Malicious code in lead_front_components (npm)
Source: ghsa-malware 5e9019a4ceb308c1dc53c702bca160a47e5ace72ef7230b8d21a7e83ad73583a. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Icegram < 2.1.8 - Contributor+ Stored Cross-Site Scripting
The plugin does not sanitize and escape some campaign parameters, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. Create/edit a campaign such as a Black Friday one, check the "Use Opt-in / Subscription / Lead capture form" setting and put...
Researcher Spotlight: Martin Lee, EMEAR lead, Talos Strategic Communications
Who knew you could connect Moses to threat intelligence? By Jon Munshaw. When the security community usually thinks about the origins of cybersecurity and threat intelligence, the conversation may quickly center around the codebreakers in World War II or the Creeper software developed... This is...
CVE-2022-0657
The 5 Stars Rating Funnel WordPress Plugin | RRatingg WordPress plugin before 1.2.54 does not properly sanitise, validate and escape lead ids before using them in a SQL statement via the rrtnggdeleteleads AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection...
WordPress Pretty Opt In Lite – Content Locker for Lead Generation plugin < 1.2.2 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Pretty Opt In Lite – Content Locker for Lead Generation plugin versions < 1.2.2. Solution: Update the WordPress Pretty Opt In Lite – Content Locker for Lead Generation plugin to the latest available versi...
WordPress WP Lead Stream plugin <= 1.2 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress WP Lead Stream plugin versions <= 1.2. Solution: No patched version available...
WordPress WP Lead Stream plugin <= 1.2 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress WP Lead Stream plugin versions <= 1.2. Solution: No patched version available...
WordPress Pretty Opt In Lite – Content Locker for Lead Generation plugin < 1.2.2 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress Pretty Opt In Lite – Content Locker for Lead Generation plugin versions < 1.2.2. Solution: Update the WordPress Pretty Opt In Lite – Content Locker for Lead Generation plugin to the latest available version, at least 1.2.2...
WordPress Sprout Clients – CRM and Lead Management plugin <= 3.1 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Sprout Clients – CRM and Lead Management plugin versions <= 3.1. Solution: Update the WordPress Sprout Clients – CRM and Lead Management plugin to the latest available version, at least 3.2...
WordPress Contact Form & Lead Form Elementor Builder plugin <= 1.7.3 - Multiple Subscriber+ Settings Update vulnerabilities
Multiple Subscriber+ Settings Update vulnerabilities discovered by Yoru Oni in WordPress Contact Form & Lead Form Elementor Builder plugin versions <= 1.7.3. Solution: Update the WordPress Contact Form & Lead Form Elementor Builder plugin to the latest available version, at least 1.7.4...
Contact Form & Lead Form Elementor Builder Plugin < 1.7.4 - Multiple Subscriber+ Settings Update
The plugin doesn't have authorisation and nonce checks, which could allow any authenticated user, such as a subscriber, to update and change various settings. PoC POST request (ON/OFF Captcha): POST /wp-admin/admin-ajax.php HTTP/2 Cookie: any authenticated user User-Agent: Mozilla/5.0 Content-Type:...
WordPress Contact Form & Lead Form Elementor Builder plugin <= 1.6.9 - Multiple Stored Cross-Site Scripting (XSS) vulnerabilities
Multiple Stored Cross-Site Scripting (XSS) vulnerabilities discovered by Yoru Oni in WordPress Contact Form & Lead Form Elementor Builder plugin versions <= 1.6.9. Solution: Update the WordPress Contact Form & Lead Form Elementor Builder plugin to the latest available version, at least 1.7.0...
Contact Form & Lead Form Elementor Builder < 1.7.0 - Multiple Admin+ Stored Cross-Site Scripting
The plugin does not escape some of its form fields before outputting them in attributes, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Create/edit a form and put the following payload in a Field Name or Default...
CVE-2021-24967
The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.6.4 does not sanitise and escape some lead values, which could allow unauthenticated users to perform Cross-Site Scripting attacks against logged in admin viewing the inserted Leads...
Cross site scripting
The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.6.4 does not sanitise and escape some lead values, which could allow unauthenticated users to perform Cross-Site Scripting attacks against logged in admin viewing the inserted Leads...
CVE-2021-24967
CVE-2021-24967 affects the WordPress plugin “Contact Form & Lead Form Elementor Builder” up to version 1.6.3 (pre-1.6.4). The issue is a failure to sanitize/escape certain lead values, enabling unauthenticated users to trigger stored cross-site scripting against logged-in admins viewing the leads...
CVE-2021-24967 Contact Form & Lead Form Elementor Builder < 1.6.4 - Unauthenticated Stored Cross-Site Scripting
The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.6.4 does not sanitise and escape some lead values, which could allow unauthenticated users to perform Cross-Site Scripting attacks against logged in admin viewing the inserted Leads...
Contact Form & Lead Form Elementor Builder < 1.6.8 - Subscriber+ Arbitrary Lead Deletion
The plugin does not have capability and CSRF checks in the deleteleadsbackend AJAX action, which is available to any authenticated user. As a result, users with a role as low as Subscriber could delete arbitrary Leads. Attackers could also make any logged-in user delete leads via a CSRF attack. POST...
WordPress Contact Form & Lead Form Elementor Builder plugin <= 1.6.7 - Arbitrary Lead Deletion vulnerability
Arbitrary Lead Deletion vulnerability discovered by WPScanTeam in WordPress Contact Form & Lead Form Elementor Builder plugin versions <= 1.6.7. Solution: Update the WordPress Contact Form & Lead Form Elementor Builder plugin to the latest available version, at least 1.6.8...