Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Eggemplo Gestion-Pymes plugin <= 1.5.6 versions.

**Solution**

 No fix

No patched version is available.

Lokesh Dachepalli discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Gestion-Pymes Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-38397: WordPress Gestion-Pymes plugin <= 1.5.6 - Cross Site Scripting (XSS) vulnerability - Patchstack

A new information malware strain called Statc Stealer has been found infecting devices running Microsoft Windows to siphon sensitive personal and payment information.
"Statc Stealer exhibits a broad range of stealing capabilities, making it a significant threat," Zscaler ThreatLabz researchers Shivam Sharma and Amandeep Kumar said in a technical report published this week.
"It can steal

A new information malware strain called **Statc Stealer** has been found infecting devices running Microsoft Windows to siphon sensitive personal and payment information.

"Statc Stealer exhibits a broad range of stealing capabilities, making it a significant threat," Zscaler ThreatLabz researchers Shivam Sharma and Amandeep Kumar said in a technical report published this week.

"It can steal sensitive information from various web browsers, including login data, cookies, web data, and preferences. Additionally, it targets cryptocurrency wallets, credentials, passwords, and even data from messaging apps like Telegram."

Written in C++, the malicious stealer finds its way into victim systems when potential victims are tricked into clicking on seemingly innocuous ads, with the stealer imitating an MP4 video file format on web browsers like Google Chrome.

The first-stage payload, while dropping and executing a decoy PDF installer, also stealthily deploys a downloader binary that proceeds to retrieve the stealer malware from a remote server via a PowerShell script.

The stealer features sophisticated checks to inhibit sandbox detection and reverse engineering analysis, and establishes connections with a command-and-control (C&C) server to exfiltrate the harvested data using HTTPS.

One of the anti-analysis includes a comparison of the file names to inspect for any discrepancies and halt its execution, if found. Targeted web browsers include Google Chrome, Microsoft Edge, Mozilla Firefox, Brave, Opera, and Yandex Browser.

"The significance of Statc Stealer's exfiltration technique lies in its potential to steal sensitive browser data and send it securely to its C&C server," the researchers said. "This allows the malware to harvest valuable information, such as login credentials and personal details, for malicious purposes like identity theft and financial fraud."

The findings come as eSentire published an analysis of an updated version of Raccoon Stealer, which had its version 2.1 released earlier this February.

The authors of Raccoon Stealer temporarily halted work on the malware last year following the arrest of Mark Sokolovsky in March 2022, who was exposed as one of the leading developers after he made the fatal mistake of linking a Gmail account he used to sign up for a cybercrime forum under the alias Photix to an Apple iCloud account, thus revealing his real-world identity.

"The updated version includes features such as Signal Messenger data collection, cleaning from Defender detection (likely changing the code, obfuscation to avoid detections), and auto brute-forcing for crypto wallets," eSentire noted last week.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Statc Stealer Malware Emerges: Your Sensitive Data at Risk

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Noël Jackson Art Direction plugin <= 0.2.4 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Found this useful? Thank Yuki Haruma for reporting this vulnerability. Buy a coffee ☕

Yuki Haruma discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Art Direction Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-37983: WordPress Art Direction plugin <= 0.2.4 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Sk. Abul Hasan Animated Number Counters plugin <= 1.6 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank yuyudhn for reporting this vulnerability. Buy a coffee ☕

yuyudhn discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Animated Number Counters Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-24393: WordPress Animated Number Counters plugin <= 1.6 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Spider Teams ApplyOnline plugin <= 2.5 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Found this useful? Thank yuyudhn for reporting this vulnerability. Buy a coffee ☕

yuyudhn discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress ApplyOnline – Application Form Builder and Manager Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-24391: WordPress ApplyOnline – Application Form Builder and Manager plugin <= 2.5 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Swashata WP Category Post List Widget plugin <= 2.0.3 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Found this useful? Thank Lana Codes for reporting this vulnerability. Buy a coffee ☕

Lana Codes discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WP Category Post List Widget Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-23828: WordPress WP Category Post List Widget plugin <= 2.0.3 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Vladimir Statsenko Terms descriptions plugin <= 3.4.4 versions.

**Solution**

 Fixed

Update the WordPress Terms descriptions plugin to the latest available version (at least 3.4.5).

Kindaichi Hiro discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Terms descriptions Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 3.4.5.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-28779: WordPress Terms descriptions plugin <= 3.4.4 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Teplitsa of social technologies Leyka plugin <= 3.30.2 versions.

**Solution**

 Fixed

Update the WordPress Leyka plugin to the latest available version (at least 3.30.3).

Phd discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Leyka Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 3.30.3.

**Other vulnerabilities in this plugin**

 0 present

 5 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-39314: WordPress Leyka plugin <= 3.30.2 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

By Habiba Rashid
Operating from Europe, Lolek Hosted offered services that shielded clients' identities and turned a blind eye to the content they posted.
This is a post from HackRead.com Read the original post: Feds Seize Bulletproof Hosting Service ”Lolek Hosted”

1.  **Lolek Hosted, a prominent bulletproof hosting provider, has been dismantled in a coordinated operation by US and Polish authorities.**
2.  **The joint effort aimed to curb cybercriminals’ access to crucial tools for malicious activities by targeting the hosting platform.**
3.  **The takedown was marked by a banner on the seized website displaying logos of the FBI and IRS-CI, confirming the seizure.**
4.  **Both US and Polish authorities, along with law enforcement agencies, played vital roles in the operation, though details remain undisclosed.**
5.  **This action aligns with a broader trend of international law enforcement agencies intensifying efforts to dismantle cybercriminal networks and their supportive platforms.**

In a significant blow to cybercriminals’ anonymous infrastructure, authorities from the United States and Poland successfully dismantled the notorious bulletproof hosting provider, Lolek Hosted, this week. The joint effort aims to curtail cybercriminals’ unfettered access to critical tools for carrying out malicious activities.

As of the early hours of Tuesday, visitors to the Lolek Hosted website were met with a banner prominently displaying the logos of the Federal Bureau of Investigation (FBI) and the Internal Revenue Service – Criminal Investigation (IRS-CI). The banner stated:

> “This domain has been seized by the Federal Bureau of Investigation and Internal Revenue Service – Criminal Investigation as part of a coordinated law enforcement action taken against Lolek Hosted.”

The operation also saw the active involvement of the U.S. Attorney’s Office for the Middle District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice.

Domain seizure notice uploaded by authorities (Screenshot: Hackread.com)

Additionally, Polish authorities played a crucial role, with significant support provided by the Regional Prosecutor’s Office in Katowice and the Central Bureau for Combating Cybercrime in Krakow.

An official spokesperson from the IRS confirmed the legitimacy of the seizure notice, affirming its role in the takedown. However, both the FBI and Polish authorities refused to provide any details regarding the seizure.

Lolek Hosted, a widely used bulletproof hosting provider, has been operating since 2009 and has established itself as a key player in the realm of anonymous hosting platforms.

Operating from a European data center, the company offered services that shielded clients’ identities and turned a blind eye to the content they posted. This approach made bulletproof hosting services a haven for criminals seeking to disseminate malware, orchestrate botnet attacks, and execute various forms of cybercrime and fraud.

Archive view of the now seized Lolek Hosted domain (Screenshot: Hackread.com)

In recent years, authorities have escalated their efforts to dismantle bulletproof hosting services and other platforms aiding cybercrime by bringing the individuals responsible to justice. Notable cases include the seizure of DoubeVPN, the takedown of the infamous Safe-Inet VPN service, and the INTERPOL’s collaborative effort to dismantle the ’16shop’ phishing platform, resulting in arrests.

The joint operation involving INTERPOL, Indonesian, Japanese, and US authorities, as well as private sector partners, dismantled the ’16shop’ phishing-as-a-service platform. The platform offered phishing kits to hackers, enabling email scams to steal sensitive information from victims. 

Nevertheless, these joint efforts serve as a clear indicator that law enforcement agencies worldwide are intensifying their efforts to dismantle the foundations of cybercriminal networks, leaving no safe haven for those seeking to exploit the digital realm for illicit gains.

1.  13 Domains Linked to DDoS-For-Hire Services Seized
2.  NetWire Malware Site and Server Seized, Admin Arrested
3.  Researcher Exposes Crypto Scam Network of 300 Domains
4.  7 Domains Used in Pig Butchering Cryptocurrency Scam Seized
5.  Seized: 9 Crypto Laundering Sites Used by Ransomware Gangs

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Feds Seize Bulletproof Hosting Service ”Lolek Hosted”

The EmbedPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'embedpress_calendar' shortcode in versions up to, and including, 3.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Tag

#web