How Attackers Can Own a Business Without Touching the Endpoint
Attackers are increasingly making use of "networkless" attack techniques targeting cloud apps and identities. Here's how attackers can (and are) compromising organizations – without ever needing to touch the endpoint or conventional networked systems and services. Before getting into the details...
7.5AI Score
Wordfence Intelligence Weekly WordPress Vulnerability Report (April 8, 2024 to April 14, 2024)
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 219 vulnerabilities disclosed in 209...
8.8AI Score
EPSS
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mat Bao Corp WP Helper Premium allows Reflected XSS.This issue affects WP Helper Premium: from n/a before...
7.1CVSS
6.9AI Score
0.0004EPSS
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mat Bao Corp WP Helper Premium allows Reflected XSS.This issue affects WP Helper Premium: from n/a before...
7.1CVSS
6.8AI Score
0.0004EPSS
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mat Bao Corp WP Helper Premium allows Reflected XSS.This issue affects WP Helper Premium: from n/a before...
7.1CVSS
7.1AI Score
0.0004EPSS
🎉 Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! On February 24th, 2024, during our second Bug Bounty...
8.8CVSS
8AI Score
0.0004EPSS
GenAI: A New Headache for SaaS Security Teams
The introduction of Open AI's ChatGPT was a defining moment for the software industry, touching off a GenAI race with its November 2022 release. SaaS vendors are now rushing to upgrade tools with enhanced productivity capabilities that are driven by generative AI. Among a wide range of uses, GenAI....
6.9AI Score
Excessive time spent checking DH q parameter value (CVE-2023-3817)
Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex()or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked.....
7.1AI Score
0.003EPSS
🎉 Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! On March 25th, 2024, during our second Bug Bounty Extravaganza,.....
9.8CVSS
8.5AI Score
0.012EPSS
New Lattice Cryptanalytic Technique
A new paper presents a polynomial-time quantum algorithm for solving certain hard lattice problems. This could be a big deal for post-quantum cryptographic algorithms, since many of them base their security on hard lattice problems. A few things to note. One, this paper has not yet been peer...
7.5AI Score
Premium Addons for Elementor < 4.10.23 - Authenticated (Contributor+) Sensitive Information Exposure
Description The Premium Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.22. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive user or configuration...
4.3CVSS
6.7AI Score
0.0004EPSS
Apple warns people of mercenary attacks via threat notification system
Apple has reportedly sent alerts to individuals in 92 nations on Wednesday, April 10, to say it's detected that they may have been a victim of a mercenary attack. The company says it has sent out these types of threat notifications to over 150 countries since the start in 2021. Mercenary spyware...
7.1AI Score
Wordfence Intelligence Weekly WordPress Vulnerability Report (April 1, 2024 to April 7, 2024)
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 193 vulnerabilities disclosed in 154...
9.9CVSS
9.8AI Score
0.082EPSS
Missing Authorization vulnerability in YITH YITH WooCommerce Gift Cards Premium.This issue affects YITH WooCommerce Gift Cards Premium: from n/a through...
6.5CVSS
6.5AI Score
0.0004EPSS
Missing Authorization vulnerability in YITH YITH WooCommerce Gift Cards Premium.This issue affects YITH WooCommerce Gift Cards Premium: from n/a through...
6.5CVSS
6.8AI Score
0.0004EPSS
Stack-based buffer overflow in the GoAhead Web Server on Schneider Electric Modicon M340 PLC BMXNOx and BMXPx devices allows remote attackers to execute arbitrary code via a long password in HTTP Basic Authentication data. This plugin only works with Tenable.ot. Please visit...
8.9AI Score
0.071EPSS
Unauthenticated Stored Cross-Site Scripting Vulnerability Patched in WordPress Core
WordPress 6.5.2 was released yesterday, on April 9, 2024. It included a single security patch, along with a handful of bug fixes. The security patch was for a Stored Cross-Site Scripting vulnerability that could be exploited by both unauthenticated users, when a comment block is present on a page,....
7.2CVSS
5.8AI Score
0.001EPSS
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Leap13 Premium Addons for Elementor.This issue affects Premium Addons for Elementor: from n/a through...
4.3CVSS
4.6AI Score
0.0004EPSS
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Leap13 Premium Addons for Elementor.This issue affects Premium Addons for Elementor: from n/a through...
4.3CVSS
9.3AI Score
0.0004EPSS
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Leap13 Premium Addons for Elementor.This issue affects Premium Addons for Elementor: from n/a through...
4.3CVSS
5AI Score
0.0004EPSS
The Premium Addons for Elementor plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the plugin's Bullet List Widget in all versions up to, and including, 4.10.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
5.4CVSS
5.1AI Score
0.0004EPSS
The Premium Addons for Elementor plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the plugin's Bullet List Widget in all versions up to, and including, 4.10.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
5.4CVSS
5.7AI Score
0.0004EPSS
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's button in all versions up to, and including, 4.10.27 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated.....
6.5CVSS
5.7AI Score
0.0004EPSS
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's button in all versions up to, and including, 4.10.27 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated.....
6.5CVSS
5.7AI Score
0.0004EPSS
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown Widget in all versions up to, and including, 4.10.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
6.4CVSS
5.7AI Score
0.0004EPSS
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown Widget in all versions up to, and including, 4.10.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
6.4CVSS
5.7AI Score
0.0004EPSS
The Premium Addons for Elementor plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the plugin's Bullet List Widget in all versions up to, and including, 4.10.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
5.4CVSS
5.2AI Score
0.0004EPSS
The Premium Addons for Elementor plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the plugin's Bullet List Widget in all versions up to, and including, 4.10.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
5.4CVSS
5.8AI Score
0.0004EPSS
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown Widget in all versions up to, and including, 4.10.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
6.4CVSS
5.8AI Score
0.0004EPSS
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's button in all versions up to, and including, 4.10.27 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated.....
6.5CVSS
5.9AI Score
0.0004EPSS
Premium Addons for Elementor < 4.10.25 - Contributor+ Stored Cross-Site Scripting
Description The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown Widget in all versions up to, and including, 4.10.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...
6.4CVSS
5.8AI Score
0.0004EPSS
Description The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's Wrapper Link Widget in all versions up to, and including, 4.10.16 due to insufficient input sanitization and output escaping on user supplied URLs. This makes it possible for authenticated attackers with...
6.4CVSS
5.7AI Score
0.0004EPSS
Premium Addons for Elementor < 4.10.25 - Contributor+ DOM-Based Stored Cross-Site Scripting
Description The plugin is vulnerable to DOM-Based Stored Cross-Site Scripting via the plugin's Bullet List Widget in all versions up to, and including, 4.10.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
5.4CVSS
5.8AI Score
0.0004EPSS
Premium Addons for Elementor < 4.10.28 - Contributor+ Stored Cross-Site Scripting via Button
Description The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's button in all versions up to, and including, 4.10.27 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...
6.5CVSS
5.8AI Score
0.0004EPSS
The WP Activity Log Premium plugin for WordPress is vulnerable to SQL Injection via the entry->roles parameter in all versions up to, and including, 4.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...
8.8CVSS
8.6AI Score
0.0004EPSS
The WP Activity Log Premium plugin for WordPress is vulnerable to SQL Injection via the entry->roles parameter in all versions up to, and including, 4.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...
8.8CVSS
8.8AI Score
0.0004EPSS
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Wrapper Link Widget in all versions up to, and including, 4.10.16 due to insufficient input sanitization and output escaping on user supplied URLs. This makes it possible for...
6.4CVSS
5.7AI Score
0.0004EPSS
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Wrapper Link Widget in all versions up to, and including, 4.10.16 due to insufficient input sanitization and output escaping on user supplied URLs. This makes it possible for...
6.4CVSS
5.7AI Score
0.0004EPSS
The WP Activity Log Premium plugin for WordPress is vulnerable to SQL Injection via the entry->roles parameter in all versions up to, and including, 4.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...
8.8CVSS
7.4AI Score
0.0004EPSS
The WP Activity Log Premium plugin for WordPress is vulnerable to SQL Injection via the entry->roles parameter in all versions up to, and including, 4.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...
8.8CVSS
8.9AI Score
0.0004EPSS
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Wrapper Link Widget in all versions up to, and including, 4.10.16 due to insufficient input sanitization and output escaping on user supplied URLs. This makes it possible for...
6.4CVSS
5.8AI Score
0.0004EPSS
🎉 Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! On February 25th, 2024, during our second Bug Bounty...
9.8CVSS
8.6AI Score
0.001EPSS
WP Activity Log Premium < 4.6.4.1 - Authenticated (Subscriber+) SQL Injection
Description The WP Activity Log Premium plugin for WordPress is vulnerable to SQL Injection via the entry->roles parameter in all versions up to, and including, 4.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...
8.8CVSS
7.5AI Score
0.0004EPSS
Porn panic imperils privacy online, with Alec Muffett (re-air): Lock and Code S05E08
This week on the Lock and Code podcast… A digital form of protest could become the go-to response for the world’s largest porn website as it faces increased regulations: Not letting people access the site. In March, PornHub blocked access to visitors connecting to its website from Texas. It marked....
7.1AI Score
$657 Bounty Awarded for Arbitrary File Upload Patched in WEmanage App Worker WordPress Plugin
On February 1st, 2024, during our Bug Bounty Extravaganza, we received a submission for an Arbitrary File Upload vulnerability in Management App for WooCommerce, a WordPress plugin with 1,000+ active installations. This vulnerability makes it possible for authenticated users such as subscribers...
8.8CVSS
9.2AI Score
0.0004EPSS
Wordfence Intelligence Weekly WordPress Vulnerability Report (March 25, 2024 to March 31, 2024)
Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 405 vulnerabilities disclosed in 320...
10CVSS
9.7AI Score
EPSS
YITH WooCommerce Account Funds Premium < 1.34.0 - Missing Authorization
Description The YITH WooCommerce Account Funds Premium plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.33.0. This makes it possible for authenticated attackers, with customer-level access and above,...
6.5CVSS
6.4AI Score
0.0004EPSS
On March 25th, 2024, during our second Bug Bounty Extravaganza, we received a submission for an unauthenticated SQL Injection vulnerability in LayerSlider, a WordPress plugin with more than 1,000,000 estimated active installations. This vulnerability can be leveraged to extract sensitive data from....
7.5CVSS
9.9AI Score
0.004EPSS
Trusted Advisor now available for Mac, iOS, and Android
First released for Windows last year, the Malwarebytes Trusted Advisor dashboard is also now available on Mac, iOS and Android. Our Trusted Advisor dashboard provides an easy-to-understand assessment of your device’s security, with a single comprehensive protection score, and clear, expert-driven.....
6.9AI Score
Introducing New Pricing For Wordfence CLI!
We have an exciting announcement today about the Wordfence CLI project. We launched Wordfence CLI at WordCamp US back in August of 2023 with the goal of bringing malware and vulnerability scanning to the command line. We've been working closely with our customers since the launch to better...
7.1AI Score