WordPress WP Fastest Cache Plugin < 1.2.2 is vulnerable to SQL Injection
Software: WP Fastest Cache | Type: Plugin | Vulnerable versions: < 1.2.2 | Fixed in: 1.2.2 | OWASP Top 10: A1 Injection | Classification: SQL Injection | CVE: CVE-2023-6063 | Patch priority: High | CVSS severity: High (9.3) | PSID: 5011a3314981 | Credits: Alex Sanford | Required privilege: Unauthenticated...
WordPress Thrive Theme Builder Theme < 3.24.0 is vulnerable to Broken Access Control
Software: Thrive Theme Builder | Type: Theme | Vulnerable versions: < 3.24.0 | Fixed in: 3.24.0 | OWASP Top 10: A1 Broken Access Control | Classification: Broken Access Control | CVE: CVE-2023-47783 | Patch priority: High | CVSS severity: High (8.3) | PSID: df9a83751ebc | Credits: Rafie Muhammad Patchsta...
WordPress CodeBard's Patron Button and Widgets for Patreon Plugin <= 2.1.9 is vulnerable to Cross Site Request Forgery (CSRF)
Software: CodeBard's Patron Button and Widgets for Patreon | Type: Plugin | Vulnerable versions: <= 2.1.9 | Fixed in: 2.2.0 | OWASP Top 10: A5 Broken Access Control | Classification: Cross-Site Request Forgery (CSRF) | CVE: CVE-2023-47765 | Patch priority: Low | CVSS severity: Low (4.3) | Developer: Codebard | PSID: 8a59ce87622d...
WordPress LuckyWP Scripts Control Plugin <= 1.2.1 is vulnerable to Broken Access Control
Software: LuckyWP Scripts Control | Type: Plugin | Vulnerable versions: <= 1.2.1 | Fixed in: 1.2.2 | OWASP Top 10: A1 Broken Access Control | Classification: Broken Access Control | CVE: CVE-2023-47778 | Patch priority: Medium | CVSS severity: Medium (4.3) | PSID: 0397d6dac11d | Credits: Abdi Pranata...
Malicious Abrax666 AI Chatbot Exposed as Potential Scam
By Waqas. The Abrax666 AI chatbot is being promoted by its developer as a malicious alternative to ChatGPT, claiming it is a perfect multitasking tool for both ethical and unethical activities. This is a post from HackRead.com. Read the original post: Malicious Abrax666 AI Chatbot Exposed as Potential Sc...
WordPress Simple 301 Redirects by BetterLinks Plugin <= 2.0.7 is vulnerable to Broken Access Control
Software: Simple 301 Redirects by BetterLinks | Type: Plugin | Vulnerable versions: <= 2.0.7 | Fixed in: 2.0.8 | OWASP Top 10: A1 Broken Access Control | Classification: Broken Access Control | CVE: CVE-2023-47761 | Patch priority: Medium | CVSS severity: Medium (4.3) | PSID: 76b78ec76a84 | Credits: Abd...
WordPress Essential Blocks for Gutenberg Plugin <= 4.2.0 is vulnerable to Broken Access Control
Software: Essential Blocks for Gutenberg | Type: Plugin | Vulnerable versions: <= 4.2.0 | Fixed in: 4.2.1 | OWASP Top 10: A1 Broken Access Control | Classification: Broken Access Control | CVE: CVE-2023-47760 | Patch priority: Medium | CVSS severity: Medium (4.3) | PSID: 34de2a2210b4 | Credits: Abdi...
WordPress ElementsKit Pro Plugin <= 3.3.0 is vulnerable to Broken Access Control
Software: ElementsKit Pro | Type: Plugin | Vulnerable versions: <= 3.3.0 | Fixed in: 3.6.8 | OWASP Top 10: A5 Broken Access Control | Classification: Broken Access Control | CVE: CVE-2023-39993 | Patch priority: Medium | CVSS severity: Medium (4.3) | PSID: b8963eeda442 | Credits: Rafie Muhammad Patchsta...
WordPress Bus Ticket Booking with Seat Reservation Plugin <= 5.2.5 is vulnerable to Cross Site Scripting (XSS)
Software: Bus Ticket Booking with Seat Reservation | Type: Plugin | Vulnerable versions: <= 5.2.5 | Fixed in: 5.2.6 | OWASP Top 10: A7 Cross-Site Scripting (XSS) | Classification: Cross-Site Scripting (XSS) | CVE: CVE-2023-30496 | Patch priority: High | CVSS severity: High (7.1) | PSID: cc34a3da3177...
WordPress Frontend File Manager Plugin < 22.6 is vulnerable to Arbitrary File Download
Software: Frontend File Manager | Type: Plugin | Vulnerable versions: < 22.6 | Fixed in: 22.6 | OWASP Top 10: A5 Broken Access Control | Classification: Arbitrary File Download | CVE: CVE-2023-5105 | Patch priority: Medium | CVSS severity: Medium (9.1) | PSID: 66e0e4c68ed0 | Credits: Dmitrii Ignatyev...
Dreamer CMS Security Vulnerability
Dreamer CMS is a content management system by Junnan Wang, an individual developer in China. A security vulnerability exists in Dreamer CMS version 4.1.3, stemming from a cross-site request forgery (CSRF) flaw in the component /admin/task/add...
WordPress WP Custom Admin Interface Plugin <= 7.31 is vulnerable to Broken Access Control
Software: WP Custom Admin Interface | Type: Plugin | Vulnerable versions: <= 7.31 | Fixed in: 7.32 | OWASP Top 10: A1 Broken Access Control | Classification: Broken Access Control | CVE: CVE-2023-47763 | Patch priority: Medium | CVSS severity: Medium (4.3) | PSID: 73d0182de151 | Credits: Abdi Pranata...
Metasploit Weekly Wrap-Up
Apache MQ and Three Cisco Modules in a Trenchcoat. This week's release has a lot of new content and features modules targeting two major recent vulnerabilities that received a great deal of attention: CVE-2023-46604 in Apache ActiveMQ, which has been used for ransomware deployment, and CVE-2023-20198 in Cis...
BlazeStealer Malware Uncovered in Python Packages on PyPI
Threat Level: Attack Report. Summary: The Python Package Index (PyPI) repository has been infiltrated with a number of malicious Python packages. These packages masquerade as obfuscation tools, but harbor BlazeStealer malware, which initiates a...
WordPress Themify Ultra Theme <= 7.3.5 is vulnerable to Broken Access Control
Software: Themify Ultra | Type: Theme | Vulnerable versions: <= 7.3.5 | Fixed in: 7.3.6 | OWASP Top 10: A5 Broken Access Control | Classification: Broken Access Control | CVE: CVE-2023-46146 | Patch priority: High | CVSS severity: High (8.3) | PSID: dba7a9d87836 | Credits: Rafie Muhammad Patchstack...
JVN#86156389: Remarshal unlimitedly expanding YAML alias nodes
Remarshal, provided by the Remarshal Project, expands YAML alias nodes without limit (CWE-674), so it is vulnerable to a Billion Laughs attack. Impact: processing untrusted YAML files may cause a denial-of-service (DoS) condition. Solution: update the software to the latest version according to...
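The following is an added example, not Remarshal's code, showing why unlimited alias expansion is a DoS primitive and one mitigation: computing the expanded size from the anchor graph before materializing it, and rejecting documents over a budget. It handles only a constructed flat subset of YAML (one mapping key per line, each value an anchored flow sequence of scalars or aliases); the budget value and the helper names are assumptions for the example.

```php
<?php
// Added example (not Remarshal's code): a "billion laughs" YAML alias bomb and a
// pre-expansion budget check. Supports only a flat YAML subset: each line is
// "key: &anchor [item, item, ...]" where an item is a scalar or a *alias.
declare(strict_types=1);

// Build an n-level bomb: level 0 is k scalars, each higher level references the
// previous anchor k times, so the top level alone expands to k^n leaves.
function buildBomb(int $levels, int $fanout): string
{
    $lines = ['a0: &a0 [' . implode(', ', array_fill(0, $fanout, '"lol"')) . ']'];
    for ($i = 1; $i < $levels; $i++) {
        $prev = 'a' . ($i - 1);
        $lines[] = "a$i: &a$i [" . implode(', ', array_fill(0, $fanout, "*$prev")) . ']';
    }
    return implode("\n", $lines) . "\n";
}

// Count how many scalar leaves the document would produce if every alias were
// expanded, without building the expansion. Throws as soon as $budget is exceeded.
function expandedLeafCount(string $yaml, int $budget): int
{
    $anchors = [];   // anchor name => leaf count of the anchored node
    $total = 0;
    foreach (explode("\n", $yaml) as $line) {
        if (!preg_match('/^\w+:\s*&(\w+)\s*\[(.*)\]\s*$/', $line, $m)) {
            continue;                       // blank or unsupported line
        }
        $count = 0;
        foreach (array_map('trim', explode(',', $m[2])) as $item) {
            if ($item === '') {
                continue;
            }
            if ($item[0] === '*') {
                $ref = substr($item, 1);
                if (!isset($anchors[$ref])) {
                    throw new RuntimeException("unknown alias *$ref");
                }
                $count += $anchors[$ref];   // alias contributes the anchored node's size
            } else {
                $count += 1;                // plain scalar
            }
            if ($count > $budget) {
                throw new RuntimeException("alias expansion exceeds budget of $budget leaves");
            }
        }
        $anchors[$m[1]] = $count;
        $total += $count;
        if ($total > $budget) {
            throw new RuntimeException("alias expansion exceeds budget of $budget leaves");
        }
    }
    return $total;
}

$small = buildBomb(3, 3);                    // 3 + 9 + 27 leaves across the three keys
echo expandedLeafCount($small, 1000), "\n";  // 39

$bomb = buildBomb(9, 9);                     // top key alone is 9^9 = 387,420,489 leaves
try {
    expandedLeafCount($bomb, 100000);
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";   // stops at level a6 (9^6 = 531,441 > budget)
}
```

The point is that the check is linear in the size of the document text, while the expansion the parser would otherwise perform is exponential in the nesting depth. A real parser needs the same budget applied inside its alias resolution (or a hard cap on alias count and depth) rather than a line-oriented pre-scan, since full YAML allows anchors in block style, nested mappings and multi-line flow sequences.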
Welcart e-Commerce < 2.9.5 - Unauthenticated PHP Object Injection
Description: The plugin unserializes user input from cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog. PoC: To simulate a gadget chain, put the following code in a plugin: class Evil { public function __wakeup(): void { die("Arbitrary...
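As an added example (not Welcart's code), the snippet below shows the vulnerable pattern the advisory describes, a cookie value fed straight to unserialize(), beside two hardened variants: unserialize() with allowed_classes disabled, and JSON for state that never needs objects. The Evil gadget, the cookie values and the loadCart* function names are constructed for this example.

```php
<?php
// Added example (not Welcart's code): cookie-driven PHP Object Injection and
// the hardened alternatives.
declare(strict_types=1);

// Hypothetical gadget standing in for whatever exploitable class the site has loaded.
class Evil
{
    public string $cmd = '';

    // __wakeup() runs automatically while unserialize() rebuilds the object,
    // before the application ever inspects the result.
    public function __wakeup(): void
    {
        echo "gadget triggered with cmd={$this->cmd}\n";
    }
}

// Vulnerable pattern: attacker-controlled cookie content goes straight into unserialize().
function loadCartVulnerable(string $cookie): mixed
{
    return unserialize($cookie);
}

// Hardened: refuse to instantiate any class. Serialized objects come back as
// __PHP_Incomplete_Class and no magic method runs; plain arrays still work.
function loadCartNoClasses(string $cookie): mixed
{
    return unserialize($cookie, ['allowed_classes' => false]);
}

// Better: keep cart state as JSON so there is no object graph to inject at all.
function loadCartJson(string $cookie): ?array
{
    $data = json_decode($cookie, true, 8, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// Constructed cookie values: a serialized Evil object, and a benign cart array.
$malicious = 'O:4:"Evil":1:{s:3:"cmd";s:6:"whoami";}';
$benign    = 'a:1:{s:5:"items";a:1:{i:0;s:9:"sku-12345";}}';

echo "vulnerable: ";
loadCartVulnerable($malicious);                   // prints "gadget triggered with cmd=whoami"

$r = loadCartNoClasses($malicious);
echo "hardened: ", get_class($r), "\n";           // __PHP_Incomplete_Class; __wakeup never ran

echo "benign: ", loadCartNoClasses($benign)['items'][0], "\n";   // sku-12345

try {
    loadCartJson($malicious);
} catch (JsonException $e) {
    echo "json: rejected (", $e->getMessage(), ")\n";   // serialized blob is not JSON
}
```

Whichever decoder is used, a cookie that carries server state should also be integrity-protected (for example an HMAC over the value checked with hash_equals() before decoding), so that a tampered value is rejected before any parsing happens.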
Windows Gather PL/SQL Developer Connection Credentials
This module can decrypt the histories and connection credentials of PL/SQL Developer; passwords are recoverable if the user chose to remember them. Module Options:
msf > use post/windows/gather/credentials/plsqldeveloper
msf post(plsqldeveloper) > show actions
...actions...
msf post(plsqldeveloper) > set...
WordPress Featured Post Creative Plugin <= 1.4 is vulnerable to Broken Access Control
Software: Featured Post Creative | Type: Plugin | Vulnerable versions: <= 1.4 | Fixed in: 1.5 | OWASP Top 10: A1 Broken Access Control | Classification: Broken Access Control | CVE: CVE-2023-40200 | Patch priority: Medium | CVSS severity: Medium (5.3) | PSID: a180338dc363 | Credits: Abdi Pranata | Require...