Last week, there were 42 vulnerabilities disclosed in 37 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 10 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities...
7.2CVSS
6.9AI Score
0.001EPSS
Users can deposit() even when Chainlink's price feed for CVX is stale
Lines of code Vulnerability details Bug Description In VotiumStrategy.sol, the price of vAfEth is determined by the price() function: VotiumStrategy.sol#L31-L33 function price() external view override returns (uint256) { return (cvxPerVotium() * ethPerCvx(false)) / 1e18; } As seen...
7AI Score
AfEth deposits could use price data from an invalid Chainlink response
Lines of code Vulnerability details Summary The current price implementation for the VotiumStrategy token uses a potentially invalid Chainlink response. This price is then used to calculate the price of AfEth and, subsequently, the amount of tokens to mint while depositing. Impact The price of...
6.9AI Score
Missing circuit breaker checks in ethPerCvx() for Chainlink's price feed
Lines of code Vulnerability details Bug Description The ethPerCvx() function relies on a Chainlink oracle to fetch the CVX / ETH price: VotiumStrategyCore.sol#L158-L169 try chainlinkCvxEthFeed.latestRoundData() returns ( uint80 roundId, int256 answer, ...
6.8AI Score
Cracking the code to compliance management
Based on recent research and findings from Coalfire's 2023 Compliance Report, the second blog in this series outlines compliance program management and performance priorities for CISOs and compliance...
7AI Score
Threat Report: High Tech Industry targeted the most with 46% of attack traffic tagged by NLX
How To Use This Report Enhance situational awareness of techniques used by threat actors Identify potential attacks targeting your industry Gain insights to help improve and accelerate your organization's threat response Summary of Findings The Network Effect Threat Report offers insights based...
8.5AI Score
It might not be possible to applyRewards(), if an amount received is less than 0.05 eth
Lines of code Vulnerability details Vulnerability Details Upon claiming Votium rewards, applyRewards() is intended to be invoked bi-weekly in order to exchange the tokens for eth and put the eth received back into the strategies. Based on the current ratio it either stakes the amount into safETH...
6.8AI Score
What does a car need to know about your sex life? Lock and Code S04E20
This week on the Lock and Code podcast... When you think of the modern tools that most invade your privacy, what do you picture? There's the obvious answers, like social media platforms including Facebook and Instagram. There's email and "everything" platforms like Google that can track your...
6.9AI Score
Tenable Nessus < 10.5.5 Multiple Vulnerabilities (TNS-2023-31)
According to its self-reported version, the Tenable Nessus application running on the remote host is prior to 10.5.5. It is, therefore, affected by multiple vulnerabilities as referenced in the TNS-2023-31 advisory. A pass-back vulnerability exists where an authenticated, remote attacker with...
6.8CVSS
5.7AI Score
0.001EPSS
Last week, there were 55 vulnerabilities disclosed in 46 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 15 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities...
8.8CVSS
8.7AI Score
0.001EPSS
Penetration testing: shifting paradigms from reactive to proactive
Part 2 in a blog series spotlighting Coalfire's 5th Annual Penetration Risk...
7AI Score
New ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants
Cisco Talos recently discovered a new malware family we're calling "HTTPSnoop" being deployed against telecommunications providers in the Middle East. HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to...
7.8AI Score
A rundown of the OWASP top 10 for large language model applications
As part of the Open Worldwide Application Security Project (OWASP) AI Project, a community of international experts published a list of the top 10 critical vulnerabilities seen in Large Language Model (LLM)...
7.1AI Score
Crooks Exploited Satellite Live Feed Delay for Betting Advantage
By Deeba Ahmed The gang used satellite technology to get sports feed and predict match results before bookmakers. This is a post from HackRead.com Read the original post: Crooks Exploited Satellite Live Feed Delay for Betting...
7AI Score
h3. Issue Summary This is reproducible on Data Center: {}YES{}. h3. Steps to Reproduce h4. Steps on Bulldog: # Sign in as a user with all of these permissions: {}Can Use, Personal Space, Create Space(s), Confluence Administrator (optional), System Administrator{}. Note that this use should not be.....
6.6AI Score
The WS Facebook Like Box Widget for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'ws-facebook-likebox' shortcode in versions up to, and including, 5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...
6.4CVSS
5.3AI Score
0.0004EPSS
The WS Facebook Like Box Widget for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'ws-facebook-likebox' shortcode in versions up to, and including, 5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...
5.4CVSS
5.7AI Score
0.0004EPSS
The WS Facebook Like Box Widget for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'ws-facebook-likebox' shortcode in versions up to, and including, 5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...
5.4CVSS
5.2AI Score
0.0004EPSS
The WS Facebook Like Box Widget for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'ws-facebook-likebox' shortcode in versions up to, and including, 5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...
6.4CVSS
5.8AI Score
0.0004EPSS
Last week, there were 107 vulnerabilities disclosed in 89 WordPress Plugins and 5 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 36 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities...
9.8CVSS
8.4AI Score
EPSS
The Feeds for YouTube for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'youtube-feed' shortcode in versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated.....
6.4CVSS
5.3AI Score
0.001EPSS
The Feeds for YouTube for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'youtube-feed' shortcode in versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated.....
5.4CVSS
5.7AI Score
0.001EPSS
The Feeds for YouTube for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'youtube-feed' shortcode in versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated.....
5.4CVSS
5.4AI Score
0.001EPSS
The Feeds for YouTube for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'youtube-feed' shortcode in versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated.....
6.4CVSS
5.8AI Score
0.001EPSS
What to look for in an audit partner
How are successful auditor partnerships formed? It starts with selecting the right auditor and taking them with you on your organization's compliance...
7AI Score
KB5030209: Cumulative security update for Internet Explorer: September 12, 2023
KB5030209: Cumulative security update for Internet Explorer: September 12, 2023 IMPORTANT Certain versions of Microsoft Internet Explorer have reached end of servicing. Note that some versions of Internet Explorer may be supported past the latest OS end date when Extended Security Updates (ESUs)...
7CVSS
7.6AI Score
0.001EPSS
Re-air: What teenagers face growing up online: Lock and Code S04E19
This week on the Lock and Code podcast... In 2022, Malwarebytes investigated the blurry, shifting idea of "identity" on the internet, and how online identities are not only shaped by the people behind them, but also inherited by the internet's youngest users, children. Children have always...
7AI Score
An issue was discovered in the MyCrops HiGrade "THC Testing & Cannabi" application 1.0.337 for Android. A remote attacker can start the camera feed via the com.cordovaplugincamerapreview.CameraActivity component in some situations. NOTE: this is only exploitable on Android versions that lack...
5.3CVSS
5.2AI Score
0.001EPSS
An issue was discovered in the MyCrops HiGrade "THC Testing & Cannabi" application 1.0.337 for Android. A remote attacker can start the camera feed via the com.cordovaplugincamerapreview.CameraActivity component in some situations. NOTE: this is only exploitable on Android versions that lack...
5.3CVSS
5.3AI Score
0.001EPSS
An issue was discovered in the MyCrops HiGrade "THC Testing & Cannabi" application 1.0.337 for Android. A remote attacker can start the camera feed via the com.cordovaplugincamerapreview.CameraActivity component in some situations. NOTE: this is only exploitable on Android versions that lack...
5.3CVSS
5.4AI Score
0.001EPSS
Wyze home cameras temporarily show other people's security feeds
A mishap has resulted in security feeds and camera logs from home cameras being temporarily visible online. Users of Wyze, makers of smart products and home cameras, fell victim to this bizarre incident sometime around September 8. One of the first posts about this appeared on Reddit, where a user....
6.7AI Score
An issue was discovered in the MyCrops HiGrade "THC Testing & Cannabi" application 1.0.337 for Android. A remote attacker can start the camera feed via the com.cordovaplugincamerapreview.CameraActivity component in some situations. NOTE: this is only exploitable on Android versions that lack...
5.6AI Score
0.001EPSS
Wordfence Intelligence Weekly WordPress Vulnerability Report (August 28, 2023 to September 3, 2023)
Last week, there were 64 vulnerabilities disclosed in 61 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in....
9.8CVSS
8AI Score
EPSS
Oracle Linux 8 : haproxy (ELSA-2020-1725)
The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2020-1725 advisory. A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the chunked value were not being...
9.8CVSS
7.1AI Score
0.022EPSS
GraphQL Vulnerabilities and Common Attacks: What You Need to Know
GraphQL is a powerful query language for APIs that has gained popularity in recent years for its flexibility and ability to provide a great developer experience. However, with the rise of GraphQL usage comes the potential for security vulnerabilities and attacks. In this blog post, we will...
8.5AI Score
Vietnamese Cybercriminals Targeting Facebook Business Accounts with Malvertising
Malicious actors associated with the Vietnamese cybercrime ecosystem are leveraging advertising-as-a-vector on social media platforms such as Meta-owned Facebook to distribute malware. "Threat actors have long used fraudulent ads as a vector to target victims with scams, malvertising, and more,"...
7.5AI Score
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Liam Gladdy (Storm Consultancy) oAuth Twitter Feed for Developers plugin <= 2.3.0...
4.8CVSS
5.4AI Score
0.0004EPSS
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Liam Gladdy (Storm Consultancy) oAuth Twitter Feed for Developers plugin <= 2.3.0...
5.9CVSS
4.8AI Score
0.0004EPSS
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Web-Settler Image Social Feed plugin <= 1.7.6...
4.8CVSS
5.4AI Score
0.0004EPSS
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Web-Settler Image Social Feed plugin <= 1.7.6...
5.9CVSS
4.8AI Score
0.0004EPSS
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Web-Settler Image Social Feed plugin <= 1.7.6...
4.8CVSS
4.8AI Score
0.0004EPSS
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Liam Gladdy (Storm Consultancy) oAuth Twitter Feed for Developers plugin <= 2.3.0...
4.8CVSS
4.9AI Score
0.0004EPSS
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Liam Gladdy (Storm Consultancy) oAuth Twitter Feed for Developers plugin <= 2.3.0...
5.9CVSS
5.6AI Score
0.0004EPSS
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Web-Settler Image Social Feed plugin <= 1.7.6...
5.9CVSS
5.5AI Score
0.0004EPSS
Wordfence Intelligence Weekly WordPress Vulnerability Report (August 21, 2023 to August 27, 2023)
Last week, there were 43 vulnerabilities disclosed in 38 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 23 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities...
7.5CVSS
7AI Score
EPSS
Tenable Nessus Multiple Vulnerabilities (TNS-2023-29, TNS-2023-31)
Tenable Nessus is prone to multiple...
6.8CVSS
7AI Score
0.001EPSS
Import XML and RSS Feeds < 2.1.5 - Unauthenticated RCE
Description The plugin contains a web shell, allowing unauthenticated attackers to perform RCE. The plugin/vendor was not compromised and the files are the result of running a PoC for a previously reported issue (https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42) and not...
9.8CVSS
9.7AI Score
0.037EPSS
Import XML and RSS Feeds < 2.1.5 - Unauthenticated RCE
Description The plugin contains a web shell, allowing unauthenticated attackers to perform RCE. The plugin/vendor was not compromised and the files are the result of running a PoC for a previously reported issue (https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42) and not...
9.8CVSS
9.5AI Score
0.037EPSS
Looking back at Black Hat 2023
From AI to the evolving threat landscape, Black Hat 2023 spotlighted the security industry's latest and greatest...
7AI Score
Introducing Free Wordfence Intelligence WordPress Vulnerability Webhook Notifications!
We’re incredibly excited to announce that we have launched a webhook integration for vulnerabilities as part of Wordfence Intelligence, which enables users to stay on top of the latest vulnerabilities being added to the Wordfence Intelligence WordPress Vulnerability database, all completely for...
6.7AI Score