#wordpress

WP DSGVO Tools (GDPR) <= 3.1.23 had an AJAX action, ‘admin-dismiss-unsubscribe‘, which lacked a capability check and a nonce check and was available to unauthenticated users, and did not check the post type when deleting unsubscription requests. As such, it was possible for an attacker to permanently delete an arbitrary post or page on the site by sending an AJAX request with the “action” parameter set to “admin-dismiss-unsubscribe” and the “id” parameter set to the post to be deleted. Sending such a request would move the post to the trash, and repeating the request would permanently delete the post in question.

The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the logged_in_or_has_api_key function in the ~/OMAPI/RestApi.php file that can used to exploit inject malicious web scripts on sites with the plugin installed. This affects versions up to, and including, 2.6.4.

The Hashthemes Demo Importer Plugin <= 1.1.1 for WordPress contained several AJAX functions which relied on a nonce which was visible to all logged-in users for access control, allowing them to execute a function that truncated nearly all database tables and removed the contents of wp-content/uploads.

The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, as well as does not sanitise and escape them, which could allow attackers to a make logged in admin change them with a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload)

The Accept Donations with PayPal WordPress plugin before 1.3.1 offers a function to create donation buttons, which internally are posts. The process to create a new button is lacking a CSRF check. An attacker could use this to make an authenticated admin create a new button. Furthermore, one of the Button field is not escaped before being output in an attribute when editing a Button, leading to a Stored Cross-Site Scripting issue as well.

We look at a recent WordPress plugin compromise, explain what it is, and also what you have to do to ensure your blog and visitors are safe. Categories: Exploits and vulnerabilities Tags: api compromise key optinmonster redirect wordpress *( Read more... ( https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/update-your-optinmonster-wordpress-plugin-immediately/ ) )* The post Update your OptinMonster WordPress plugin immediately appeared first on Malwarebytes Labs.

One of the hands-on experts from our forums shares their advice on how to protect your data, security, and privacy. Categories: Malwarebytes news Tags: data privacy security tips *( Read more... ( https://blog.malwarebytes.com/malwarebytes-news/2021/10/tips-to-protect-your-data-security-and-privacy-from-an-hands-on-expert/ ) )* The post Tips to protect your data, security, and privacy from a hands-on expert appeared first on Malwarebytes Labs.

Shrootless is a vulnerability found in macOS that can bypass the System Integrity Protection by abusing inherited permissions. Categories: Exploits and vulnerabilities Mac Tags: cve-2021-30892 macOS post installation script Shrootless SIP system_installid zsh zshenv *( Read more... ( https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/10/shrootless-microsoft-finds-apple-vulnerability-in-macos/ ) )* The post Shrootless: Microsoft finds Apple macOS vulnerability appeared first on Malwarebytes Labs.

The Request a Quote WordPress plugin before 2.3.9 does not sanitise, validate or escape some of its settings in the admin dashboard, leading to authenticated Stored Cross-Site Scripting issues even when the unfiltered_html capability is disallowed.

The WP Debugging WordPress plugin before 2.11.0 has its update_settings() function hooked to admin_init and is missing any authorisation and CSRF checks, as a result, the settings can be updated by unauthenticated users.