Akamai’s Perspective on August Patch Tuesday
Want the rundown of what to focus on with Patch Tuesday in one place? Check out this blog, and patch, patch, patch!...
Automattic: Stored XSS in intensedebate.com via the Comments RSS
Stored XSS in intensedebate.com via the Comments RSS. In our "comments.rss" file, the blog post's title reflects to the XML RSS file without any encoding. So I installed the IntenseDebate on my website https://wp.s2.cm, and created a blog post with an alert(document.domain) payload on the title. Then, ...
Company Website CMS Cross-Site Scripting Vulnerability
Company Website CMS is a company website/CMS by Torrahclef Personal Developer. It suffers from a cross-site scripting vulnerability that stems from unknown functionality in the file add-blog.php, allowing cross-site scripting attacks to be launched...
Do You Know If Your Web Forms Are Secure?
By Owais Sultan. Knowing if your forms are secure is a tricky one. Do you know if your front door is… This is a post from HackRead.com. Read the original post: Do You Know If Your Web Forms Are Secure?...
CVE-2022-2425
The WP DS Blog Map WordPress plugin through 3.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed, for example in a multisite setup...
CVE-2022-2425
The CVE-2022-2425 entry concerns the WP DS Blog Map WordPress plugin (versions up to 3.1.3). The underlying issue is that the plugin does not sanitize/escape certain settings, enabling Stored XSS when unfiltered_html is disallowed (e.g., multisite). Impact is described as allowing high-privilege...
WordPress plugin WP DS Blog Map Cross-Site Scripting Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports personal blog sites on servers with PHP and MySQL. A WordPress plugin is an application plugin for that platform. A cross-site scripting vulnerability...
The US Emergency Alert System Has Dangerous Flaws
Plus: A crypto-heist extravaganza, a peek at an NSO spyware dashboard, and more...
Malicious Package
Overview sensei-lms is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package was...
WP Edit Menu <= 1.5.0 - Arbitrary Post Deletion via CSRF
The plugin does not have a CSRF check in an AJAX action, which could allow attackers to make a logged-in admin delete arbitrary posts/pages from the blog via a CSRF attack. PoC...
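The missing check described above, shown as an added example that is not WP Edit Menu's own code: a WordPress AJAX post-deletion handler first in the CSRF-prone form (any request arriving with the admin's session cookie is honoured), then hardened with a nonce check and a per-post capability check. The action name, nonce name and function names are hypothetical; the WordPress APIs (`check_ajax_referer`, `current_user_can`, `wp_delete_post`, `wp_send_json_*`) are real.

```php
<?php
// Added example, not the plugin's code. Action/nonce/function names are hypothetical.

// Vulnerable pattern: no nonce, no capability check. A page the logged-in admin
// visits can POST to admin-ajax.php?action=wpem_example_delete_post with the
// browser attaching the admin's cookies, and the post is gone.
function wpem_example_delete_post_vulnerable() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    wp_delete_post( $post_id, true );
    wp_send_json_success();
}

// Hardened pattern.
function wpem_example_delete_post_fixed() {
    // 1. CSRF: the request must carry a nonce minted for this action for this
    //    user; a cross-origin page cannot read one. check_ajax_referer() ends
    //    the request (HTTP 403, body -1) when the nonce is missing or invalid.
    check_ajax_referer( 'wpem_example_delete_post', 'nonce' );

    // 2. Authorisation: the caller must be allowed to delete this specific post.
    //    A nonce proves intent, not permission, so both checks are needed.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
add_action( 'wp_ajax_wpem_example_delete_post', 'wpem_example_delete_post_fixed' );

// The legitimate admin page obtains the nonce server-side and passes it to its
// script, e.g. with wp_localize_script(); the script then sends it as the
// "nonce" POST field:
function wpem_example_enqueue_admin_script( $hook ) {
    wp_enqueue_script( 'wpem-example', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'wpem-example', 'wpemExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wpem_example_delete_post' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'wpem_example_enqueue_admin_script' );
```

When reviewing a plugin for this class of bug, grep every `wp_ajax_` and `admin_post_` hook target for a `check_ajax_referer` / `check_admin_referer` / `wp_verify_nonce` call and a `current_user_can` call; a handler with only one of the two is still exploitable (no nonce: CSRF; no capability check: any logged-in user, subscriber included, can reach `wp_ajax_` actions).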
Malicious Package
Overview protons-benchmark is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package...
Malicious Package
Overview docs-component-account-certification-panel is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only...
Malicious Package
Overview docs-component-create-template is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if...
Malicious Package
Overview pod-publishing-test is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this packa...
Friday Squid Blogging: Bathyteuthis berryi Holding Eggs
Image and video of a Bathyteuthis berryi carrying a few hundred eggs, taken at a depth of 4,650 feet. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here...
Malicious Package
Overview stripe-demo-connect-standard-saas-platform is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only...
Malicious Package
Overview machine-mapper is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package wa...
WP DS Blog Map <= 3.1.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed, for example in a multisite setup. PoC: Put the following payload in any of the settings...
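The "does not sanitise and escape its settings" finding, as an added example that is not the WP DS Blog Map plugin's code: a minimal settings field registered and rendered the way that produces admin+ stored XSS, beside the hardened form. Option, group and function names are hypothetical; `register_setting`, `sanitize_text_field`, `esc_attr` and `get_option` are real WordPress APIs. The reason this matters even though only admins can save settings is the `unfiltered_html` capability: on multisite, site admins are denied it, so the plugin printing their input raw lets them plant script that runs in the super admin's browser.

```php
<?php
// Added example, not the plugin's code. Option/group/function names are hypothetical.

// Vulnerable pattern: the option is stored as submitted and printed unescaped.
function wpdsbm_example_register_vulnerable() {
    // No sanitize_callback: whatever the form posts is written to the DB verbatim.
    register_setting( 'wpdsbm_example', 'wpdsbm_example_title' );
}
function wpdsbm_example_render_vulnerable() {
    $title = get_option( 'wpdsbm_example_title', '' );
    // A saved value of  "><script>...</script>  breaks out of the attribute
    // and executes for every user who opens this settings page.
    echo '<input type="text" name="wpdsbm_example_title" value="' . $title . '">';
}

// Hardened pattern: sanitise on save, escape on output, in that order and both.
function wpdsbm_example_register_fixed() {
    register_setting(
        'wpdsbm_example',
        'wpdsbm_example_title',
        array(
            'type'              => 'string',
            // Strips tags and control characters before the value is stored.
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
function wpdsbm_example_render_fixed() {
    $title = get_option( 'wpdsbm_example_title', '' );
    // esc_attr() encodes < > & " ' for the HTML-attribute context. Escaping at
    // output is still required: sanitisation protects the stored value, but the
    // DB can also be written by other code paths (imports, older versions).
    printf(
        '<input type="text" name="wpdsbm_example_title" value="%s">',
        esc_attr( $title )
    );
}
add_action( 'admin_init', 'wpdsbm_example_register_fixed' );
```

The escape function must match the output context: `esc_attr()` inside attributes, `esc_html()` in element bodies, `esc_url()` for `href`/`src`, `wp_json_encode()` when the value is handed to inline JavaScript. Sanitising on input with the wrong expectation of where the value will later appear is the usual way these settings XSS bugs slip through.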
WordPress WP DS Blog Map plugin <= 3.1.3 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by Vinay Varma Mudunuri and Krishna Harsha Kondaveeti in WordPress WP DS Blog Map plugin versions <= 3.1.3. Solution: deactivate and delete. This plugin has been closed as of July 15, 2022 and is not available for download. This...