Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Codedrafty Mediabay – Media Library Folders plugin <= 1.6 versions.

**Solution**

 No fix

No patched version available. This plugin has been closed as of September 12, 2023 and is not available for download. This closure is temporary, pending a full review.

emad discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Mediabay Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-46066: WordPress Mediabay plugin <= 1.6 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Timely - Appointment software Timely Booking Button plugin <= 2.0.2 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank yuyudhn for reporting this vulnerability. Buy a coffee ☕

yuyudhn discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Timely Booking Button Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-44987: WordPress Timely Booking Button plugin <= 2.0.2 - Cross Site Scripting (XSS) vulnerability - Patchstack

By Waqas
If you've downloaded a rocket alert app from a third-party source, ensure it's spyware-free and delete it from your device.
This is a post from HackRead.com Read the original post: Hackers Target Israeli Rocket Alert App Users with Spyware

While the identity of the culprits behind this spyware campaign remains uncertain, their tactics closely resemble those used by pro-Palestinian hackers, such as AnonGhost.

On October 9th, 2023, **Hackread.com reported** on the infiltration by pro-Palestinian hackers associated with AnonGhost into the Red Alert app, an Israeli application designed by Kobi Snir exclusively for delivering missile and rocket alerts to the Israeli population. Seizing this opportunity, AnonGhost maliciously disseminated fabricated rocket, missile, and even nuclear bomb alerts to Israelis.

Now, Cloudflare’s Cloudforce One Threat Operations Team has uncovered a similar incident, this time targeting a different rocket alert app. The researchers identified a malicious website (redalertsme) hosting a Google Android Application (APK) impersonating the legitimate RedAlert – Rocket Alerts application originally created by Elad Nava. The motive behind this malicious website was to infect unsuspecting Israeli app users with spyware.

Rocket alert apps have gained immense popularity in Israel, providing crucial alerts to citizens about incoming air strikes, which have sadly become an all too common occurrence. The misuse of these applications, as witnessed in the recent hack, has the potential to create widespread panic and further escalate an already tense situation.

According to a **blog post** by Cloudflare, the malicious domain in question offered both iOS and Android versions of the mobile application. However, while the link for the iOS version directed users to the legitimate App Store page, the Android version was a manipulated variant.

Screenshot of the malicious website (Cloudflare)

The malicious application, while retaining elements of the original code, had been equipped with the capability to collect sensitive user data. This included access to contacts, call logs, text messages, account information, SIM card details, and a list of installed applications on the victim’s device.

To make matters worse, the malicious app operated stealthily in the background, continuously harvesting data from the compromised device. The stolen information was then sent to a remote server.

Although the data was encrypted, the use of RSA encryption with a bundled public key within the app made it theoretically possible for anyone intercepting the data packets to decrypt the information.

The website hosting the spyware-infested version of RedAlert has since been taken down. However, users who may have unwittingly installed this malicious application remain at risk. They are advised to take immediate action to cleanse their devices of the spyware.

To determine whether their devices have been compromised, users are urged to check the permissions that the app has requested. Suspicious permissions include access to call logs, contacts, phone features, and SMS capabilities. These indicators should be taken seriously to ensure the security of their devices and personal information.

While malicious **AI chatbots like WormGPT and FraudGPT** assist malicious actors in generating novel ideas with user-friendly technology, traditional cyber warfare tactics, such as hackvisits, persist. Presently, both pro-Palestinian and Israeli hackvisits **are focusing on** each other’s critical ICS products.

As hackers continuously innovate, it is crucial for users to remain vigilant and informed about safeguarding themselves from the ever-evolving landscape of cyber threats.

****_RELATED ARTICLES_****

1.  Israel’s Channel 10 TV Station Hacked by Hamas
2.  Hamas hacked the smartphones of over 100 IDF soldiers
3.  Hamas posed as women to con IDF into downloading malware
4.  Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack
5.  Hamas hacked phones of IDF soldiers with seductive phones of women

Hackers Target Israeli Rocket Alert App Users with Spyware

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Tyche Softwares Abandoned Cart Lite for WooCommerce plugin <= 5.15.2 versions.

**Solution**

 Fixed

Update the WordPress Abandoned Cart Lite for WooCommerce plugin to the latest available version (at least 5.16.0).

Robert DeVore discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Abandoned Cart Lite for WooCommerce Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 5.16.0.

**Other vulnerabilities in this plugin**

 0 present

 5 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-44986: WordPress Abandoned Cart Lite for WooCommerce plugin <= 5.15.2 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Robin Wilson bbp style pack plugin <= 5.6.7 versions.

**Solution**

 Fixed

Update the WordPress bbp style pack plugin to the latest available version (at least 5.6.8).

Found this useful? Thank NGÔ THIÊN AN (ancorn\_ from VNPT-VCI) for reporting this vulnerability. Buy a coffee ☕

NGÔ THIÊN AN (ancorn\_ from VNPT-VCI) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress bbp style pack Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 5.6.8.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-44984: WordPress bbp style pack plugin <= 5.6.7 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributo+) Stored Cross-Site Scripting (XSS) vulnerability in Cytech BuddyMeet plugin <= 2.2.0 versions.

**Solution**

 Fixed

Update the WordPress BuddyMeet plugin to the latest available version (at least 2.3.0).

Found this useful? Thank NGÔ THIÊN AN (ancorn\_ from VNPT-VCI) for reporting this vulnerability. Buy a coffee ☕

NGÔ THIÊN AN (ancorn\_ from VNPT-VCI) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress BuddyMeet Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 2.3.0.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-44985: WordPress BuddyMeet plugin <= 2.2.0 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi Ramasamy Tiny Carousel Horizontal Slider plugin <= 8.1 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank yuyudhn for reporting this vulnerability. Buy a coffee ☕

yuyudhn discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Tiny Carousel Horizontal Slider Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-44229: WordPress Tiny Carousel Horizontal Slider plugin <= 8.1 - Cross Site Scripting (XSS) - Patchstack

New research shows the number of deepfake videos is skyrocketing—and the world's biggest search engines are funneling clicks to dozens of sites dedicated to the nonconsensual fakes.

Google’s and Microsoft’s search engines have a problem with deepfake porn videos. Since deepfakes emerged half a decade ago, the technology has consistently been used to abuse and harass women—using machine learning to morph someone’s head into pornography without their permission. Now the number of nonconsensual deepfake porn videos is growing at an exponential rate, fueled by the advancement of AI technologies and an expanding deepfake ecosystem.

A new analysis of nonconsensual deepfake porn videos, conducted by an independent researcher and shared with WIRED, shows how pervasive the videos have become. At least 244,625 videos have been uploaded to the top 35 websites set up either exclusively or partially to host deepfake porn videos in the past seven years, according to the researcher, who requested anonymity to avoid being targeted online.

Over the first nine months of this year, 113,000 videos were uploaded to the websites—a 54 percent increase on the 73,000 videos uploaded in all of 2022. By the end of this year, the analysis forecasts, more videos will have been produced in 2023 than the total number of every other year combined.

These startling figures are just a snapshot of how colossal the issues with nonconsensual deepfakes has become—the full scale of the problem is much larger and encompasses other types of manipulated imagery. A whole industry of deepfake abuse, which predominantly targets women and is produced without people’s consent or knowledge, has emerged in recent years. Face-swapping apps that work on still images and apps where clothes can be “stripped off a person” in a photo with just a few clicks are also highly prominent. There are likely millions of images being created with these apps.

“This is something that targets everyday people, everyday high school students, everyday adults—it's become a daily occurrence,” says Sophie Maddocks, who conducts research on digital rights and cyber-sexual violence at the University of Pennsylvania. “It would make a lot of difference if we were able to make these technologies harder to access. It shouldn't take two seconds to potentially incite a sex crime.”

The new research highlights 35 different websites, which exist to exclusively host deepfake pornography videos or incorporate the videos alongside other adult material. (It does not encompass videos posted on social media, those shared privately, or manipulated photos.) WIRED is not naming or directly linking to the websites, so as not to further increase their visibility. The researcher scraped the websites to analyze the number and duration of deepfake videos, and they looked at how people find the websites using the analytics service SimilarWeb.

Many of the websites make it clear they host or spread deepfake porn videos—often featuring the word _deepfakes_ or derivatives of it in their name. The top two websites contain 44,000 videos each, while five others host more than 10,000 deepfake videos. Most of them have several thousand videos, while some only list a few hundred. Some videos the researcher analyzed have been watched millions of times.

The research also identified an additional 300 general pornography websites that incorporate nonconsensual deepfake pornography in some way. The researcher says “leak” websites and websites that exist to repost people’s social media pictures are also incorporating deepfake images. One website dealing in photographs claims it has “undressed” people in 350,000 photos.

Measuring the full scale of deepfake videos and images online is incredibly difficult. Tracking where the content is shared on social media is challenging, while abusive content is also shared in private messaging groups or closed channels, often by people known to the victims. In September, more than 20 girls aged 11 to 17 came forward in the Spanish town of Almendralejo after AI tools were used to generate naked photos of them without their knowledge.

“There has been significant growth in the availability of AI tools for creating deepfake nonconsensual pornographic imagery, and an increase in demand for this type of content on pornography platforms and illicit online networks,” says Asher Flynn, an associate professor at Monash University, Australia, who focuses on AI and technology-facilitated abuse. This is only likely to increase with new generative AI tools.

The gateway to many of the websites and tools to create deepfake videos or images is through search. Millions of people are directed to the websites analyzed by the researcher, with 50 to 80 percent of people finding their way to the websites via search. Finding deepfake videos through search is trivial and does not require a person to have any special knowledge about what to search for.

The issue is global. Using a VPN, the researcher tested Google searches in Canada, Germany, Japan, the US, Brazil, South Africa, and Australia. In all the tests, deepfake websites were prominently displayed in search results. Celebrities, streamers, and content creators are often targeted in the videos. Maddocks says the spread of deepfakes has become “endemic” and is what many researchers first feared when the first deepfake videos rose to prominence in December 2017.

Since the tools needed to create deepfake videos emerged, they’ve become easier to use, and the quality of the videos being produced has improved. The wave of image-generation tools also offers the potential for higher-quality abusive images and, eventually, video to be created. And five years after the first deepfakes started to appear, the first laws are just emerging that criminalize the sharing of faked images.

The proliferation of these deepfake apps combined with a greater reliance on digital communications in the Covid-19 era and a "failure of laws and policies to keep pace" has created a “perfect storm,” Flynn says.

Experts say that alongside new laws, better education about the technologies is needed, as well as measures to stop the spread of tools created to cause harm. This includes action by firms that host the websites and also search engines, including Google and Microsoft’s Bing. Currently, Digital Millennium Copyright Act (DMCA) complaints are the primary legal mechanism that women have to get videos removed from websites.

Henry Ajder, a deepfake and generative AI expert who has monitored the spread of the technologies, says adding more “friction” to the process of people finding deepfake porn videos, apps to change people’s faces, and tools that specifically allow the creation of nonconsensual images can reduce the spread. “It's about trying to make it as hard as possible for someone to find,” he says. This could be search engines down-ranking results for harmful websites or internet service providers blocking sites, he says. “It's hard to feel really optimistic, given the volume and scale of these operations, and the need for platforms—which historically have not taken these issues seriously—to suddenly do so,” Ajder says.

“Like any search engine, Google indexes content that exists on the web, but we actively design our ranking systems to avoid shocking people with unexpected harmful or explicit content they don't want to see,” says Google spokesperson Ned Adriance, pointing to its page on when it removes search results. Google’s support pages say it is possible for people to request that “involuntary fake pornography” be removed. Its removal form requires people to manually submit URLs and the search terms that were used to find the content. “As this space evolves, we're actively working to add more safeguards to help protect people, based on systems we've built for other types of nonconsensual explicit imagery,” Adriance says.

Courtney Gregoire, chief digital safety officer at Microsoft, says it does not allow deepfakes, and they can be reported through its web forms. “The distribution of nonconsensual intimate imagery (NCII) is a gross violation of personal privacy and dignity with devastating effects for victims,” Gregoire says. “Microsoft prohibits NCII on our platforms and services, including the soliciting of NCII or advocating for the production or redistribution of intimate imagery without a victim’s consent.”

While the number of videos and pictures continues to skyrocket, the impact on victims can be long-lasting. “Gender-based online harassment is having an enormous chilling effect on free speech for women,” Maddocks says. As reported by WIRED, female Twitch streamers targeted by deepfakes have detailed feeling violated, being exposed to more harassment, and losing time, and some said the nonconsensual content found its way to family members.

Flynn, the Monash University professor, says her research has found “high rates” of mental health concerns—such as anxiety, depression, self-injury, and suicide—as a result of digital abuse. “The potential impacts on a person’s mental and physical health, as well as impacts on their employment, family, and social lives can be immense,” Flynn says, “regardless of whether the image is deepfaked or ‘real.’”

Deepfake Porn Is Out of Control

Encrypted messaging app Signal has pushed back against "viral reports" of an alleged zero-day flaw in its software, stating it found no evidence to support the claim.
"After responsible investigation *we have no evidence that suggests this vulnerability is real* nor has any additional info been shared via our official reporting channels," it said in a series of messages posted in X (formerly

Encrypted messaging app Signal has pushed back against "viral reports" of an alleged zero-day flaw in its software, stating it found no evidence to support the claim.

"After responsible investigation \*we have no evidence that suggests this vulnerability is real\* nor has any additional info been shared via our official reporting channels," it said in a series of messages posted in X (formerly Twitter).

Signal said it also checked with the U.S. government and that it found no information to suggest "this is a valid claim." It's also urging those with legitimate information to send reports to security@signal\[.\]org.

The development comes as reports circulated over the weekend about a zero-day exploit in Signal that could be exploited to gain complete access to a targeted mobile device.

As a security precaution, it's been advised to turn off link previews in the app. The feature can be disabled by going to Signal Settings > Chats > Generate link previews.

The disclosure also arrives as TechCrunch revealed that zero-days for infiltrating messaging apps like WhatsApp are being sold for anywhere between $1.7 and $8 million.

Zero-day flaws in iMessage, Signal, and WhatsApp are lucrative for nation-state threat actors, as they can be used as entry points to achieve remote code execution on mobile devices and stealthily surveil targets of interest by means of one-click of zero-click exploit chains.

A recent report from Amnesty International found that spyware attacks have been attempted against journalists, politicians, and academics in the European Union, the U.S., and Asia with an ultimate aim to deploy Predator, which is developed by a consortium known as the Intellexa alliance.

"Between February and June 2023, social media platforms X (formerly Twitter) and Facebook were used to publicly target at least 50 accounts belonging to 27 individuals and 23 institutions," Amnesty International said, linking it to a customer with connections to Vietnam.

Central to the spread of infections included an anonymous account on X, a now-deleted handle named @Joseph\_Gordon16, that attempted to lure targets into clicking links that would install Predator malware. The Citizen Lab is tracking the threat actor under the name REPLYSPY.

"Predator spyware infections are managed via a web-based system which Intellexa terms the 'Cyber Operation Platform,'" the international non-governmental organization said in a technical deep dive of the Predator framework.

"Spyware operators can also use this interface to initiate attack attempts against a target phone, and if successful, to retrieve and access sensitive information including photos, location data, chat messages, and microphone recordings from the infected device."

Some of the other products offered by Intellexa comprise Mars, a network injection system installed at mobile operator ISPs that silently redirects any unencrypted HTTP request from a smartphone to a Predator infection server, and Jupiter, an add-on for the Mars system that enables injection into encrypted HTTPS traffic, but only works with domestic websites hosted by a local ISP.

A recent report from Haaretz also detailed how commercial surveillance vendors are looking to weaponize the digital advertising ecosystem to target and infect mobile devices globally using ad networks.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Signal Debunks Zero-Day Vulnerability Reports, Finds No Evidence

Cross-Site Request Forgery (CSRF) vulnerability in SendPulse SendPulse Free Web Push plugin <= 1.3.1 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress SendPulse Free Web Push Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Tag

#web