Wordfence Intelligence Weekly WordPress Vulnerability Report (October 16, 2023 to October 22, 2023)
Last week, there were 109 vulnerabilities disclosed in 95 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in....
CVSS 9.8 | AI Score 7.4 | EPSS n/a
Qualys API Best Practices: Web Application Scanning API
This API Best Practices Series is designed for Qualys customer programmers or stakeholders with a general knowledge of programming who want to implement best practices for improving the development, design, and performance of their programs that use the Qualys API. For non-customers, the Qualys...
AI Score 7.3
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Arrow Plugins The Awesome Feed – Custom Feed plugin <= 2.2.5...
CVSS 7.1 | AI Score 6 | EPSS 0.0005
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Arrow Plugins The Awesome Feed – Custom Feed plugin <= 2.2.5...
CVSS 6.1 | AI Score 6.2 | EPSS 0.0005
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Arrow Plugins The Awesome Feed – Custom Feed plugin <= 2.2.5...
CVSS 6.1 | AI Score 6 | EPSS 0.0005
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Arrow Plugins The Awesome Feed – Custom Feed plugin <= 2.2.5...
CVSS 7.1 | AI Score 6.3 | EPSS 0.0005
Lines of code Vulnerability details Mitigation of H-01: Mitigation Error, see comments Link to Issue: code-423n4/2023-09-asymmetry-findings#62 Comments The sponsor has provided a detailed response in the following comment: code-423n4/2023-09-asymmetry-findings#62 (comment) In summary their...
AI Score 6.8
Maximizing the value of threat modeling
Explore four practices that maximize the value of threat models throughout the entire development...
AI Score 7.1
The healthcare ecosystem requires stakeholders to have a comprehensive grasp of the industry-specific vulnerabilities, especially in its emerging technology. Coalfire examines key healthcare-specific IoT vulnerabilities, helping healthcare IoT manufacturers and medical facility administrations...
AI Score 6.9
MGM attack is too late a wake-up call for businesses, says James Fair: Lock and Code S04E22
This week on the Lock and Code podcast… In September, the Las Vegas casino and hotel operator MGM Resorts became a trending topic on social media… but for all the wrong reasons. A TikTok user posted a video taken from inside the casino floor of the MGM Grand—the company's flagship hotel complex...
AI Score 7
The RSS Aggregator by Feedzy plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.2. This is due to missing or incorrect nonce validation on the save_feedzy_post_type_meta() function. This makes it possible for unauthenticated attackers to update...
CVSS 4.3 | AI Score 4.2 | EPSS 0.001
Ubuntu 16.04 ESM : python-gnupg vulnerabilities (USN-4839-1)
The remote Ubuntu 16.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4839-1 advisory. mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof...
CVSS 7.5 | AI Score 7.1 | EPSS 0.013
Wordfence Intelligence Weekly WordPress Vulnerability Report (October 9, 2023 to October 15, 2023)
Last week, there were 103 vulnerabilities disclosed in 85 WordPress Plugins and no WordPress themes, with 7 of those being in WordPress Core, that have been added to the Wordfence Intelligence Vulnerability Database, and there were 46 Vulnerability Researchers that contributed to WordPress...
CVSS 9.8 | AI Score 8.5 | EPSS n/a
Critical Citrix NetScaler Flaw Exploited to Target Government, Tech Firms
Citrix is warning of exploitation of a recently disclosed critical security flaw in NetScaler ADC and Gateway appliances that could result in exposure of sensitive information. Tracked as CVE-2023-4966 (CVSS score: 9.4), the vulnerability impacts the following supported versions - NetScaler ADC...
CVSS 7.5 | AI Score 8.1 | EPSS 0.971
The benefits of using the new Data Privacy Framework
After the Schrems II ruling by the Court of Justice of the European Union, legal cross-border transfers of personal data from the EU to the U.S. became a key issue for U.S. businesses. After years of negotiations with the EU, the EU and U.S. have developed and agreed upon an adequate system for...
AI Score 6.9
Hexeon unleashed: human-centric offensive security amplified by technology
Part 3 in a blog series spotlighting Coalfire's 5th Annual Penetration Risk...
AI Score 7
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Arrow Plugins Social Feed | Custom Feed for Social Media Networks plugin <= 2.2.0...
CVSS 7.1 | AI Score 6 | EPSS 0.0005
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Arrow Plugins Social Feed | Custom Feed for Social Media Networks plugin <= 2.2.0...
CVSS 6.1 | AI Score 6.3 | EPSS 0.0005
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Arrow Plugins Social Feed | Custom Feed for Social Media Networks plugin <= 2.2.0...
CVSS 6.1 | AI Score 6 | EPSS 0.0005
CVE-2023-45003 WordPress Social Feed Plugin <= 2.2.0 is vulnerable to Cross Site Scripting (XSS)
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Arrow Plugins Social Feed | Custom Feed for Social Media Networks plugin <= 2.2.0...
CVSS 7.1 | AI Score 6.4 | EPSS 0.0005
CVE-2023-5070 Social Media Share Buttons & Social Sharing...
CVSS 6.5 | AI Score 6.9 | EPSS 0.0005
Feed Statistics <= 4.1 - Arbitrary Settings Update via CSRF
Description: The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF...
CVSS 8.8 | AI Score 6.5 | EPSS 0.001
Social Feed <= 2.2.0 - Reflected XSS
Description: The plugin does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as...
CVSS 6.1 | AI Score 5.7 | EPSS 0.0005
Chaty < 2.8.2 - Cross-Site Scripting
The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site...
CVSS 6.1 | AI Score 6.2 | EPSS 0.001
Cross-Site Request Forgery (CSRF) vulnerability in Christopher Finke Feed Statistics plugin <= 4.1...
CVSS 8.8 | AI Score 5.8 | EPSS 0.001
Cross-Site Request Forgery (CSRF) vulnerability in Christopher Finke Feed Statistics plugin <= 4.1...
CVSS 8.8 | AI Score 8.8 | EPSS 0.001
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) vulnerability in Christopher Finke Feed Statistics plugin <= 4.1...
CVSS 8.8 | AI Score 8.8 | EPSS 0.001
Cross-Site Request Forgery (CSRF) vulnerability in Christopher Finke Feed Statistics plugin <= 4.1...
CVSS 4.3 | AI Score 9 | EPSS 0.001
History Log by click5 < 1.0.13 - Admin+ Time-Based Blind SQL Injection
Description: The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when using the Smash Balloon Social Photo Feed plugin alongside it. PoC: [1] Navigate to Instagram Feed > Settings > Manage Sources...
CVSS 7.2 | AI Score 8.2 | EPSS 0.001
History Log by click5 < 1.0.13 - Admin+ Time-Based Blind SQL Injection
Description: The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when using the Smash Balloon Social Photo Feed plugin alongside...
CVSS 7.2 | AI Score 7.9 | EPSS 0.001
ChatGPT at work: how chatbots help employees, but threaten business
Workhorse: Only a few months ago, ChatGPT and other chatbots based on large language models (LLMs) were still a novelty. Users enjoyed using them to compose poems and lyrics in the style of famous artists (which left Nick Cave, for example, decidedly unimpressed), researchers debated blowing up...
AI Score 6.8
Wordfence Intelligence Weekly WordPress Vulnerability Report (October 2, 2023 to October 8, 2023)
Last week, there were 92 vulnerabilities disclosed in 88 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities...
CVSS 8.8 | AI Score 7.7 | EPSS n/a
Recent Vulnerabilities in Popular Applications Blocked by Imperva
Multiple vulnerabilities in popular and widespread applications have been disclosed recently, tracked as CVE-2023-36845, CVE-2023-40044, CVE-2023-42793, CVE-2023-29357, and CVE-2023-22515. These vulnerabilities, which affect several products and can be exploited to allow arbitrary code execution...
CVSS 9.8 | AI Score 10.6 | EPSS 0.973
Atlassian CVE-2023-22515 Blocked by Imperva
Atlassian, an Australian software company, has released emergency security updates to address a severe zero-day vulnerability in its Confluence Data Center and Server software. This vulnerability is actively being exploited, allowing attackers to create unauthorized Confluence administrator...
CVSS 9.8 | AI Score 7.3 | EPSS 0.973
CISA catalog passes 1,000 known-to-be-exploited vulnerabilities. Celebration time, or is it?
On September 18, 2023, the Cybersecurity & Infrastructure Security Agency (CISA) announced that its Known Exploited Vulnerabilities (KEV) catalog has reached the milestone of covering more than 1,000 vulnerabilities since its launch in November 2021. This may seem like a lot, but with over 25,000...
AI Score 6.7
KB5031355: Cumulative security update for Internet Explorer: October 10, 2023
IMPORTANT: Certain versions of Microsoft Internet Explorer have reached end of servicing. Note that some versions of Internet Explorer may be supported past the latest OS end date when Extended Security Updates (ESUs) are...
CVSS 7.8 | AI Score 8.9 | EPSS 0.001
This week on the Lock and Code podcast... What are you most worried about online? And what are you doing to stay safe? Depending on who you are, those could be very different answers, but for teenagers and members of Generation Z, the internet isn't so scary because of traditional threats like...
AI Score 6.8
The great divide of PCI DSS v4.0: Merchants, are you ready?
Are you ready for PCI DSS 4.0? It's vital to understand the changes to prepare properly and avoid costly delays in achieving...
AI Score 7
Breaking down barriers: Redefining the FedRAMP® journey for cloud service providers
Since the passing of the FedRAMP Authorization Act last December, inquiries about navigating FedRAMP's complex landscape have surged. Recognizing this, Coalfire is pioneering a new pathway to streamline the FedRAMP authorization process, making it more accessible for cloud service...
AI Score 7
Wordfence Intelligence Weekly WordPress Vulnerability Report (September 25, 2023 to October 1, 2023)
Last week, there were 90 vulnerabilities disclosed in 68 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 31 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities...
CVSS 8.8 | AI Score 8.6 | EPSS n/a
Cross-Site Request Forgery (CSRF) vulnerability in Meks Video Importer, Meks Time Ago, Meks ThemeForest Smart Widget, Meks Smart Author Widget, Meks Audio Player, Meks Easy Maps, Meks Easy Photo Feed Widget, Meks Simple Flickr Widget, Meks Easy Ads Widget, Meks Smart Social Widget plugins leading...
CVSS 8.8 | AI Score 5.9 | EPSS 0.001
Cross-Site Request Forgery (CSRF) vulnerability in Meks Video Importer, Meks Time Ago, Meks ThemeForest Smart Widget, Meks Smart Author Widget, Meks Audio Player, Meks Easy Maps, Meks Easy Photo Feed Widget, Meks Simple Flickr Widget, Meks Easy Ads Widget, Meks Smart Social Widget plugins leading...
CVSS 8.8 | AI Score 8.8 | EPSS 0.001
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) vulnerability in Meks Video Importer, Meks Time Ago, Meks ThemeForest Smart Widget, Meks Smart Author Widget, Meks Audio Player, Meks Easy Maps, Meks Easy Photo Feed Widget, Meks Simple Flickr Widget, Meks Easy Ads Widget, Meks Smart Social Widget plugins leading...
CVSS 8.8 | AI Score 8.8 | EPSS 0.001
CVE-2023-25989 Cross-Site Request Forgery (CSRF) vulnerability in multiple WordPress plugins by Meks
Cross-Site Request Forgery (CSRF) vulnerability in Meks Video Importer, Meks Time Ago, Meks ThemeForest Smart Widget, Meks Smart Author Widget, Meks Audio Player, Meks Easy Maps, Meks Easy Photo Feed Widget, Meks Simple Flickr Widget, Meks Easy Ads Widget, Meks Smart Social Widget plugins leading...
CVSS 4.3 | AI Score 9 | EPSS 0.001
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Arrow Plugins The Awesome Feed – Custom Feed plugin <= 2.2.5...
CVSS 5.4 | AI Score 5.8 | EPSS 0.0004
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Arrow Plugins The Awesome Feed – Custom Feed plugin <= 2.2.5...
CVSS 6.5 | AI Score 5.2 | EPSS 0.0004
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Arrow Plugins The Awesome Feed – Custom Feed plugin <= 2.2.5...
CVSS 5.4 | AI Score 5.2 | EPSS 0.0004
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Arrow Plugins The Awesome Feed – Custom Feed plugin <= 2.2.5...
CVSS 6.5 | AI Score 6 | EPSS 0.0004
The Awesome Feed – Custom Feed <= 2.2.5 - Contributor+ Stored XSS
Description: The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...
CVSS 5.4 | AI Score 5.7 | EPSS 0.0004
Guardians of IoT: Safeguarding connectivity of input and output channels
Ensuring the security of the Internet of Things (IoT) demands a meticulous examination of industry-specific vulnerabilities and a profound comprehension of data handling. Have you taken the necessary steps to confirm that your chosen third-party security vendor possesses a comprehensive...
AI Score 7