7705 matches found
CVE-2022-35501
Stored Cross-site Scripting (XSS) exists in the Amasty Blog Pro 2.10.3 and 2.10.4 plugin for Magento 2 because of the duplicate post function...
WooCommerce Shipping - DPD baltic < 1.2.57 - Subscriber+ Arbitrary Options Deletion
The plugin does not have authorisation and CSRF checks in an AJAX action, which could allow any authenticated user, such as a subscriber, to delete arbitrary options from the blog, which could make the blog unavailable. PoC: Run the below command in the developer console of the web browser while being on t...
StopBadBots < 7.24 - Subscriber+ Arbitrary Plugin Installation
The plugin does not have proper authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and install and activate arbitrary plugins from wordpress.org. Run the below command in the developer console of the web browser while being on the blog as a...
AntiHacker < 4.20 - Subscriber+ Arbitrary Plugin Installation
The plugin does not have proper authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and install and activate arbitrary plugins from wordpress.org. Run the below command in the developer console of the web browser while being on the blog as a...
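The three entries above (DPD Baltic, StopBadBots, AntiHacker) describe one flaw class: a wp_ajax_ handler that performs a privileged action without checking the caller's capability or a nonce. Because wp_ajax_{action} hooks fire for any logged-in user, a subscriber account is enough, and the missing nonce means a CSRF page can make an administrator's browser send the request. The block below is an added example written for this page, not code from any of the plugins named above; the exmpl_ prefix, the action, option and script names are hypothetical. It shows the unprotected handler beside the hardened one, using only core WordPress functions. For the plugin-installation variant the same checks apply, with install_plugins and activate_plugins as the required capabilities.

```php
<?php
/**
 * Added example (hypothetical "exmpl" plugin), not code from DPD Baltic,
 * StopBadBots or AntiHacker. Illustrates a wp_ajax_ handler with missing
 * authorisation and CSRF checks, and the hardened equivalent.
 */

// --- Vulnerable pattern -----------------------------------------------------
// Reachable by any authenticated user via
// POST admin-ajax.php  action=exmpl_delete_option&name=<option>
// Nothing below checks who is asking or whether the request was intended,
// so a subscriber (or a CSRF page visited by an admin) can delete any option.
add_action( 'wp_ajax_exmpl_delete_option', 'exmpl_delete_option_vulnerable' );
function exmpl_delete_option_vulnerable() {
    $name = isset( $_POST['name'] ) ? $_POST['name'] : '';
    delete_option( $name );
    wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------------
add_action( 'wp_ajax_exmpl_delete_option_v2', 'exmpl_delete_option_hardened' );
function exmpl_delete_option_hardened() {
    // 1. CSRF: require a nonce bound to this specific action. On failure
    //    check_ajax_referer() responds with -1 and dies (third arg defaults to true).
    check_ajax_referer( 'exmpl_delete_option', 'nonce' );

    // 2. Authorisation: being logged in is not enough; require the capability
    //    the operation actually needs. wp_send_json_error() calls wp_die(),
    //    so execution stops here on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input: restrict the endpoint to the options this feature owns, so
    //    even an administrator cannot delete core options (e.g. siteurl) through it.
    $name    = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    $allowed = array( 'exmpl_setting_a', 'exmpl_setting_b' );
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'unknown option' ), 400 );
    }

    delete_option( $name );
    wp_send_json_success( array( 'deleted' => $name ) );
}

// The nonce the hardened handler expects has to be issued to the page that
// will call it; here it is handed to the admin script as exmplAjax.nonce.
add_action( 'admin_enqueue_scripts', 'exmpl_enqueue_admin_script' );
function exmpl_enqueue_admin_script() {
    wp_enqueue_script( 'exmpl-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'exmpl-admin', 'exmplAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'exmpl_delete_option' ),
    ) );
}
```

When reviewing a plugin for this class of bug, grep for add_action( 'wp_ajax_ and wp_ajax_nopriv_ and confirm every handler reaches both a nonce check (check_ajax_referer or wp_verify_nonce) and a current_user_can() test before it touches options, files or plugins; the nonce alone does not stop a low-privileged user who can obtain one from a page they are allowed to view.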
WordPress Post By Email Enabled
WordPress has a core feature and plugins allowing content managers to publish posts on their blogs by sending their articles to a configured email address. The scanner detected that the target WordPress instance has either the core feature or a specific plugin configured. No source data...
Best of TaoSecurity Blog Kindle Edition Sale
I'm running a Black Friday / Cyber Monday sale on my four newest Kindle format books. Volumes 1-4 of The Best of TaoSecurity Blog will be half off starting 9 pm PT Tuesday 22 Nov and ending 9 pm PT Tuesday 29 Nov. They are here. There also appears to be a daily deal right now for the paperback of Volu...
TaoSecurity on Mastodon
I am now using Mastodon as a replacement for the blue bird. This is my attempt to verify myself via my blog. I am no longer posting to my old bird account. Copyright 2003-2020 Richard Bejtlich and TaoSecurity taosecurity.blogspot.com and www.taosecurity.com...
CVE-2022-36432
The Preview functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 uses eval unsafely. This allows attackers to perform Cross-site Scripting attacks on admin panel users by manipulating the generated preview application response...
Cross site scripting
The Preview functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 uses eval unsafely. This allows attackers to perform Cross-site Scripting attacks on admin panel users by manipulating the generated preview application response...
Magento Open Source cross-site scripting vulnerability
Magento Open Source is designed to provide basic e-commerce functionality, allowing you to build unique online stores from scratch. A security vulnerability exists in the Amasty Blog Pro plugin for Magento Open Source that stems from the unsafe use of eval...
PT-2022-23366 · Amasty +1 · Amasty Blog Pro +1
Name of the Vulnerable Software and Affected Versions: Amasty Blog Pro version 2.10.3 Description: The Preview functionality in the Amasty Blog Pro plugin for Magento 2 uses eval unsafely, allowing attackers to perform Cross-site Scripting attacks on admin panel users by manipulating the generate...
CVE-2022-36432
CVE-2022-36432 affects Amasty Blog Pro 2.10.3 for Magento 2. The Preview functionality uses eval unsafely, enabling Cross-site Scripting on admin panel users by manipulating the generated preview response. Root cause is unsafe use of eval in the preview flow. Human interaction is required (UI: R)...
Donation Button <= 4.0.0 - Contributor+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. Put the following shortcode in a blog post: [paypaldonationbutton align='center" onmouseover="alert(1)']...
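The entry above is the classic shortcode-attribute stored XSS: WordPress's kses filter strips script from a Contributor's post body, but shortcodes run server-side after that filtering and their output is rendered to every viewer, including administrators, so an attribute value written into HTML unescaped becomes a stored payload. The block below is an added example written for this page, not the Donation Button plugin's code; the shortcode name exmpl_button and its attributes are hypothetical. It shows the unescaped handler beside the fixed one.

```php
<?php
/**
 * Added example (hypothetical "exmpl_button" shortcode), not the Donation
 * Button plugin's code. Shows a shortcode attribute reflected into markup
 * without escaping, and the escaped, allow-listed version.
 */

// --- Vulnerable -------------------------------------------------------------
// A Contributor saves  [exmpl_button align='center" onmouseover="alert(1)']
// in a post. shortcode_parse_atts() takes everything between the single
// quotes as the value, so $atts['align'] is  center" onmouseover="alert(1)
// and the double quote inside it breaks out of the data-align attribute.
function exmpl_button_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'align' => 'left', 'label' => 'Donate' ), $atts, 'exmpl_button' );
    return '<div class="exmpl-button" data-align="' . $atts['align'] . '">'
         . $atts['label'] . '</div>';
}

// --- Hardened ---------------------------------------------------------------
function exmpl_button_hardened( $atts ) {
    $atts = shortcode_atts( array( 'align' => 'left', 'label' => 'Donate' ), $atts, 'exmpl_button' );

    // Enumerated attributes: allow-list the values rather than trusting the
    // stored string at all.
    $align = in_array( $atts['align'], array( 'left', 'center', 'right' ), true )
        ? $atts['align']
        : 'left';

    // Free-text attributes: escape for the context the value lands in.
    // esc_attr() inside an HTML attribute, esc_html() in element text;
    // esc_url() would be the right call for an href/src value.
    return '<div class="exmpl-button" data-align="' . esc_attr( $align ) . '">'
         . esc_html( $atts['label'] ) . '</div>';
}
add_shortcode( 'exmpl_button', 'exmpl_button_hardened' );
```

Sanitising on save (sanitize_text_field and friends) is not a substitute for escaping on output: the attribute value may also arrive through post meta, imports or the REST API, and the escaping function must match the output context, which only the rendering code knows.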
Akamai’s Perspective on November’s Patch Tuesday
Every Patch Tuesday stirs up the community. See Akamai's November insights and recommendations on what to focus on, and patch, patch, patch!...
CISA Releases SSVC Methodology to Prioritize Vulnerabilities
Today CISA published its guide on Stakeholder-Specific Vulnerability Categorization (SSVC), a vulnerability management methodology that assesses vulnerabilities and prioritizes remediation efforts based on exploitation status, impacts to safety, and prevalence of the affected product in a singular...
SEMCMS SQL injection vulnerability
SEMCMS is a multilingual content management system (CMS) for foreign trade websites. A SQL injection vulnerability exists in SEMCMS SHOP version 1.1, which originates from a SQL injection issue in AntBlogCat.php...
Apple MacOS Ventura Bug Breaks Third-Party Security Tools
Your anti-malware software may not work if you upgraded to the new operating system. But Apple says a fix is on the way...