The PHP to Page plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in versions up to, and including, 0.3 via the 'php-to-page' shortcode. This allows authenticated attackers with subscriber-level permissions or above to include local files and potentially execute code....
8.8 CVSS
9.8 AI Score
0.001 EPSS
The Giveaways and Contests by RafflePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rafflepress' and 'rafflepress_gutenberg' shortcodes in versions up to, and including, 1.12.0 due to insufficient input sanitization and output escaping on 'giframe' user supplied...
6.4 CVSS
5.2 AI Score
0.001 EPSS
The PHP to Page plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in versions up to, and including, 0.3 via the 'php-to-page' shortcode. This allows authenticated attackers with subscriber-level permissions or above to include local files and potentially execute code....
9.9 CVSS
9.4 AI Score
0.001 EPSS
The PHP to Page plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in versions up to, and including, 0.3 via the 'php-to-page' shortcode. This allows authenticated attackers with subscriber-level permissions or above to include local files and potentially execute code....
8.8 CVSS
9.1 AI Score
0.001 EPSS
The PHP to Page plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in versions up to, and including, 0.3 via the 'php-to-page' shortcode. This allows authenticated attackers with subscriber-level permissions or above to include local files and potentially execute code....
9.9 CVSS
10 AI Score
0.001 EPSS
Deeper Comments <= 2.1.1 - Subscriber+ Arbitrary Options Update
Description: The plugin does not have authorisation in its update_options AJAX action, allowing any authenticated users, such as subscribers, to update arbitrary blog options (like default_role...
7 AI Score
Ubuntu 22.04 LTS : Node.js vulnerabilities (USN-6457-1)
The remote Ubuntu 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6457-1 advisory. The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally...
9.8 CVSS
10 AI Score
0.106 EPSS
6.6 AI Score
0.002 EPSS
9.8 CVSS
7.1 AI Score
0.002 EPSS
Several Critical Vulnerabilities Patched in AI ChatBot Plugin for WordPress
On September 28, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for multiple vulnerabilities in AI ChatBot, a WordPress plugin with over 4,000 active installations. After making our initial contact attempt on September 28th, 2023, we received a response...
9.8 CVSS
8.7 AI Score
0.002 EPSS
Attacks on web applications spike in third quarter, new Talos IR data shows
Quarterly threat report: Telecommunications and education are most-targeted verticals. There was a notable increase in threats to web applications, accounting for 30 percent of the engagements Cisco Talos Incident Response (Talos IR) responded to in the third quarter of 2023, compared to 8 percent...
8.6 AI Score
Attacks, Vulnerabilities and Actors 16 October to 22 October 2023
For a detailed threat digest, download the PDF file here. Summary: HiveForce Labs recently made several significant discoveries related to cybersecurity threats. Over the past week, a total of twenty-three attacks were executed, ten vulnerabilities were discovered, and five active adversaries were...
7.1 AI Score
9.1 CVSS
7 AI Score
0.001 EPSS
8.8 CVSS
7 AI Score
0.001 EPSS
The Social Media Share Buttons & Social Sharing Icons plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.8.5 via the sfsi_save_export function. This can allow subscribers to export plugin settings that include social media authentication tokens....
6.5 CVSS
6.5 AI Score
0.0005 EPSS
The Social Media Share Buttons & Social Sharing Icons plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.8.5 via the sfsi_save_export function. This can allow subscribers to export plugin settings that include social media authentication tokens....
6.5 CVSS
7 AI Score
0.0005 EPSS
The Social Media Share Buttons & Social Sharing Icons plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.8.5 via the sfsi_save_export function. This can allow subscribers to export plugin settings that include social media authentication tokens....
6.5 CVSS
6.7 AI Score
0.0005 EPSS
The Social Media Share Buttons & Social Sharing Icons plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.8.5 via the sfsi_save_export function. This can allow subscribers to export plugin settings that include social media authentication tokens....
6.5 CVSS
7 AI Score
0.0005 EPSS
The Icegram Express plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 5.6.23 via the show_es_logs function. This allows administrator-level attackers to read the contents of arbitrary files on the server, which can contain sensitive information including...
9.1 CVSS
6.8 AI Score
0.001 EPSS
The Icegram Express plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 5.6.23 via the show_es_logs function. This allows administrator-level attackers to read the contents of arbitrary files on the server, which can contain sensitive information including...
7.2 CVSS
9 AI Score
0.001 EPSS
The Icegram Express plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 5.6.23 via the show_es_logs function. This allows administrator-level attackers to read the contents of arbitrary files on the server, which can contain sensitive information including...
7.2 CVSS
6.8 AI Score
0.001 EPSS
The Icegram Express plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 5.6.23 via the show_es_logs function. This allows administrator-level attackers to read the contents of arbitrary files on the server, which can contain sensitive information including...
9.1 CVSS
9.1 AI Score
0.001 EPSS
Wordfence Intelligence Weekly WordPress Vulnerability Report (October 9, 2023 to October 15, 2023)
Last week, there were 103 vulnerabilities disclosed in 85 WordPress Plugins and no WordPress themes, with 7 of those being in WordPress Core, that have been added to the Wordfence Intelligence Vulnerability Database, and there were 46 Vulnerability Researchers that contributed to WordPress...
9.8 CVSS
8.5 AI Score
EPSS
Attacks, Vulnerabilities and Actors 9 October to 15 October 2023
For a detailed threat digest, download the PDF file here. Summary: HiveForce Labs has recently made several significant discoveries related to cybersecurity threats. Over the past week, we identified a total of twenty executed attacks, two instances of adversary activity, and fourteen...
7.5 CVSS
7.6 AI Score
0.732 EPSS
CVE-2023-5070 Social Media Share Buttons & Social Sharing...
6.5 CVSS
6.9 AI Score
0.0005 EPSS
Attacks, Vulnerabilities and Actors 2 October to 8 October 2023
For a detailed threat digest, download the PDF file here. Summary: HiveForce Labs has recently made several significant discoveries related to cybersecurity threats. Over the past week, we identified a total of seven executed attacks, zero instances of adversary activity, and eight zero-day...
9.8 CVSS
6.9 AI Score
0.973 EPSS
7.1 AI Score
WordPress 6.3.2 Security Release – What You Need to Know
WordPress Core 6.3.2 was released today, on October 12, 2023. It includes a number of security fixes and additional hardening against commonly exploited vulnerabilities. While all of the vulnerabilities are of Medium severity, several of them are impactful enough to potentially allow site...
8.1 AI Score
Cross-Site Request Forgery (CSRF) vulnerability in SendPress Newsletters plugin <= 1.22.3.31...
8.8 CVSS
8.8 AI Score
0.001 EPSS
Cross-Site Request Forgery (CSRF) vulnerability in SendPress Newsletters plugin <= 1.22.3.31...
8.8 CVSS
5.8 AI Score
0.001 EPSS
Cross-Site Request Forgery (CSRF) vulnerability in SendPress Newsletters plugin <= 1.22.3.31...
8.8 CVSS
7.3 AI Score
0.001 EPSS
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) vulnerability in SendPress Newsletters plugin <= 1.22.3.31...
8.8 CVSS
8.8 AI Score
0.001 EPSS
Cross-Site Request Forgery (CSRF) vulnerability in SendPress Newsletters plugin <= 1.22.3.31...
4.3 CVSS
9.1 AI Score
0.001 EPSS
SendPress Newsletters <= 1.23.11.6 - CSRF
Description: The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF...
8.8 CVSS
6.5 AI Score
0.001 EPSS
Campaign Monitor Forms < 2.5.6 - Subscriber+ Arbitrary Options Update
Description: The plugin does not prevent users with low privileges (like subscribers) from overwriting any options on a site with the string "true", which could lead to a variety of outcomes, including...
8.1 CVSS
7.1 AI Score
0.0005 EPSS
Campaign Monitor Forms < 2.5.6 - Subscriber+ Arbitrary Options Update
Description: The plugin does not prevent users with low privileges (like subscribers) from overwriting any options on a site with the string "true", which could lead to a variety of outcomes, including DoS. PoC: Once the site gets at least 25 conversions using the plugin, a notice will show up on...
8.1 CVSS
7 AI Score
0.0005 EPSS
Subscriber by BestWebSoft < 1.3.5 - Cross-Site Scripting
The Subscriber plugin before 1.3.5 for WordPress has multiple XSS...
6.1 CVSS
6.1 AI Score
0.002 EPSS
Newsletter Lite < 4.9.3 - Admin+ Command Injection
Description: The plugin does not properly escape user-controlled parameters when they are appended to SQL queries and shell commands, which could enable an administrator to run arbitrary commands on the...
7.2 CVSS
7.5 AI Score
0.0005 EPSS
Newsletter Lite < 4.9.3 - Admin+ Command Injection
Description: The plugin does not properly escape user-controlled parameters when they are appended to SQL queries and shell commands, which could enable an administrator to run arbitrary commands on the server. PoC: [1] Navigate to "Newsletters > Configuration > History & Emails Configuration"....
7.2 CVSS
7.3 AI Score
0.0005 EPSS
Attacks, Vulnerabilities and Actors 25 September to 1 October 2023
For a detailed threat digest, download the PDF file here. Summary: HiveForce Labs has recently made several significant discoveries related to cybersecurity threats. Over the past week, we identified a total of eight executed attacks, three instances of adversary activity, and four zero-day...
7 AI Score
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in SendPress Newsletters plugin <= 1.22.3.31...
5.9 CVSS
4.9 AI Score
0.0004 EPSS
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi Ramasamy Email posts to subscribers plugin <= 6.2...
4.8 CVSS
5.3 AI Score
0.0004 EPSS
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in SendPress Newsletters plugin <= 1.22.3.31...
5.9 CVSS
5.7 AI Score
0.0004 EPSS
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in SendPress Newsletters plugin <= 1.22.3.31...
4.8 CVSS
5.4 AI Score
0.0004 EPSS
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi Ramasamy Email posts to subscribers plugin <= 6.2...
5.9 CVSS
4.8 AI Score
0.0004 EPSS
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi Ramasamy Email posts to subscribers plugin <= 6.2...
4.8 CVSS
4.8 AI Score
0.0004 EPSS
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in SendPress Newsletters plugin <= 1.22.3.31...
4.8 CVSS
4.8 AI Score
0.0004 EPSS
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi Ramasamy Email posts to subscribers plugin <= 6.2...
5.9 CVSS
5.5 AI Score
0.0004 EPSS
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in SendPress Newsletters plugin <= 1.22.3.31...
5.9 CVSS
5.5 AI Score
0.0004 EPSS
Email posts to subscribers <= 6.2 - Admin+ Stored XSS
Description: The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...
4.8 CVSS
5.6 AI Score
0.0004 EPSS