber+ SQLi
Description The plugin does not properly sanitize and escape a parameter before using it in an SQL statement, which could allow any authenticated users, such as subscribers, to perform SQL Injection attacks. Note (WPScan): The issue was fixed in 1.14.13; however, a better patch was done in 1.14.15...
8.8 CVSS
8.9 AI Score
0.001 EPSS
X (Formerly Twitter): Twitter Subscriptions Information Disclosure
Summary: Hi team, I was scrolling on Twitter connected from a US location, and a Tweet appeared on my timeline; I couldn't see the tweet because it is only visible to subscribers. However, I was able to extract the images from that tweet even though I'm not a subscriber. Description: A subscriber...
6.7 AI Score
The "Buy Me a Coffee – Button and Widget Plugin" plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the recieve_post, bmc_disconnect, name_post, and widget_post functions in versions up to, and including, 3.7. This makes it possible for...
7.3 CVSS
5.2 AI Score
0.001 EPSS
The "Buy Me a Coffee – Button and Widget Plugin" plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the recieve_post, bmc_disconnect, name_post, and widget_post functions in versions up to, and including, 3.7. This makes it possible for...
4.3 CVSS
6.8 AI Score
0.001 EPSS
The "Buy Me a Coffee – Button and Widget Plugin" plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the recieve_post, bmc_disconnect, name_post, and widget_post functions in versions up to, and including, 3.7. This makes it possible for...
4.3 CVSS
5.2 AI Score
0.001 EPSS
The "Buy Me a Coffee – Button and Widget Plugin" plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the recieve_post, bmc_disconnect, name_post, and widget_post functions in versions up to, and including, 3.7. This makes it possible for...
7.3 CVSS
7 AI Score
0.001 EPSS
Improve Your Security WordPress Spam Protection With CleanTalk Anti-Spam
Every website owner or webmaster grapples with the issue of spam on their website forms. The volume of spam can be so overwhelming that finding useful information within it becomes quite challenging. What exacerbates this issue is that spam can populate your public pages, appearing in comments and...
6.6 AI Score
Wordfence Intelligence Weekly WordPress Vulnerability Report (June 26, 2023 to July 2, 2023)
Last week, there were 66 vulnerabilities disclosed in 56 WordPress plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 34 vulnerability researchers that contributed to WordPress security last week. Review those vulnerabilities in...
9.8 CVSS
7.6 AI Score
EPSS
Mexico-Based Hacker Targets Global Banks with Android Malware
An e-crime actor of Mexican provenance has been linked to an Android mobile malware campaign targeting financial institutions globally, but with a specific focus on Spanish and Chilean banks, from June 2021 to April 2023. The activity is being attributed to an actor codenamed Neo_Net, according to...
7 AI Score
Evasive Meduza Stealer Targets 19 Password Managers and 76 Crypto Wallets
In yet another sign of a lucrative crimeware-as-a-service (CaaS) ecosystem, cybersecurity researchers have discovered a new Windows-based information stealer called Meduza Stealer that's actively being developed by its author to evade detection by software solutions. "The Meduza Stealer has a...
9.8 CVSS
8.9 AI Score
0.135 EPSS
The Subscribe2 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 10.40. This is due to missing or incorrect nonce validation when sending test emails. This makes it possible for unauthenticated attackers to send test emails with custom content to...
4.3 CVSS
4.6 AI Score
0.001 EPSS
The Subscribe2 plugin for WordPress is vulnerable to unauthorized access to email functionality due to a missing capability check when sending test emails in versions up to, and including, 10.40. This makes it possible for author-level attackers to send emails with arbitrary content and...
4.3 CVSS
4.8 AI Score
0.001 EPSS
81% concerned about ChatGPT security and safety risks, Malwarebytes survey shows
Seven months after ChatGPT burst into our lives, it seems the lustre of the chatbot-that's-going-to-change-everything is starting to fade. A new survey by Malwarebytes exposes deep reservations about ChatGPT, with optimism in startlingly short supply. Of the respondents familiar with ChatGPT: 81%...
7.1 AI Score
Subscribe2 – Form, Email Subscribers & Newsletters < 10.41 - Missing Access Controls
The vulnerability allows any Author-level user to perform actions that only an administrator should be allowed to do (e.g., sending unsolicited e-mail to...
4.3 CVSS
6.8 AI Score
0.001 EPSS
Subscribe2 – Form, Email Subscribers & Newsletters < 10.41 - Sending Emails via CSRF
The plugin does not implement nonce checks, which could allow attackers to make a logged-in admin send test emails with arbitrary content to...
4.3 CVSS
6.8 AI Score
0.001 EPSS
Image Map Pro – Drag-and-drop Builder for Interactive Images – Lite < 1.0.0 - Subscriber+ Stored XSS
The plugin does not sanitize and escape reviews, which could allow any authenticated users, such as Subscribers, to perform Stored Cross-Site Scripting...
5.4 CVSS
5.8 AI Score
0.001 EPSS
Broken Access Control vulnerability in StylemixThemes MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin <= 3.0.8 versions allows any logged-in users, such as subscribers, to view the "Orders" of the plugin and get the data related to the order like email, username, and...
6.5 CVSS
6.6 AI Score
0.001 EPSS
Broken Access Control vulnerability in StylemixThemes MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin <= 3.0.8 versions allows any logged-in users, such as subscribers, to view the "Orders" of the plugin and get the data related to the order like email, username, and...
6.5 CVSS
6.4 AI Score
0.001 EPSS
Broken Access Control vulnerability in StylemixThemes MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin <= 3.0.8 versions allows any logged-in users, such as subscribers, to view the "Orders" of the plugin and get the data related to the order like email, username, and...
6.5 CVSS
6.4 AI Score
0.001 EPSS
CVE-2023-35093 WordPress MasterStudy LMS Plugin <= 3.0.8 is vulnerable to Broken Access Control
Broken Access Control vulnerability in StylemixThemes MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin <= 3.0.8 versions allows any logged-in users, such as subscribers, to view the "Orders" of the plugin and get the data related to the order like email, username, and...
6.5 CVSS
6.6 AI Score
0.001 EPSS
Gallery Metabox <= 1.5 - Subscriber+ Unauthorized Data Access
The plugin does not correctly implement capability checks on the refresh_metabox function, leading to unauthorized access of data. As a result, subscribers can obtain a list of images attached to a...
4.3 CVSS
6.7 AI Score
0.001 EPSS
New Report Exposes Operation Triangulation's Spyware Implant Targeting iOS Devices
More details have emerged about the spyware implant that's delivered to iOS devices as part of a campaign called Operation Triangulation. Kaspersky, which discovered the operation after becoming one of the targets at the start of the year, said the malware has a lifespan of 30 days, after which it...
6.8 AI Score
Slimstat Analytics < 4.9.3.3 Subscriber - SQL Injection
The Slimstat Analytics WordPress plugin before 4.9.3.3 does not prevent subscribers from rendering shortcodes that concatenate attributes directly into an SQL...
8.8 CVSS
8.9 AI Score
0.099 EPSS
Cadet Blizzard emerges as a novel and distinct Russian threat actor
As Russia’s invasion of Ukraine continues into its second year and Microsoft continues to collaborate with global partners in response, the exposure of destructive cyber capabilities and information operations provide greater clarity into the tools and techniques used by Russian state-sponsored...
10 CVSS
8.1 AI Score
0.974 EPSS
Cadet Blizzard emerges as a novel and distinct Russian threat actor
As Russia’s invasion of Ukraine continues into its second year and Microsoft continues to collaborate with global partners in response, the exposure of destructive cyber capabilities and information operations provide greater clarity into the tools and techniques used by Russian state-sponsored...
10 CVSS
8.1 AI Score
0.974 EPSS
Fedora: Security Advisory for sympa (FEDORA-2023-271b912b2b)
The remote host is missing an update for...
6.1 CVSS
6.3 AI Score
EPSS
Fedora: Security Advisory for sympa (FEDORA-2023-419ca55dd3)
The remote host is missing an update for...
6.1 CVSS
6.3 AI Score
EPSS
[SECURITY] Fedora 38 Update: sympa-6.2.72-2.fc38
Sympa is a scalable and highly customizable mailing list manager. It can cope with big lists (200,000 subscribers) and comes with a complete (user and admin) Web interface. It is internationalized, and supports the us, fr, de, es, it, fi, and Chinese locales. A scripting language allows you to...
6.1 CVSS
6.9 AI Score
EPSS
[SECURITY] Fedora 37 Update: sympa-6.2.72-2.fc37
Sympa is a scalable and highly customizable mailing list manager. It can cope with big lists (200,000 subscribers) and comes with a complete (user and admin) Web interface. It is internationalized, and supports the us, fr, de, es, it, fi, and Chinese locales. A scripting language allows you to...
6.1 CVSS
6.9 AI Score
EPSS
The FluentCRM - Marketing Automation For WordPress plugin for WordPress is vulnerable to unauthorized modification of data in versions up to, and including, 2.7.40 due to the use of an MD5 hash without a salt to control subscriptions. This makes it possible for unauthenticated attackers to...
5.3 CVSS
4.3 AI Score
0.001 EPSS
The FluentCRM - Marketing Automation For WordPress plugin for WordPress is vulnerable to unauthorized modification of data in versions up to, and including, 2.7.40 due to the use of an MD5 hash without a salt to control subscriptions. This makes it possible for unauthenticated attackers to...
3.7 CVSS
5.3 AI Score
0.001 EPSS
The FluentCRM - Marketing Automation For WordPress plugin for WordPress is vulnerable to unauthorized modification of data in versions up to, and including, 2.7.40 due to the use of an MD5 hash without a salt to control subscriptions. This makes it possible for unauthenticated attackers to...
3.7 CVSS
4.2 AI Score
0.001 EPSS
The FluentCRM - Marketing Automation For WordPress plugin for WordPress is vulnerable to unauthorized modification of data in versions up to, and including, 2.7.40 due to the use of an MD5 hash without a salt to control subscriptions. This makes it possible for unauthenticated attackers to...
5.3 CVSS
5.5 AI Score
0.001 EPSS
Exploit for Cross-Site Request Forgery (CSRF) in Icegram Email Subscribers & Newsletters
CVE-2022-0439 - Email Subscribers &...
8.8 CVSS
9.1 AI Score
0.001 EPSS
Ultimate Addons for Contact Form 7 3.1.23 - Subscriber+ SQLi
The plugin does not properly sanitise and escape the id parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as...
6.5 CVSS
7.8 AI Score
0.002 EPSS