Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

Deserialized web security roundup: Twitter 2FA backlash, GoDaddy suffers years-long attack campaign, and XSS Hunter adds e2e encryption

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

PortSwigger
Open in Source
#xss#vulnerability#web#apple#google#dos#apache#nodejs#js#git#wordpress#rce#ldap#pdf#oauth#auth#chrome#ssl
CVE-2023-26326: Insecure Deserialization in BuddyForms WordPress Plugin

The BuddyForms WordPress plugin, in versions prior to 2.7.8, was affected by an unauthenticated insecure deserialization issue. An unauthenticated attacker could leverage this issue to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present.

CVE-2023-24415: WordPress ChatBot plugin <= 4.2.8 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in QuantumCloud ChatBot ? plugin <= 4.2.8 versions.

Attackers Flood NPM Repository with Over 15,000 Spam Packages Containing Phishing Links

In what's a continuing assault on the open source ecosystem, over 15,000 spam packages have flooded the npm repository in an attempt to distribute phishing links. "The packages were created using automated processes, with project descriptions and auto-generated names that closely resembled one another," Checkmarx researcher Yehuda Gelb said in a Tuesday report. "The attackers referred to retail

CVE-2023-0942: html-admin-setting-screen.php in woocommerce-for-japan/trunk/includes/admin/views – WordPress Plugin Repository

The Japanized For WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tab’ parameter in versions up to, and including, 2.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Multilingual skimmer fingerprints 'secret shoppers' via Cloudflare endpoint API

Categories: Threat Intelligence Magecart threat actors continue to go after e-commerce sites while also collecting data points from fake customers. (Read more...) The post Multilingual skimmer fingerprints 'secret shoppers' via Cloudflare endpoint API appeared first on Malwarebytes Labs.

CVE-2020-36656

The Spectra WordPress plugin before 1.15.0 does not sanitize user input as it reaches its style HTML attribute, allowing contributors to conduct stored XSS attacks via the plugin's Gutenberg blocks.

CVE-2023-0453: Superio – Job Board WordPress Theme

The WP Private Message WordPress plugin (bundled with the Superio theme as a required plugin) before 1.0.6 does not ensure that private messages to be accessed belong to the user making the requests. This allowing any authenticated users to access private messages belonging to other users by tampering the ID.