Supply Chain Attack on WordPress.org Plugins Leads to 5 Maliciously Compromised WordPress Plugins
On Monday, June 24th, 2024, the Wordfence Threat Intelligence team became aware of a plugin, Social Warfare, that was injected with malicious code on June 22, 2024, based on a forum post by the WordPress.org Plugin Review team. We immediately checked the malicious file and uploaded it to our interna...
CVE-2024-6120
The Sparkle Demo Importer plugin for WordPress is vulnerable to unauthorized database reset and demo data import due to a missing capability check on multiple functions in all versions up to and including 1.4.7. This makes it possible for authenticated attackers, with Subscriber-level access...
CVE-2024-6120
CVE-2024-6120 affects the WordPress plugin Sparkle Demo Importer. Public details in connected docs confirm: all versions up to 1.4.7 are vulnerable due to a missing capability check in multiple functions, enabling authenticated attackers with Subscriber-level access (and above) to perform a destr...
com.github.vzakharchenko:chillispot-radius-plugin (>=1.4.10 <=1.4.11), com.github.vzakharchenko:cisco-radius-plugin (>=1.4.10 <=1.4.11) +21 more potentially affected by CVE-2024-5967 via org.keycloak:keycloak-ldap-federation (>=1.0-beta-4 <=22.0.1)
org.keycloak:keycloak-ldap-federation MAVEN version =1.0-beta-4, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =0.1.0, =0.2, =1.0-beta-4, =20.0.0, =20.0.0, =21.1.0, =22.0.1 and more Source cves: CVE-2024-5967 Source advisory: OSV:GHSA-C25H-C27Q-5QPV...
CVE-2024-35757
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in 5 Star Plugins Easy Age Verify allows Stored XSS. This issue affects Easy Age Verify: from n/a through 1.8.2...
CVE-2024-35757 WordPress Easy Age Verify plugin <= 1.8.2 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in 5 Star Plugins Easy Age Verify allows Stored XSS. This issue affects Easy Age Verify: from n/a through 1.8.2...
Wordfence Intelligence Weekly WordPress Vulnerability Report (June 10, 2024 to June 16, 2024)
Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $10,400 for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest...
CVE-2023-40004 Unauth. Access Token Manipulation vulnerability in multiple ServMask WordPress plugins
Missing Authorization vulnerability in ServMask All-in-One WP Migration Box Extension, ServMask All-in-One WP Migration OneDrive Extension, ServMask All-in-One WP Migration Dropbox Extension, ServMask All-in-One WP Migration Google Drive Extension. This issue affects All-in-One WP Migration Box...
CVE-2023-48761
Missing Authorization vulnerability in Crocoblock JetElements For Elementor. This issue affects JetElements For Elementor: from n/a through 2.6.13...
Oracle Linux 8 : container-tools:ol8 (ELSA-2024-3968)
The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-3968 advisory. aardvark-dns 2:1.10.0-1 - update to https://github.com/containers/aardvark-dns/releases/tag/v1.10.0 - Related: Jira:RHEL-2110 2:1.9.0-1 - update to...
CVE-2024-5899
When the Bazel Plugin in IntelliJ imports a project using either "import project" or "Auto import", the dialog for trusting the project is not displayed. This comes from the fact that both call the method ProjectBuilder.createProject which then calls ProjectManager.getInstance.createProject. This...
container-tools:ol8 bug fix and enhancement update
aardvark-dns 2:1.10.0-1 - update to https://github.com/containers/aardvark-dns/releases/tag/v1.10.0 - Related: Jira:RHEL-2110 2:1.9.0-1 - update to https://github.com/containers/aardvark-dns/releases/tag/v1.9.0 - Related: Jira:RHEL-2110 2:1.8.0-1 - update to...
OPENSUSE-SU-2024:14005-1 gstreamer-plugins-base-1.24.0-2.1 on GA media
These are all security issues fixed in the gstreamer-plugins-base-1.24.0-2.1 package on the GA media of openSUSE Tumbleweed...
OPENSUSE-SU-2024:13505-1 gstreamer-plugins-bad-1.22.7-5.1 on GA media
These are all security issues fixed in the gstreamer-plugins-bad-1.22.7-5.1 package on the GA media of openSUSE Tumbleweed...
OPENSUSE-SU-2024:10689-1 cni-plugins-0.9.1-1.3 on GA media
These are all security issues fixed in the cni-plugins-0.9.1-1.3 package on the GA media of openSUSE Tumbleweed...
OPENSUSE-SU-2024:11782-1 gstreamer-plugins-bad-1.18.5-5.1 on GA media
These are all security issues fixed in the gstreamer-plugins-bad-1.18.5-5.1 package on the GA media of openSUSE Tumbleweed...
OPENSUSE-SU-2024:11778-1 gstreamer-plugins-good-1.18.5-3.1 on GA media
These are all security issues fixed in the gstreamer-plugins-good-1.18.5-3.1 package on the GA media of openSUSE Tumbleweed...
OPENSUSE-SU-2024:13089-1 gstreamer-plugins-ugly-1.22.5-2.1 on GA media
These are all security issues fixed in the gstreamer-plugins-ugly-1.22.5-2.1 package on the GA media of openSUSE Tumbleweed...
OPENSUSE-SU-2024:12513-1 cni-plugins-1.1.1-2.1 on GA media
These are all security issues fixed in the cni-plugins-1.1.1-2.1 package on the GA media of openSUSE Tumbleweed...