Cybercriminals Use Unicode to Hide Mongolian Skimmer in E-Commerce Platforms

Cybersecurity researchers have shed light on a new digital skimmer campaign that leverages Unicode obfuscation techniques to conceal a skimmer dubbed Mongolian Skimmer. "At first glance, the thing that stood out was the script's obfuscation, which seemed a bit bizarre because of all the accented...

WordPress TI WooCommerce Wishlist Plugin <= 2.9.0 is vulnerable to SQL Injection

Software TI WooCommerce Wishlist Type Plugin Vulnerable versions = 2.9.0 Fixed in N/A OWASP Top 10 A1: Injection Classification SQL Injection CVE CVE-2024-9156 Patch priority High CVSS severity High 9.3 Developer Claim ownership PSID 8b4c5ec7c9db Credits John Castro Required privilege...

WordPress UserPlus Plugin <= 2.0 is vulnerable to Privilege Escalation

Software UserPlus Type Plugin Vulnerable versions = 2.0 Fixed in N/A OWASP Top 10 A1: Broken Access Control Classification Privilege Escalation CVE CVE-2024-9519 Patch priority Medium CVSS severity Medium 7.2 Developer Claim ownership PSID 64930a4c20d0 Credits István Márton Required privilege...

WordPress Language Switcher Plugin <= 3.7.13 is vulnerable to Cross Site Scripting (XSS)

Software Language Switcher Type Plugin Vulnerable versions = 3.7.13 Fixed in 3.8.0 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2024-9610 Patch priority Medium CVSS severity Medium 7.1 Developer Claim ownership PSID 7600fb4498d2 Credits vgo0 Required...

WordPress WordPress Comments Import & Export Plugin <= 2.3.7 is vulnerable to Directory Traversal

Software WordPress Comments Import & Export Type Plugin Vulnerable versions = 2.3.7 Fixed in 2.3.9 OWASP Top 10 A3: Injection Classification Directory Traversal CVE CVE-2024-7514 Patch priority Low CVSS severity Low 4.9 Developer Claim ownership PSID 06055d28d8b6 Credits scottaglia Required...

CVE-2024-9671

A vulnerability was found in 3Scale. There is no auth mechanism to see a PDF invoice of a Developer user if the URL is known. Anyone can see the invoice if the URL is known or guessed...

CVE-2024-9671 System: pdf invoices of the developer users can be seen if the url is known

A vulnerability was found in 3Scale. There is no auth mechanism to see a PDF invoice of a Developer user if the URL is known. Anyone can see the invoice if the URL is known or guessed...

WordPress Tainacan Plugin <= 0.21.8 is vulnerable to SQL Injection

Software Tainacan Type Plugin Vulnerable versions = 0.21.8 Fixed in 0.21.9 OWASP Top 10 A3: Injection Classification SQL Injection CVE CVE-2024-48040 Patch priority High CVSS severity High 8.5 Developer Tainacan Community PSID 8db23d195d90 Credits Trương Hữu Phúc truonghuuphuc Required privilege...

WordPress External featured image from bing Plugin <= 1.0.2 is vulnerable to Remote Code Execution (RCE)

Software External featured image from bing Type Plugin Vulnerable versions = 1.0.2 Fixed in N/A OWASP Top 10 A1: Broken Access Control Classification Remote Code Execution RCE CVE CVE-2024-48027 Patch priority High CVSS severity High 9.9 Developer Claim ownership PSID dfcd7085e39e Credits João...

WordPress Disc Golf Manager Plugin <= 1.0.0 is vulnerable to PHP Object Injection

Software Disc Golf Manager Type Plugin Vulnerable versions = 1.0.0 Fixed in N/A OWASP Top 10 A3: Injection Classification PHP Object Injection CVE CVE-2024-48026 Patch priority High CVSS severity High 9.8 Developer Claim ownership PSID ad0f79b4fc3a Credits LVT-tholv2k Required privilege...

WordPress pretix widget Plugin <= 1.0.5 is vulnerable to Local File Inclusion

Software pretix widget Type Plugin Vulnerable versions = 1.0.5 Fixed in 1.0.6 OWASP Top 10 A4: Insecure Design Classification Local File Inclusion CVE CVE-2024-9575 Patch priority Low CVSS severity Low 8.5 Developer Claim ownership PSID 3a2933f81cf6 Credits João Pedro S Alcântara Kinorth Required...

Huawei EulerOS: Security Advisory for orc (EulerOS-SA-2024-2589)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

WordPress CM Tooltip Glossary Plugin <= 4.3.9 is vulnerable to Cross Site Scripting (XSS)

Software CM Tooltip Glossary Type Plugin Vulnerable versions = 4.3.9 Fixed in 4.3.11 OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE CVE-2024-48041 Patch priority Low CVSS severity Low 6.5 Developer Claim ownership PSID 8a6f9dafb4e1 Credits Robert DeVore Required privilege...

EulerOS 2.0 SP11 : orc (EulerOS-SA-2024-2589)

According to the versions of the orc packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : Stack-based buffer overflow vulnerability exists in orcparse.c of ORC versions prior to 0.4.39. If a developer is tricked to process a specially...

WordPress Limit Login Attempts Plugin <= 5.3 is vulnerable to Bypass Vulnerability

Software Limit Login Attempts Type Plugin Vulnerable versions = 5.3 Fixed in 5.4 OWASP Top 10 A4: Insecure Design Classification Bypass Vulnerability CVE CVE-2022-4534 Patch priority Low CVSS severity Low 5.3 Developer Claim ownership PSID 03e4ff962fd9 Credits rezaduty Required privilege Publishe...

WordPress Auto iFrame Plugin <= 1.7 is vulnerable to Cross Site Scripting (XSS)

Software Auto iFrame Type Plugin Vulnerable versions = 1.7 Fixed in 1.8 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2024-9449 Patch priority Low CVSS severity Low 5.9 Developer Claim ownership PSID 731554979a26 Credits tjoffe Required privilege Author...

WordPress WooCommerce Multilingual & Multicurrency Plugin <= 5.3.7 is vulnerable to Cross Site Scripting (XSS)

Software WooCommerce Multilingual & Multicurrency Type Plugin Vulnerable versions = 5.3.7 Fixed in 5.3.8 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2024-8629 Patch priority Medium CVSS severity Medium 7.1 Developer Claim ownership PSID 83741990a924...

WordPress Backup and Staging by WP Time Capsule Plugin <= 1.22.21 is vulnerable to SQL Injection

Software Backup and Staging by WP Time Capsule Type Plugin Vulnerable versions = 1.22.21 Fixed in 1.22.22 OWASP Top 10 A3: Injection Classification SQL Injection CVE CVE-2024-48020 Patch priority Low CVSS severity Low 8.5 Developer Claim ownership PSID 257cfd27ce2c Credits Hakiduck Required...

KLA73906 Multiple vulnerabilities in Microsoft Developer Tools

Multiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to gain privileges, execute arbitrary code, cause denial of service. Below is a complete list of vulnerabilities: 1. An elevation of privilege vulnerability in Visual C++...

WordPress ThemeHunk Plugin <= 1.1.0 is vulnerable to Cross Site Scripting (XSS)

Software ThemeHunk Type Plugin Vulnerable versions = 1.1.0 Fixed in 1.1.1 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2024-8433 Patch priority Medium CVSS severity Medium 6.5 Developer Claim ownership PSID c1773d3ddeac Credits Lucio Sá Required...