GHSA-7PQ3-326H-F8Q9 Zoraxy: Authenticated Path Traversal in Config Import leads to RCE
Authenticated Path Traversal to RCE via Configuration Import. Summary: An authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Details: The...
WordPress Plugin Exploited to Steal Credit Card Data from E-commerce Sites
Unknown threat actors are abusing lesser-known code snippet plugins for WordPress to insert malicious PHP code in victim sites that are capable of harvesting credit card data. The campaign, observed by Sucuri on May 11, 2024, entails the abuse of a WordPress plugin called Dessky Snippets, which...
CVE-2023-2005
Vulnerability in Tenable Tenable.Io, Tenable Nessus, Tenable Security Center. This issue affects Tenable.Io: before Plugin Feed ID 202306261202; Nessus: before Plugin Feed ID 202306261202; Security Center: before Plugin Feed ID 202306261202. This vulnerability could allow a malicious actor with...
CVE-2023-2005
This CVE affects Tenable.Io, Nessus, and Tenable Security Center prior to Plugin Feed ID #202306261202. The issue enables a user with scan-target permissions to place a binary in a specific filesystem location to escalate privileges via the impacted plugin. Remediation per PT-2023-17405 recommend...
AAWP < 3.12.3 - Unsafe URL Handling
The plugin can be used to abuse trusted domains to load malware or other files through it (Reflected File Download) in order to bypass firewall rules in companies. PoC: wp-content/aawp/public/image.php?url=base64-url will load and download the file from the base64-decoded URL...
PT-2020-17852 · WordPress · Wordpress
Name of the Vulnerable Software and Affected Versions: WordPress versions prior to 5.4.2; WordPress versions 5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4.0.31, 3.9.32, 3.8.34, 3.7.34. Description: The issue arises from the misuse of the...