Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

A week in security (January 1 - 8)

Categories: News Tags: Lock and Code S04E01 Tags: LastPass breach Tags: Okta breach Tags: VPN Tags: Synology Tags: fake Flipper Zero Tags: cyber insurance Tags: Wordpress plugin Tags: Twitter data dump Tags: Twitter The most interesting security related news from the week of January 1 to 8. (Read more...) The post A week in security (January 1 - 8) appeared first on Malwarebytes Labs.

Malwarebytes
#ios#android#mac#windows#wordpress
Malware targets 30 unpatched WordPress plugins

Categories: News Tags: WordPress Tags: exploit Tags: vulnerability Tags: plugin Tags: theme Tags: update Tags: linux malware Tags: backdoor It's time to check your website is up to date. (Read more...) The post Malware targets 30 unpatched WordPress plugins appeared first on Malwarebytes Labs.

CVE-2023-0088: swifty-page-manager.php in swifty-page-manager/trunk – WordPress Plugin Repository

The Swifty Page Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on several AJAX actions handling page creation and deletion among other things. This makes it possible for unauthenticated attackers to invoke those functions, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-0087: Swifty Page Manager <= 3.0.1

The Swifty Page Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘spm_plugin_options_page_tree_max_width’ parameter in versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVE-2023-0086: JetWidgets for Elementor <= 1.0.12

The JetWidgets for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.12. This is due to missing nonce validation on the save() function. This makes it possible for unauthenticated attackers to to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can be used to enable SVG uploads that could make Cross-Site Scripting possible.

Oracle Database Vault Metadata Exposure

Oracle Database versions 12.1.0.2, 12.2.0.1, 18c, and 19c suffer from a vault metadata exposure vulnerability.

CVE-2015-10013: Update for xss vulnerability, https://make.wordpress.org/plugins/2015… · WebDevStudios/taxonomy-switcher@e1a0d99

A vulnerability was found in WebDevStudios taxonomy-switcher Plugin up to 1.0.3. It has been classified as problematic. Affected is the function taxonomy_switcher_init of the file taxonomy-switcher.php. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 1.0.4 is able to address this issue. It is recommended to upgrade the affected component. VDB-217446 is the identifier assigned to this vulnerability.

CVE-2023-22622: WordPress/wp-cron.php at dca7b5204b5fea54e6d1774689777b359a9222ab · WordPress/WordPress

WordPress through 6.1.1 depends on unpredictable client visits to cause wp-cron.php execution and the resulting security updates, and the source code describes "the scenario where a site may not receive enough visits to execute scheduled tasks in a timely manner," but neither the installation guide nor the security guide mentions this default behavior, or alerts the user about security risks on installations with very few visits.

WordPress Sites Under Attack from Newly Found Linux Trojan

Researchers who discovered the backdoor Linux malware say it may have been around for more than three years — and it targets 30+ plug-in bugs.

Oracle DBMS_REDACT Dynamic Data Masking Bypass

Proof of concept overview on how the DBMS_REDACT Dynamic Data Masking security feature in Oracle can be bypassed. Affected versions include 19c and 21c.