Unyson < 2.7.27 - Cross Site Scripting
The plugin does not sanitise and escape the QUERY_STRING before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters. id: CVE-2022-2219 info: name: Unyson < 2.7.27 - Cross Site Scripting author: r3Y3r53 severity: high description:...
EUVD-2021-11779
Malware in sbrugna...
EUVD-2021-23464
Malware in sbrugna...
CVE-2025-54872 onion-site-template tor Secrets Baked Into Image
onion-site-template is a complete, scalable tor hidden service self-hosting sample. Versions which include commit 3196bd89 contain a baked-in tor image if the secrets were copied from an existing onion domain. A website could be compromised if a user shared the baked-in image, or if someone were...
CVE-2025-54872
The CVE-2025-54872 entry concerns onion-site-template, where versions including commit 3196bd89 embed a baked-in Tor image containing secrets copied from an onion domain. This creates a risk that a website could be compromised if the baked-in image is shared or if someone gains access to the user...
150,000 Sites Compromised by JavaScript Injection Promoting Chinese Gambling Platforms
An ongoing campaign that infiltrates legitimate websites with malicious JavaScript injects to promote Chinese-language gambling platforms has ballooned to compromise approximately 150,000 sites to date. "The threat actor has slightly revamped their interface but is still relying on an iframe...
WordPress Munk Sites 1.0.7 Cross Site Request Forgery
WordPress Munk Sites plugin versions 1.0.7 and below suffer from a cross site request forgery vulnerability that allows an adversary to trick an admin into installing arbitrary plugins. 🚀 CVE-2025-25101 - WordPress Munk Sites Plugin <= 1.0.7 - CSRF to Arbitrary Plugin Installation 📌 Overview...
Hackers Exploit Legitimate Websites to Deliver BadSpace Windows Backdoor
Legitimate-but-compromised websites are being used as a conduit to deliver a Windows backdoor dubbed BadSpace under the guise of fake browser updates. "The threat actor employs a multi-stage attack chain involving an infected website, a command-and-control (C2) server, in some cases a fake browser...
YARD's default template vulnerable to Cross-site Scripting in generated frames.html
Summary: The "frames.html" file within the YARD-generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. Details: The vulnerability stems from mishandling...
Ukrainian Hacker Suspected to be Behind "Free Download Manager" Malware Attack
The maintainers of Free Download Manager (FDM) have acknowledged a security incident dating back to 2020 that led to its website being used to distribute malicious Linux software. "It appears that a specific web page on our site was compromised by a Ukrainian hacker group, exploiting it to distribu...
Over 1 Million WordPress Sites Infected by Balada Injector Malware Campaign
Over one million WordPress websites are estimated to have been infected by an ongoing campaign to deploy malware called Balada Injector since 2017. The massive campaign, per GoDaddy's Sucuri, "leverages all known and recently discovered theme and plugin vulnerabilities" to breach WordPress sites...
Over 15,000 WordPress Sites Compromised in Malicious SEO Campaign
A new malicious campaign has compromised over 15,000 WordPress websites in an attempt to redirect visitors to bogus Q&A portals. "These malicious redirects appear to be designed to increase the authority of the attacker's sites for search engines," Sucuri researcher Ben Martin said in a report...
Security Vulnerabilities in Covert CIA Websites
Back in 2018, we learned that a covert system of websites that the CIA used for communications was compromised by, at least, China and Iran, and that the blunder caused a bunch of arrests, imprisonments, and executions. We're now learning that the CIA is still "using an irresponsibly secured system...
CVE-2021-37770
Nucleus CMS v3.71 is affected by a file upload vulnerability. The upload function can be abused to change the upload path to a directory that is not protected by an .htaccess file. An attacker then uploads their own .htaccess file containing the directive `AddType application/x-httpd-php .jpg`, so that Apache executes files with that extension as PHP. In this way, an attacker can upload a picture with...
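The post-exploitation artifact this CVE describes is a planted `.htaccess` inside an upload tree that maps an image extension to the PHP handler. The following scanner is an added example written for this page, not code from Nucleus CMS or from the CVE: it walks a directory, finds every `.htaccess`, and flags directives that turn non-PHP extensions into executable code or pull in attacker-controlled files. The sample files it creates under the system temp directory are constructed for the demonstration.

```php
<?php
// Added example: find .htaccess files under an upload root that re-enable PHP
// execution or remap extensions to PHP (the technique from CVE-2021-37770).
// Not code from Nucleus CMS; the sample files below are constructed.

// Directives that make Apache run arbitrary extensions as PHP, or that load
// attacker-controlled code before/after every request in that directory.
const DANGEROUS_PATTERNS = [
    '/^\s*AddType\s+application\/x-httpd-php/i',
    '/^\s*AddHandler\s+(application\/x-httpd-php|php\d*-script|fcgid-script)/i',
    '/^\s*SetHandler\s+(application\/x-httpd-php|php\d*-script)/i',
    '/^\s*php_value\s+auto_(prepend|append)_file/i',
    '/^\s*php_flag\s+engine\s+on/i',
];

/**
 * Return the offending lines of one .htaccess body, keyed by 1-based line number.
 */
function findDangerousDirectives(string $htaccess): array
{
    $hits = [];
    foreach (preg_split('/\R/', $htaccess) as $i => $line) {
        foreach (DANGEROUS_PATTERNS as $re) {
            if (preg_match($re, $line)) {
                $hits[$i + 1] = trim($line);
                break;
            }
        }
    }
    return $hits;
}

/**
 * Walk $root recursively and report every .htaccess containing a dangerous
 * directive. Returns [path => [lineno => line]].
 */
function scanUploads(string $root): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->getFilename() !== '.htaccess') {
            continue;
        }
        $hits = findDangerousDirectives((string) file_get_contents($file->getPathname()));
        if ($hits !== []) {
            $findings[$file->getPathname()] = $hits;
        }
    }
    return $findings;
}

// Constructed sample tree: a legitimate hardening .htaccess at the upload root
// (PHP disabled) and a planted one in a subdirectory that re-enables it for .jpg.
$root = sys_get_temp_dir() . '/htaccess-scan-' . getmypid();
mkdir("$root/media/2021", 0700, true);
file_put_contents("$root/.htaccess", "php_flag engine off\nRemoveHandler .php\n");
file_put_contents("$root/media/2021/.htaccess", "AddType application/x-httpd-php .jpg\n");

foreach (scanUploads($root) as $path => $hits) {
    foreach ($hits as $n => $line) {
        echo "$path:$n: $line\n";   // only media/2021/.htaccess is reported
    }
}
```

Run it as a cron job against the real upload root; the legitimate hardening file (`php_flag engine off`, `RemoveHandler .php`) is deliberately not flagged, so the scanner stays quiet on a correctly locked-down tree and only fires when a subdirectory re-enables execution.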
CVE-2021-24867
Numerous Plugins and Themes from the AccessPress Themes (aka Access Keys) vendor are backdoored due to their website being compromised. Only plugins and themes downloaded via the vendor website are affected, and those hosted on wordpress.org are not. However, all of them were updated or removed to...
CVE-2021-24867
CVE-2021-24867 relates to backdoored AccessPress Themes plugins/themes distributed via the vendor site (not from wordpress.org). The vulnerability was exploited in the wild to deploy web shells and site defacements, observed by Talos IR as part of initial access through exploitation of a WordPres...
WordPress 5.8.2 Stored XSS Vulnerability
WordPress is the world’s most popular content management system that, according to w3techs, is used by over 40% of all websites. This wide adoption makes it a top target for cyber criminals who seek to compromise high-traffic websites or infect as many web servers as possible. Its code is heavily...
Code injection
Unauthenticated Arbitrary Options Update vulnerability leading to full website compromise discovered in Image Hover Effects Ultimate versions <= 9.6.1 WordPress plugin...
CVE-2021-36888 WordPress Image Hover Effects Ultimate plugin <= 9.6.1 - Unauthenticated Arbitrary Options Update leading to full website compromise
Unauthenticated Arbitrary Options Update vulnerability leading to full website compromise discovered in Image Hover Effects Ultimate versions <= 9.6.1 WordPress plugin...
PT-2021-21398
Name of the Vulnerable Software and Affected Versions Image Hover Effects Ultimate versions prior to 9.6.1 Description The issue is an Unauthenticated Arbitrary Options Update vulnerability. This vulnerability can lead to a full website compromise. Recommendations For versions prior to 9.6.1,...
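"Unauthenticated arbitrary options update" is a recurring WordPress bug class: an AJAX handler reachable without login that passes a caller-chosen option name and value straight to `update_option()`. Because core options such as `users_can_register` and `default_role` live in the same table, that is enough to hand out administrator accounts, which is why these advisories say "full website compromise". The block below is an added illustration for this page, not code from Image Hover Effects Ultimate or Munk Sites; the `ihe_` hook names, option keys and sanitizers are invented. It shows the vulnerable shape next to a hardened handler, and the nonce check in the hardened version is also what closes the CSRF route described in the Munk Sites entry above (CVE-2025-25101).

```php
<?php
// Added illustration, not the plugins' own code. Hook names, option keys and
// the "ihe_" prefix are invented for the example.

// VULNERABLE SHAPE: registered on the nopriv hook (anonymous callers), no nonce,
// no capability check, and the caller picks both option name and value. A POST
// with option_name=users_can_register&option_value=1 followed by
// option_name=default_role&option_value=administrator makes every new signup
// an admin.
add_action('wp_ajax_nopriv_ihe_save_settings_vulnerable', 'ihe_save_settings_vulnerable');
add_action('wp_ajax_ihe_save_settings_vulnerable',        'ihe_save_settings_vulnerable');
function ihe_save_settings_vulnerable() {
    update_option($_POST['option_name'], $_POST['option_value']);
    wp_send_json_success();
}

// HARDENED SHAPE: logged-in users only (no nopriv hook), a nonce bound to this
// action so a forged cross-site request fails, an explicit capability check,
// and an allowlist so the handler can only touch its own options, each with a
// sanitizer appropriate to that key.
function ihe_sanitize_hex_color($value) {
    // Keep a strict #rrggbb form; anything else falls back to a safe default.
    return preg_match('/^#[0-9a-f]{6}$/i', (string) $value) ? $value : '#000000';
}

const IHE_ALLOWED_OPTIONS = [
    'ihe_animation_speed' => 'absint',                  // core helper: non-negative int
    'ihe_hover_color'     => 'ihe_sanitize_hex_color',  // defined above
];

add_action('wp_ajax_ihe_save_settings', 'ihe_save_settings_hardened');
function ihe_save_settings_hardened() {
    // Dies with HTTP 403 unless $_POST['nonce'] was minted for 'ihe_save_settings'.
    check_ajax_referer('ihe_save_settings', 'nonce');

    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    $name = isset($_POST['option_name']) ? sanitize_key(wp_unslash($_POST['option_name'])) : '';
    if (!array_key_exists($name, IHE_ALLOWED_OPTIONS)) {
        wp_send_json_error('unknown option', 400);   // core options can never be reached
    }

    $sanitize = IHE_ALLOWED_OPTIONS[$name];
    $value    = $sanitize(wp_unslash($_POST['option_value'] ?? ''));

    update_option($name, $value);
    wp_send_json_success(['option' => $name, 'value' => $value]);
}

// The admin page that calls this endpoint must send the matching token, e.g.
// wp_localize_script('ihe-admin', 'iheAjax', ['nonce' => wp_create_nonce('ihe_save_settings')]);
```

When reviewing a plugin for this class, grep for `wp_ajax_nopriv_`, `admin_post_nopriv_` and REST routes with `permission_callback => '__return_true'`, then follow each handler to any `update_option` whose first argument is not a literal: that is the pattern both the Image Hover Effects Ultimate and Munk Sites advisories describe.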