23 matches found

Vulnrichment
added 2026/03/26 9:05 p.m., 1 view

CVE-2026-33661 WeChat Pay callback signature verification bypassed when Host header is localhost

Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the verifywechatsign function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this...

CVSS 8.6, AI score 5.9, EPSS 0.00503
Exploits 1, References 3
Cvelist
added 2026/03/26 9:05 p.m., 22 views

CVE-2026-33661 WeChat Pay callback signature verification bypassed when Host header is localhost

Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the verifywechatsign function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this...

CVSS 8.6, EPSS 0.00503
Exploits 1, References 3
NVD
added 2026/02/27 10:16 a.m., 5 views

CVE-2026-1305

The Japanized for WooCommerce plugin for WordPress is vulnerable to Improper Authentication in versions up to, and including, 2.8.4. This is due to a flawed permission check in the paidywebhookpermissioncheck function that unconditionally returns true when the webhook signature header is omitted...

CVSS 5.3, EPSS 0.00407
Exploits 0, References 6
Malwarebytes
added 2026/02/12 8:03 a.m., 4 views

Criminals are using AI website builders to clone major brands

AI tool Vercel was abused by cybercriminals to create a Malwarebytes lookalike website. Cybercriminals no longer need design or coding skills to create a convincing fake brand site. All they need is a domain name and an AI website builder. In minutes, they can clone a site's look and feel, plug i...

AI score 5.5
Exploits 0
RedhatCVE
added 2026/02/05 1:22 p.m., 6 views

CVE-2025-14461

The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint wcxenditcallback that processes payment callbacks without any...

CVSS 5.3, AI score 5.3, EPSS 0.00345
Exploits 0, References 1
ATTACKERKB
added 2026/02/04 8:25 a.m., 2 views

CVE-2025-14461

The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint wcxenditcallback that processes payment callbacks without any...

CVSS 5.3, AI score 5.3, EPSS 0.00345
Exploits 0, References 4
EUVD
added 2026/02/04 8:25 a.m., 3 views

EUVD-2025-206808

The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint wcxenditcallback that processes payment callbacks without any...

CVSS 5.3, AI score 5.3, EPSS 0.00345
Exploits 0, References 3
Malwarebytes
added 2025/09/11 12:41 p.m., 6 views

Fake Bureau of Motor Vehicles texts are after your personal and banking details

Scammers are sending out texts that claim to be from the Bureau of Motor Vehicles BMV, saying that you have outstanding traffic tickets. Here's an example, which was sent to one of our employees. “Ohio BMV Final Notice: Enforcement Begins September 10nd. Our records indicate that as of today, you...

AI score 6.8
Exploits 0
Malwarebytes
added 2024/02/29 2:00 p.m., 22 views

Airbnb scam sends you to a fake Tripadvisor site, takes your money

One of my co-workers who works on Malwarebytes’ web research team just witnessed a real life example of how useful his work is in protecting people against scammers. Stefan decided to visit Amsterdam with his girlfriend, and found a very nice and luxurious apartment in Amsterdam on Airbnb. In the...

AI score 7.1
Exploits 0
Malwarebytes
added 2023/01/05 10:00 a.m., 111 views

Fake Flipper Zero websites look to cause a big splash

Security researchers are advised to be on the lookout for scammers targeting their interest in the latest hard to obtain security testing tools. Flipper Zero, a slick looking portable multi-tool which frequently makes its way into the news, is one of the hottest pieces of kit around for security...

AI score 7.2
Exploits 0
The Hacker News
added 2022/07/13 10:26 a.m., 50 views

Microsoft Warns of Large-Scale AiTM Phishing Attacks Against Over 10,000 Organizations

Microsoft on Tuesday disclosed that a large-scale phishing campaign targeted over 10,000 organizations since September 2021 by hijacking Office 365's authentication process even on accounts secured with multi-factor authentication MFA. "The attackers then used the stolen credentials and session...

AI score 6.8
Exploits 0
NVD
added 2022/05/19 3:15 p.m., 9 views

CVE-2021-26631

An improper input validation vulnerability in the Mangboard commerce package allows abnormal requests to be processed. A remote attacker can exploit this vulnerability to manipulate the total order amount into a negative number and then pay for the order...

CVSS 8, EPSS 0.00963
Exploits 0, References 1
ThreatPost
added 2022/03/24 1:00 p.m., 65 views

Top 3 Attack Trends in API Security – Podcast

In late July 2021, online retailers got hit with a jaw-dropping 2,800 percent increase in attack takeovers. Dead-set on gift card fraud via “scrape for resale” and other types of fraud, the attacks spiraled up to the rate of 700,000 attacks per day. In a separate case – of a loan application frau...

AI score 9.2
Exploits 0, References 8
BDU FSTEC
added 2021/12/08 12:00 a.m., 2 views

The vulnerability of MasterCard Tokenisation Service (MDES) and Visa Tokenisation Service (VTS) lies in the possibility of arbitrary modification of the “Amount” field in the Authorization Request ISO 8583 packet. This allows attackers to use cryptographic algorithms to carry out fraudulent transactions.

The vulnerability of MasterCard Tokenisation Service MDES and Visa Tokenisation Service VTS lies in the possibility of arbitrary modification of the “Amount” field in the Authorisation Request ISO 8583 packet. Exploiting this vulnerability could allow attackers to use cryptographic keys to carry...

CVSS 4.1, AI score 5.6
Exploits 0
ThreatPost
added 2021/11/22 8:13 p.m., 34 views

Online Merchants: Prevent Fraudsters from Becoming Holiday Grinches

As the holiday shopping season gets into full swing, merchants aren’t the only ones expecting to have a prosperous year. Fraudsters, too, are out to grab their illicit share of the money changing hands or accounts in the weeks ahead. Especially susceptible to theft by fraud are millions of...

AI score 6.9
Exploits 0, References 8
ThreatPost
added 2021/11/13 12:46 a.m., 45 views

Threat from Organized Cybercrime Syndicates Is Rising

From encrypting communications to fencing ill-gotten gains on underground sites, organized crime is cashing in on the digital revolution. The latest organized crime threat assessment from Europol issues a dire warning about the corrosive effect the rising influence of criminal syndicates is havin...

AI score 6.9
Exploits 0, References 11
Malwarebytes
added 2020/09/29 5:00 p.m., 20 views

Caught in the payment fraud net: when, not if?

Sometimes, I think there are three certainties in life: death, taxes, and some form of payment fraud. Security reporter Danny Palmer experienced this a little while ago, and has spent a significant amount of time tracking the journey of his card details from the UK to Suriname. His deep-dive...

AI score 7
Exploits 0
The Hacker News
added 2019/07/16 9:31 a.m., 120 views

Hackers Can Manipulate Media Files You Receive Via WhatsApp and Telegram

If you think that the media files you receive on your end-to-end encrypted secure messaging apps can not be tampered with, you need to think again. Security researchers at Symantec yesterday demonstrated multiple interesting attack scenarios against WhatsApp and Telegram Android apps, which could...

AI score 1.4
Exploits 0
Schneier on Security
added 2019/06/04 11:06 a.m., 64 views

The Cost of Cybercrime

Really interesting paper calculating the worldwide cost of cybercrime: Abstract: In 2012 we presented the first systematic study of the costs of cybercrime. In this paper, we report what has changed in the seven years since. The period has seen major platform evolution, with the mobile phone...

AI score 7.1
Exploits 0
Pen Test Partners Blog
added 2019/03/26 10:21 a.m., 40 views

Business banking fraud. Keep your eggs in TWO baskets. Here’s why…

This post has a cautionary tale all about spreading your business banking fraud risk. So, does your business have two bank accounts, with different banks? No? Then you would be well advised to do so, or risk being left unable to trade. WHY? Business banking ‘cyber’ fraud is increasingly common; I...

AI score 6.9
Exploits 0