AnyMailing Joomla Plugin is vulnerable to stored cross site scripting (XSS) in templates and emails of AcyMailing, exploitable without authentication when access is granted to the campaign's creation on front-office. This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0.

*   **AcyMailing 5.10.18**
    
    December 10, 2020
    
    **Improvements & fixes**
    
*   **AcyMailing 6.19.3**
    
    December 18, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.19.2**
    
    December 10, 2020
    
    **Improvements**
    
    *   New button to be redirected on the wordpress support of AcyMailing
    
    **Bug fixes**
    
*   **AcyMailing 6.19.1**
    
    December 9, 2020
    
    **Bug fixes**
    
*   **AcyMailing 5.10.17**
    
    December 2, 2020
    
    **Improvements & fixes**
    
*   **AcyMailing 6.19.0**
    
    December 1, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.18.2**
    
    November 12, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.18.0**
    
    November 9, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.17.1**
    
    October 28, 2020
    
    **Bug fixes**
    
    *   Fixed date for scheduled campaign showing with the timezone
    
*   **AcyMailing 6.17.0**
    
    October 19, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 5.10.16**
    
    October 15, 2020
    
    **Features**
    
    *   A new plugin lets you restrict the available fields when importing users from the front-end
    
    **Improvements & fixes**
    
*   **AcyMailing 6.16.4**
    
    October 8, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.16.3**
    
    October 7, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.16.2**
    
    October 1, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.16.1**
    
    September 29, 2020
    
    **Bug fixes**
    
    *   Hide php warning from other plugins
    
*   **AcyMailing 6.16.0**
    
    September 28, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.15.1**
    
    Septempber 9, 2020
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.15.0**
    
    September 7, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.14.1**
    
    August 19, 2020
    
    **Improvements**
    
    *   Remove check version in the starter version
    
    **Bug fixes**
    
*   **AcyMailing 6.14.0**
    
    August 17, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 5.10.15**
    
    August 7, 2020
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.13.3**
    
    August 3, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.13.2**
    
    July 30, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.13.1**
    
    July 29, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.13.0**
    
    July 27, 2020
    
    **New features**
    
    *   New design and UX for listing toolbar
    *   Added the possibility to create a list on the import in the list selection modal
    *   Added settings for the following add-ons: article, DOCman, DPcalendar, Easyblog, Easyprofile, EventBooking, FlexiContent, Hikashop, ICagenda, JDownloads, JEvent, K2, RSEventPro, RSS, Seblod, Virtumart
    *   Added settings for the following add-ons: post, page, RSS, The Event Calendar, Woocommerce
    *   New Giphy integration in the drag and drop editor
    *   Added the possibility to create custom view for each add-on to override the content inserted in the drag and drop editor
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.12.1**
    
    July 27, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.12.0**
    
    July 6, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.11.1**
    
    June 17, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.11.0**
    
    June 15, 2020
    
    **New features****Improvements**
    
    *   You can now add a message at the beginning of emails sent as tests
    *   Better display for the dynamic content insertion options (insertion of site articles in an email for example)
    *   The emails listing has been re-made: the "Campaigns" menu is renamed into "Emails" and the listing show four types of email
    *   The user listing has been improved, the data is displayed in a better way, and you can filter users by subscription
    *   The email creation has been improved, you can now pre-select the type of email you want to create (campaign / auto / scheduled / welcome / unsubscribe)
    *   You can now Unsubscribe / re-subscribe for all the lists at a time in the user edition page
    *   The bounce rule creation page has been improved and a presentation of the bounce handling feature has been added
    *   New export button on the lists listing to export subscribers
    *   The custom fields edition page has been redesigned and simplified
    *   The lists listing page has been improved and more information has been added
    *   New description field for lists, it will be added on the profile page as a tooltip in a future release
    *   The user "Source" is now easier to understand
    *   Cancel buttons added in various locations (import / export / mail edition...)
    *   New full translation in Japanese, Lithuanian, Spanish
    *   More translations in Catalan, Czech, Dutch, German, German (Switzerland), Norwegian (Bokmål), Polish, Romanian, Slovenian, Swedish
    
    **Bug fixes**
    
*   **AcyMailing 6.10.4**
    
    May 13, 2020
    
    **Improvements**
    
    *   PHP 7.4 compatibility
    *   Much easier way to attach a site with a license in the configuration
    *   The length of the "Email preview line" option is now limited to 255 characters
    *   The "Every week on Monday, Friday" trigger now takes the site's timezone into account in automations and periodic campaigns
    *   New security added on the custom fields names and unique code generation
    *   Better custom fields migration from the v5
    *   The shared servers email addresses are now handled in the bounce handling
    *   A new "revealonline" CSS class is now available, to hide something in the receiver's mailbox and show it on the online version
    *   New full Serbian translation
    *   Translation update and corrections for Danish, German, Finnish, French, Norwegian, Romanian, Russian, Slovenian, Swedish, Turkish and Ukrainian
    
    **Bug fixes**
    
*   **AcyMailing 5.10.14**
    
    May 13, 2020
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.10.2**
    
    April 21, 2020
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.10.1**
    
    April 7, 2020
    
    **Bug fixes**
    
*   **AcyMailing 6.10.0**
    
    April 6, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.9.2**
    
    March 23, 2020
    
    Vulnerability on file upload fixed when having admin access to AcyMailing pages. Any wrong file uploaded will be cleaned during the update process.  
    We strongly recommend to update AcyMailing as soon as possible, more information will be added in the related CVE
    
    **Bug fixes**
    
*   **AcyMailing 6.9**
    
    March 9, 2020
    
    **Improvements**
    
    *   The user import choices are now stored
    *   Greatly improved performances on the click tracking system, emails should be sent much faster
    *   Added the "hideonline" CSS class on emails. When added on an element, it will be hidden on the archive and "View it online" link
    *   Added the click statistics on the campaigns listing
    *   The detailed statistics are now no longer ordered randomly if the sending date is the same for every user
    *   You can now search multiple words in the dropdown fields (like the mail selection dropdown in the statistics page)
    *   Improved the "Check database integrity" feature to clean data from some AcyMailing tables, and translate result
    *   Improved the way custom fields are displayed when inserted in an email, for dropdown, radio and checkbox fields
    *   The welcome email is now not sent when the user isn’t active
    *   Better display for the "Send settings" step of campaigns
    *   Queued emails are now automatically removed for inactive users two days after the sending date
    *   \[addon\] New add-on for ICagenda, event insertion and user filter by event subscription
    *   \[addon\] Added compatibility with HikaShop 4
    *   Added multi-language compatibility when inserting articles in emails (for the link applied on the title)
    *   Tracked links are not processed by the sef system anymore, for special sef extension compatibility
    *   Improved the router for a better compatibility with the Joomla sef system on unsubscribe and online links, for multi-language sites
    *   AcyMailing will now instantly know it when you attached your website to your license when trying to update in WordPress
    *   A better url is used for the "Terms and conditions" post
    *   Code adaptation for WordPress standards
    *   Added compatibility with the plugin Schema and structured data for wp
    *   More translations for Chinese, Norwegian, Romanian, Slovenian
    *   Full Swedish translation
    
    **Bug fixes**
    
*   **AcyMailing 5.10.13**
    
    March 3, 2020
    
    **Modifications**
    
*   **AcyMailing 6.8**
    
    February 3, 2020
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.7**
    
    January 13, 2020
    
    **New features****Improvements**
    
    *   Editor: auto-hide the test zone if the email is successfully sent
    *   Editor: the title is now added on inserted images
    *   Editor: when inserting a separator, a new option lets you add some space below and above
    *   Editor: the drag & drop editor now opens in full screen mode
    *   Better interface for the "Test" step of the Campaign's edition page
    *   Improved the AcyMailing left menu when the window is resized
    *   Improved the AcyMailing header's display on small screens and tablets
    *   "Cancel" buttons have been added on multiple edition pages (List, user, bounce rule, custom field...)
    *   The add-ons are now ordered alphabetically for an easier search
    *   Improved performances on style and script loading for each AcyMailing page
    *   The FontAwesome library isn't loaded anymore, used fonts are now embed in AcyMailing to improve the page load speed
    *   New option in the mail configuration to disable automatic hyphens in paragraphs for sent emails
    *   New option to show the site's header on the unsubscribe page
    *   The "Bounce email address" option is now available in the free version in the "Mail settings" tab of the configuration
    *   In the bounce handling system, you can now connect to a mailbox using the "Pop3 without imap extension" method
    *   The "source" is automatically completed when a new AcyMailing user is created
    *   Automations: added a confirmation when deleting an email in the "Add an email in the queue" action
    *   Translation improvements: German, French, Hungarian, Norwegian, Russian, Turkish, Ukrainian
    *   New full translation: Slovenian
    
    **Bug fixes**
    
*   **AcyMailing 5.10.12**
    
    January 10, 2020
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.6.0**
    
    December 2, 2019
    
    **New features****Improvements**
    
    *   All the add-ons now have options for the automatic campaigns to automatically send the new content to your users
    *   Better alignment for Follow buttons in Outlook 2007 - 2010
    *   Better UX for the list's edition page
    *   The shown statistics numbers are now consistent in the campaigns listing and the statistics page
    *   In some mail clients, a 1px border may appear around your emails, this is no longer the case
    *   The mobile preview has been inproved, and no more double scrollbar
    *   The default templates have been remade to include this version's improvements
    *   The campaign's settings are now applied on the dynamic content inserted in your emails (like the site's articles/posts)
    *   Improved the campaigns edition page display and removed the hint popup
    *   Compatibility with the GDPR plugin
    *   The Add-ons menu is now translated in the Joomla menu
    *   The "Price text" field is now taken into account in the EventBooking add-on
    *   New partial translations, imported from AcyMailing 5: Arabic, Bosnian, Bulgarian, Catalan, Chinese, Croatian, Estonian, Finnish, Galician, Hebrew, Icelandic, Indonesian, Japanese, Latvian, Lithuanian, Macedonian, Persian, Serbian, Sindhi, Swahili, Thai, Urdu, Vietnamese, Welsh
    
    **Bug fixes**
    
*   **AcyMailing 5.10.11**
    
    November 27, 2019
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.5.0**
    
    November 5, 2019
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.4.0**
    
    October 14, 2019
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.3.1**
    
    September 25, 2019
    
    **Bug fixes**
    
*   **AcyMailing 6.3.0**
    
    September 23, 2019
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.2.2**
    
    August 30, 2019
    
    This is a patch release to address a security issue on the file upload custom field. We highly recommend to update to the v6.2.2 as soon as possible for websites matching all of the following conditions:
    
    *   The Enterprise edition of AcyMailing is used
    *   The version 6.2.0 or 6.2.1 is used
    *   A "File" custom field is created and visible for the users in a front-end subscription form (the module on Joomla or the widget on WordPress)
    *   An other custom field other than a "File" field must be displayed on the form, in addition to the "Name", "Email" and "File" fields
    
    If your website doesn't match one of these conditions it is not concerned by the security issue, but we still recommend you to keep AcyMailing updated when a new version is available.
    
*   **AcyMailing 5.10.10**
    
    August 28, 2019
    
    **Improvements and bug fixes**
    
*   **AcyMailing 6.2.1**
    
    August 27, 2019
    
    **Improvements and bug fixes**
    
*   **AcyMailing 6.2.0**
    
    August 20, 2019
    
    **New features and improvements****Bug fixes**
    
*   **AcyMailing 6.1.10**
    
    August 5, 2019
    
    **Bug fixes**
    
*   **AcyMailing 5.10.9**
    
    July 31, 2019
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 6.1.9**
    
    July 30, 2019
    
    **New features****Improvements****Bug fixes**
    
*   **AcyMailing 6.1.8**
    
    July 15, 2019
    
    There aren't much modifications in this version, but it had to be released as the "Send settings" step of the campaigns edition workflow could be blocked in some cases when scheduling the campaign, saving as draft then returning on this step.
    
    **Modifications**
    
*   **AcyMailing 6.1.7**
    
    July 8, 2019
    
    **Improvements****Bug fixes****Integrations**
    
*   **AcyMailing 6.1.6**
    
    June 18, 2019
    
    This version is mainly an improvements and maintenance release, mainly focusing on the editor and sent emails.
    
    **Improvements****Bug fixes**
    
*   **AcyMailing 5.10.8**
    
    June 18, 2019
    
    **Improvements****Bug fixes****Plugins**
    
*   **AcyMailing 6.1.5**
    
    June 3, 2019
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.1.4**
    
    April 23, 2019
    
    **Features****Improvements****Bug fixes**
    
*   **AcyMailing 6.1.3**
    
    April 2, 2019
    
*   **AcyMailing 5.10.7**
    
    March 25, 2019
    
*   **AcyMailing 5.10.6**
    
    March 18, 2019
    
*   **AcyMailing 6.1.2**
    
    March 11, 2019
    
*   **AcyMailing 6.1.1**
    
    February 13, 2019
    
*   **AcyMailing 6.0.4**
    
    February 6, 2019
    
*   **AcyMailing 5.10.5**
    
    January 10, 2019
    
*   **AcyMailing 6.0.3**
    
    January 9, 2019
    
*   **AcyMailing 6.0.2**
    
    December 17, 2018
    
*   **AcyMailing 6.0.1**
    
    November 28, 2018
    
*   **AcyMailing 6 Beta**
    
    November 19, 2018
    
*   **AcyMailing 6 Alpha 3**
    
    October 2, 2018
    
*   **AcyMailing 6 Alpha 2**
    
    August 29, 2018
    
*   **AcyMailing 6 Alpha 1**
    
    August 22, 2018

CVE-2023-28733: Changelog - AcyMailing

Missing access control in AnyMailing Joomla Plugin allows to list and access files containing sensitive information from the plugin itself and access to system files via path traversal, when being granted access to the campaign's creation on front-office. This issue affects AnyMailing Joomla Plugin in versions below 8.3.0.

**Advisory CVE-2023-28732, Missing access control affecting the AcyMailing plugin for Joomla**

**CVE ID**: CVE-2023-28732 

**Vendor**: AcyMailing 

**Product**: Newsletter Plugin for Joomla 

**Title**: Missing access control affecting the AcyMailing plugin for Joomla 

**Vulnerable Versions**: < 8.3.0 

**Problem Type (CWE)**:  

*   CWE-20 Improper Input Validation 
*   CWE-200 Exposure of Sensitive Information to an Unauthorized Actor 

**Impacts (CAPEC)**:  

*   CAPEC-115 Authentication Bypass 
*   CAPEC-126 Path Traversal 

**CVSS 3.1**: 

*   6.5 Medium 
*   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 

**Source Repository (OSS)**: https://github.com/acyba/acymailing/  

**References**:  

*   https://www.acymailing.com/change-log/  
*   https://github.com/acyba/acymailing/releases/tag/v8.3.0 
*   https://www.bugbounty.ch/advisories/CVE-2023-28732  

**CVE Description**: 

Introduction: 

AcyMailing is a newsletter and email marketing plugin available for Joomla and WordPress. 

The vulnerability: 

Missing access control allows to list and access files containing sensitive information from the plugin itself and access to system files due to path traversal, when being granted access to the campaign’s creation on front-office. 

This issue affects AnyMailing Joomla Plugin in versions below 8.3.0. 

The steps to exploit the vulnerability: 

*   Campaign creation access needs to be enabled on the front-office, the following steps can then be done unauthenticated 
*   Manipulate the URL to list and get access to the logs of the plugin itself, leaking PII of users 
*   Manipulate the URL to list and get access to system files (e.g. in the root directory of Joomla). Only allowed file-types can be listed and accessed 
*   Upload arbitrary files. Only allowed file-types can be uploaded 

How to check for exploitation: 

*   Check access logs for requests in the form of “/component/acym/frontfile.html?currentFolder=media/com\_acym/upload/logs” or suspicious access to files in “/media/com\_acym/upload/logs/” 
*   Check access logs for requests in the form of “/component/acym/frontfile.html?currentFolder=media/com\_acym/upload/logs/../../../..” or suspicious access to allowed file-types on the entire system accessible by the user of the webserver 
*   Check for suspicious files uploaded in /media/com\_acym/upload/ 
*   Default allowed file-types are: zip, doc, docx, pdf, xls, txt, gzip, rar, jpg, jpeg, gif, xlsx, pps, csv, bmp, ico, odg, odp, ods, odt, png, ppt, swf, xcf, mp3, wma 

**Solution**: 

*   update to a fixed version (>= 8.3.0) 

**Timeline**: 

*   2023-02-01: reported 
*   2023-03-09: initial vendor notification 
*   2023-03-10: initial vendor response 
*   2023-03-20: release of fixed version 
*   2023-03-30: coordinated public disclosure 

**Credits**: 

*   Reporter: Raphaël Arrouas (“Xel”), on a bug bounty program of Bug Bounty Switzerland 
*   Coordinator: Bug Bounty Switzerland 

Diese Website verwendet Cookies, um Ihr Nutzererlebnis zu verbessern. Wir gehen davon aus, dass Sie damit einverstanden sind. Wenn nicht können sie die Cookie Einstellungen anpassen.  

  
  
Akzeptieren

CVE-2023-28732: CVE-2023-28732 - Bug Bounty Switzerland

AnyMailing Joomla Plugin is vulnerable to unauthenticated remote code execution, when being granted access to the campaign's creation on front-office due to unrestricted file upload allowing PHP code to be injected. This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0.

**Advisory CVE-2023-28731, Unauthenticated RCE affecting the AcyMailing plugin for Joomla**

**CVE ID**: CVE-2023-28731 

**Vendor**: AcyMailing 

**Product**: Newsletter Plugin for Joomla in the Enterprise version 

**Title**: Unauthenticated RCE affecting the AcyMailing plugin for Joomla 

**Vulnerable Versions**: < 8.3.0 

**Problem Type (CWE)**:  

*   CWE-20 Improper Input Validation 
*   CWE-434 Unrestricted Upload of File with Dangerous Type 

**Impacts (CAPEC)**: CAPEC-242 Code Injection 

**CVSS 3.1**:  

*   9.8 Critical 
*   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 

**References**:  

*   https://www.acymailing.com/change-log/  
*   https://www.bugbounty.ch/advisories/CVE-2023-28731  

**CVE Description:** 

Introduction: 

AcyMailing is a newsletter and email marketing plugin available for Joomla and WordPress. 

The vulnerability: 

Unrestricted upload of files allows PHP code to be injected, leading to unauthenticated remote code execution, when being granted access to the campaign’s creation on front-office. 

This issue affects AnyMailing Joomla Plugin in versions below 8.3.0. 

The steps to exploit the vulnerability: 

*   Campaign creation access needs to be enabled on the front-office, the following steps can then be done unauthenticated 
*   Editing an AcyMailing template and initiate sending a test email 
*   One of the resulting requests sent to the plugin sets a thumbnail, this request can be manipulated and accepts PHP code, which gets stored on the system 
*   The resulting PHP file is accessible and enables execution of the injected code 

How to check for exploitation: 

*   The thumbnails are stored in the following location: /media/com\_acym/images/thumbnails/ 
*   Signs of a successful exploitation would be the presence of PHP files in this directory 
*   Check for suspicious POST requests similar to “/index.php?option=com\_acym&tmpl=component&4f0877f7c82462a794cb5a042282dbf0=1&ctrl=frontmails&task=setNewThumbnail” 

**Solution**: 

*   update to a fixed version (>= 8.3.0) 

**Workaround**: 

*   Prevent the execution of PHP files in the thumbnail directory to prevent the injected code from being executed 

**Timeline**: 

*   2023-02-01: reported 
*   2023-03-09: initial vendor notification 
*   2023-03-10: initial vendor response 
*   2023-03-20: release of fixed version 
*   2023-03-30: coordinated public disclosure 

**Credits**: 

*   Reporter: Raphaël Arrouas (“Xel”), on a bug bounty program of Bug Bounty Switzerland 
*   Coordinator: Bug Bounty Switzerland 

Diese Website verwendet Cookies, um Ihr Nutzererlebnis zu verbessern. Wir gehen davon aus, dass Sie damit einverstanden sind. Wenn nicht können sie die Cookie Einstellungen anpassen.  

  
  
Akzeptieren

CVE-2023-28731: CVE-2023-28731 - Bug Bounty Switzerland

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Vova Anokhin WordPress Shortcodes Plugin — Shortcodes Ultimate plugin <= 5.12.6 versions.

**Solution**

Update the WordPress Shortcodes Ultimate plugin to the latest available version (at least 5.12.7).

Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Shortcodes Ultimate Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 5.12.7.

**6 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-25040: WordPress Shortcodes Ultimate plugin <= 5.12.6 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in OceanWP Ocean Extra plugin <= 2.1.2 versions.

**Solution**

Update the WordPress Ocean Extra plugin to the latest available version (at least 2.1.3).

Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Ocean Extra Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 2.1.3.

**9 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-24399: WordPress Ocean Extra plugin <= 2.1.2 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Labib Ahmed Image Hover Effects For WPBakery Page Builder plugin <= 4.0 versions.

**Solution**

Update the WordPress Image Hover Effects For WPBakery Page Builder plugin to the latest available version (at least 5.0).

Lana Codes discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Image Hover Effects For WPBakery Page Builder Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 5.0.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23681: WordPress Image Hover Effects For WPBakery Page Builder plugin <= 4.0 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Catchsquare WP Smart Preloader plugin <= 1.15 versions.

**Solution**

Update the WordPress WP Smart Preloader plugin to the latest available version (at least 1.15.1).

Rio Darmawan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WP Smart Preloader Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 1.15.1.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23675: WordPress WP Smart Preloader plugin <= 1.15 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in Team Heateor Fancy Comments WordPress plugin <= 1.2.10 versions.

**Solution**

Update the WordPress Fancy Comments WordPress plugin to the latest available version (at least 1.2.11).

Lana Codes discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Fancy Comments WordPress Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 1.2.11.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23670: WordPress Fancy Comments WordPress plugin <= 1.2.10 - Cross Site Scripting (XSS) vulnerability - Patchstack

Reflected Cross-Site Scripting (XSS) vulnerability in GTmetrix GTmetrix for WordPress plugin <= 0.4.5 versions.

**Solution**

Update the WordPress GTmetrix for WordPress plugin to the latest available version (at least 0.4.6).

Nguyen Xuan Chien discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress GTmetrix for WordPress Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 0.4.6.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23677: WordPress GTmetrix for WordPress plugin <= 0.4.5 - Cross Site Scripting (XSS) vulnerability - Patchstack

A new "comprehensive toolset" called AlienFox is being distributed on Telegram as a way for threat actors to harvest credentials from API keys and secrets from popular cloud service providers.
"The spread of AlienFox represents an unreported trend towards attacking more minimal cloud services, unsuitable for crypto mining, in order to enable and expand subsequent campaigns," SentinelOne security

Cloud Security / Cyber Threat

A new "comprehensive toolset" called **AlienFox** is being distributed on Telegram as a way for threat actors to harvest credentials from API keys and secrets from popular cloud service providers.

"The spread of AlienFox represents an unreported trend towards attacking more minimal cloud services, unsuitable for crypto mining, in order to enable and expand subsequent campaigns," SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News.

The cybersecurity company characterized the malware as highly modular and constantly evolving to accommodate new features and performance improvements.

The primary use of AlienFox is to enumerate misconfigured hosts via scanning platforms like LeakIX and SecurityTrails, and subsequently leverage various scripts in the toolkit to extract credentials from configuration files exposed on the servers.

Specifically, it entails searching for susceptible servers associated with popular web frameworks, including Laravel, Drupal, Joomla, Magento, Opencart, Prestashop, and WordPress.

Recent versions of the tool incorporate the ability to establish persistence on an Amazon Web Services (AWS) account and escalate privileges as well as automate spam campaigns through the compromised accounts.

Attacks involving AlienFox are said to be opportunistic, with the scripts capable of gathering sensitive data pertaining to AWS, Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Microsoft 365, Sendgrid, Twilio, Zimbra, and Zoho.

Two such scripts are AndroxGh0st and GreenBot, which were previously documented by Lacework and Permiso p0 Labs.

While Androxgh0st is designed to parse a configuration file for specific variables and pull out their values for follow-on abuse, GreenBot (aka Maintance) contains an "AWS persistence script that creates a new administrator account and deletes the hijacked legitimate account."

THN WEBINAR

Become an Incident Response Pro!

Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!

Don't Miss Out – Save Your Seat!

Maintance further incorporates licensing checks, suggesting that the script is being offered as a commercial tool, and the ability to perform reconnaissance on the web server.

SentinelOne said it identified three different variants of the malware (from v2 to v4) dating back to February 2022. A notable functionality of AlienFoxV4 is its ability to check if an email address is already linked to an Amazon.com retail account, and if not, create a new account using that address.

To mitigate threats posed by AlienFox, organizations are recommended to adhere to configuration management best practices and follow the principle of least privilege (PoLP).

"The AlienFox toolset demonstrates another stage in the evolution of cybercrime in the cloud," Delamotte said. "For victims, compromise can lead to additional service costs, loss in customer trust, and remediation costs."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#wordpress