Lucene search

1173 matches found

Positive Technologies
added 2025/02/06 12:0 a.m. · 4 views

PT-2025-5835 · Newgensoft · Newgensoft Omnidocs

Name of the Vulnerable Software and Affected Versions: Newgensoft OmniDocs version 11.0 SP1 03 006

Description: The issue concerns an Insecure Direct Object Reference (IDOR) in the getuserproperty function, which allows the theft of a user's configuration and personally identifiable information (PII)...

7.5 CVSS · 6.8 AI score · 0.00327 EPSS
Exploits 0 · References 4

Malwarebytes
added 2025/02/05 4:9 p.m. · 6 views

Small business owners, secure your web shop

An online shop is more than just another way to sell your products. It comes with a responsibility to keep the web shop secure. Cybercriminals are looking to steal your customers’ credit card details, their personal data, and even your revenue. And it’s not as if using a platform that is used by...

7.5 AI score
Exploits 0

The Hacker News
added 2025/02/05 2:55 p.m. · 14 views

Cross-Platform JavaScript Stealer Targets Crypto Wallets in New Lazarus Group Campaign

The North Korea-linked Lazarus Group has been linked to an active campaign that leverages fake LinkedIn job offers in the cryptocurrency and travel sectors to deliver malware capable of infecting Windows, macOS, and Linux operating systems. According to cybersecurity company Bitdefender, the scam...

7.3 AI score
Exploits 0

OSV
added 2025/02/03 8:15 p.m. · 3 views

CVE-2024-11134

The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'eventerexportbookingscsv' function in all versions up to, and including, 3.9.9. This makes it possible for authenticated attackers with subscriber-level permissions or above, to...

6.5 CVSS · 5.8 AI score · 0.00293 EPSS
Exploits 0 · References 2

NVD
added 2025/02/03 8:15 p.m. · 10 views

CVE-2024-11134

The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'eventerexportbookingscsv' function in all versions up to, and including, 3.9.9. This makes it possible for authenticated attackers with subscriber-level permissions or above, to...

6.5 CVSS · 0.00293 EPSS
Exploits 0 · References 2

Cvelist
added 2025/02/03 7:22 p.m. · 15 views

CVE-2024-11134 Eventer <= 3.9.9 - Missing Authorization to Authenticated (Subscriber+) Bookings Export

The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'eventerexportbookingscsv' function in all versions up to, and including, 3.9.9. This makes it possible for authenticated attackers with subscriber-level permissions or above, to...

4.3 CVSS · 0.00293 EPSS
Exploits 0 · References 2

Vulnrichment
added 2025/02/03 7:22 p.m. · 9 views

CVE-2024-11134 Eventer <= 3.9.9 - Missing Authorization to Authenticated (Subscriber+) Bookings Export

The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'eventerexportbookingscsv' function in all versions up to, and including, 3.9.9. This makes it possible for authenticated attackers with subscriber-level permissions or above, to...

4.3 CVSS · 4.3 AI score · 0.00293 EPSS
Exploits 0 · References 2

Hacker One
added 2025/01/31 4:24 p.m. · 7 views

U.S. Dept Of Defense: Air Force candidate PII + recruitment chat logs accessible via BAC/IDOR on █████████ (very large/significant exposure)

A vulnerability was discovered in a Department of Defense-owned Salesforce asset that allowed unauthorized access to sensitive personal information of Air Force candidates. The vulnerability stemmed from a misconfiguration in the Document object, which permitted an attacker to retrieve a large...

6.6 AI score
Exploits 0

Hacker One
added 2025/01/30 4:28 p.m. · 3 views

U.S. Dept Of Defense: IDOR Exposes PII of Tens of Thousands of Users and Supervisors

A vulnerability was discovered that exposed personally identifiable information (PII) of tens of thousands of users and supervisors. The vulnerability was found in a system that allowed users to submit a SAAR. By modifying a URL parameter, users could view other users' SAARs, which contained...

6.5 AI score
Exploits 0

Malwarebytes
added 2025/01/30 1:26 p.m. · 6 views

The DeepSeek controversy: Authorities ask where does the data come from and how safe is it?

The sudden rise of DeepSeek has raised concerns and questions, especially about the origin and destination of the training data, as well as the security of the data. For those returning from a short holiday away from the news, DeepSeek is a new player on the Artificial Intelligence (AI) field. The...

7 AI score
Exploits 0

Hacker One
added 2025/01/22 8:28 p.m. · 5 views

U.S. Dept Of Defense: ASBS viewing other soldiers PII/Board/Board Voters/ETC

The vulnerability allowed an authenticated user to run GraphQL queries that returned sensitive information on other users, such as their personally identifiable information, board information, and clearance details. The vulnerability was present in version 1.09.00.0 of the affected system and...

6.5 AI score
Exploits 0

Vulnrichment
added 2025/01/16 8:6 p.m. · 7 views

CVE-2025-23777 WordPress GDPR Personal Data Reports Plugin <= 1.0.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in willowsconsulting GDPR Personal Data Reports (gdpr-personal-data-reports) allows Stored XSS. This issue affects GDPR Personal Data Reports: from n/a through <= 1.0.5...

6.5 CVSS · 7.2 AI score · 0.00354 EPSS
Exploits 0 · References 1

CVE
added 2025/01/16 8:6 p.m. · 44 views

CVE-2025-23777

CVE-2025-23777 is a stored XSS in GDPR Personal Data Reports (Willows Consulting Ltd.). The affected product is GDPR Personal Data Reports (versions up to 1.0.5, n/a through 1.0.5). Root cause is improper neutralization of input during web page generation, enabling stored cross-site scripting. C...

6.5 CVSS · 7.2 AI score · 0.00354 EPSS
Exploits 0 · References 1

Cvelist
added 2025/01/16 8:6 p.m. · 15 views

CVE-2025-23777 WordPress GDPR Personal Data Reports Plugin <= 1.0.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in willowsconsulting GDPR Personal Data Reports (gdpr-personal-data-reports) allows Stored XSS. This issue affects GDPR Personal Data Reports: from n/a through <= 1.0.5...

6.5 CVSS · 0.00354 EPSS
Exploits 0 · References 1

Patchstack
added 2025/01/16 6:42 p.m. · 4 views

WordPress GDPR Personal Data Reports Plugin <= 1.0.5 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by 0xd4rk5id3 in WordPress Plugin GDPR Personal Data Reports (versions <= 1.0.5)...

6.5 CVSS · 6.1 AI score · 0.00354 EPSS
Exploits 0 · Affected Software 1

The Hacker News
added 2025/01/09 7:13 a.m. · 8 views

E.U. Commission Fined for Transferring User Data to Meta in Violation of Privacy Laws

The European General Court on Wednesday fined the European Commission, the primary executive arm of the European Union responsible for proposing and enforcing laws for member states, for violating the bloc's own data privacy regulations. The development marks the first time the Commission has bee...

6.9 AI score
Exploits 0

HackRead
added 2025/01/06 9:42 p.m. · 17 views

New PhishWP Plugin on Russian Forum Turns Sites into Phishing Pages

SlashNext has discovered a malicious WordPress plugin, PhishWP, which creates convincing fake payment pages to steal your credit card information, 3DS codes, and personal data...

7.2 AI score
Exploits 0

The Hacker News
added 2025/01/06 2:26 p.m. · 6 views

India Proposes Digital Data Rules with Tough Penalties and Cybersecurity Requirements

The Indian government has published a draft version of the Digital Personal Data Protection (DPDP) Rules for public consultation. "Data fiduciaries must provide clear and accessible information about how personal data is processed, enabling informed consent," India's Press Information Bureau (PIB) sa...

6.9 AI score
Exploits 0

The Hacker News
added 2024/12/31 11:26 a.m. · 8 views

New U.S. DoJ Rule Halts Bulk Data Transfers to Adversarial Nations to Protect Privacy

The U.S. Department of Justice (DoJ) has issued a final rule carrying out Executive Order (EO) 14117, which prevents mass transfer of citizens' personal data to countries of concern such as China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. "This final rule is a...

6.8 AI score
Exploits 0

Malwarebytes
added 2024/12/27 2:0 p.m. · 16 views

2024 in AI: It’s changed the world, but it’s not all good

A popular saying is: “To err is human, but to really foul things up you need a computer.” Even though the saying is older than you might think, it did not come about earlier than the concept of artificial intelligence (AI). And as long as we have been waiting for AI technology to become commonplace...

6.7 AI score
Exploits 0