Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Twinpictures Column-Matic plugin <= 1.3.3 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Column-Matic Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-32578: WordPress Column-Matic plugin <= 1.3.3 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Kangu para WooCommerce plugin <= 2.2.9 versions.

**Solution**

 No fix

No patched version is available.

Jonas Höbenreich discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Kangu para WooCommerce Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-32296: WordPress Kangu para WooCommerce plugin <= 2.2.9 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ImageRecycle ImageRecycle pdf & image compression plugin <= 3.1.11 versions.

**Solution**

 Fixed

Update the WordPress ImageRecycle pdf & image compression plugin to the latest available version (at least 3.1.12).

Found this useful? Thank thiennv for reporting this vulnerability. Buy a coffee ☕

thiennv discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress ImageRecycle pdf & image compression Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 3.1.12.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-40196: WordPress ImageRecycle pdf & image compression plugin <= 3.1.11 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Pexle Chris Library Viewer plugin <= 2.0.6 versions.

**Solution**

 Fixed

Update the WordPress Library Viewer plugin to the latest available version (at least 2.0.6.1).

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Library Viewer Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 2.0.6.1.

**Other vulnerabilities in this plugin**

 0 present

 2 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-32102: WordPress Library Viewer plugin <= 2.0.6 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Vathemes Business Pro theme <= 1.10.4 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Business Pro Theme. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-40214: WordPress Business Pro theme <= 1.10.4 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

By Habiba Rashid
Key Findings Cybersecurity researchers have warned of fake Signal and Telegram apps that have been distributed through the…
This is a post from HackRead.com Read the original post: Chinese APT Slid Fake Signal and Telegram Apps onto Official App Stores

**Key Findings**

*   Fake Signal and Telegram apps have been distributed through the Google Play Store and Samsung Galaxy Store.

*   The apps are designed to steal user data, including contact lists, call logs, and device information.

*   The apps were created by a Chinese APT known as GREF, while malicious code found in these apps is attributed to the BadBazaar malware.

*   The apps were initially targeted at users in China, but have since expanded to other countries.

*   If you have installed Signal Plus Messenger or FlyGram, you should remove them from your phone.

*   Before uninstalling the apps, make sure to unlink your Signal and Telegram accounts to prevent further data exposure.

Cybersecurity researchers have warned of fake Signal and Telegram apps that have been distributed through the Google Play Store and Samsung Galaxy Store. The apps, which are called Signal Plus Messenger and FlyGram, are designed to steal user data, including contact lists, call logs, and device information.

Signal Plus Messenger, a bogus version of the popular Signal app, managed to slip under the radar for nine months in the Google Play Store. It garnered over 100 downloads before Google finally removed it from the app storefront.

FlyGram, developed by the same threat actor, followed a similar trajectory but was removed in 2021. The Slovak cybersecurity firm ESET has identified these apps as malicious versions of Signal and Telegram, designed to deliver malware to unsuspecting users.

Fake Singnal and Telegram apps on Google Play Store and Samsung Galaxy Store (Image: ESET)

These fake apps were more than just imitations; they were sophisticated tools for cyber espionage. In a blog post, ESET researchers mentioned that the counterfeit Telegram app could harvest basic device information, sensitive data, Google accounts, and call logs. Additionally, it had a feature enabling it to back up data to a remote server controlled by the attacker.

The malicious Signal Plus app, on the other hand, could monitor both incoming and outgoing messages, transmitting them to a remote server for unauthorized access. To appear legitimate, dedicated websites were created for both apps, complete with links for direct installation from the Google Play Store.

The apps were created by a China-based hacking group known as GREF. GREF, also know as APT15, Ke3chang, Mirage, Vixen Panda and Playful Dragon, was also pointed out in July 2020 over the China’s insidious surveillance against Uyghurs with Android malware

Back in March 2018, these same threat actors were also found targeting a UK Government Contractor to steal military technology secrets. GREF is know the BadBazaar malware and in this campaign, the malicious code found in these apps is also attributed to the BadBazaar malware.

This should not be surprising, as another Chinese APT group, Smishing Triad, was recently reported to be carrying out a large-scale smishing campaign against users in the United States. This attack involved impersonating leading mail and delivery services.

Initially, users in China were the primary targets of these fake apps. However, the threat has since expanded to include users in Ukraine, Poland, the Netherlands, Spain, Portugal, Germany, Hong Kong, and the United States. 

If you’ve unwittingly installed Signal Plus Messenger or FlyGram, removing them from your phone is crucial. However, exercise caution when doing so. Before uninstalling these apps, make sure to unlink your Signal and Telegram accounts to prevent further data exposure. Google has labeled these apps as malicious and capable of stealing personal information.

**Some quick tips for staying safe from fake apps**

*   Only download apps from official app stores, such as the Google Play Store and the Apple App Store.
*   Be wary of apps that ask for more permissions than they need.
*   Read the reviews of an app before you download it.
*   Keep your apps updated.
*   Regularly scan your device for malware using a security app.

1.  Phishers Now Actively Automating Scams with Telegram
2.  Telegram and Discord Bots Delivering Infostealing Malware
3.  New MMRat Android Trojan Uses Fake App Stores for Bank Fraud
4.  Researcher Identifies Popular Swing VPN Android App as DDoS Botnet

Chinese APT Slid Fake Signal and Telegram Apps onto Official App Stores

There’s been a great deal of AI hype recently, but that doesn’t mean the robots are here to replace us. This article sets the record straight and explains how businesses should approach AI.
From musing about self-driving cars to fearing AI bots that could destroy the world, there has been a great deal of AI hype in the past few years. AI has captured our imaginations, dreams, and occasionally,

_There's been a great deal of AI hype recently, but that doesn't mean the robots are here to replace us. This article sets the record straight and explains how businesses should approach AI._

From musing about self-driving cars to fearing AI bots that could destroy the world, there has been a great deal of AI hype in the past few years. AI has captured our imaginations, dreams, and occasionally, our nightmares. However, the reality is that AI is currently much less advanced than we anticipated it would be by now. Autonomous cars, for example, often considered the poster child of AI's limitless future, represent a narrow use case and are not yet a common application across all transportation sectors.

In this article, we de-hype AI, provide tools for businesses approaching AI and share information to help stakeholders educate themselves.

**AI Terminology De-Hyped****AI vs. ML**

AI (Artificial Intelligence) and ML (Machine Learning) are terms that are often used interchangeably, but they represent different concepts. AI aims to create intelligence, which means cognitive abilities and the capacity to pass the Turing test. It works by taking what it has learned and elevating it to the next level. The goal of using AI is to replicate human actions, such as creating a cleaning robot that operates in a manner similar to a human cleaner.

ML is a subset of AI. It comprises mathematical models and its abilities are based on combining machines with data. ML works by learning lessons from events and then prioritizing those lessons. As a result, ML can perform actions that humans cannot, like going over vast reams of data, figuring out patterns, predicting probabilities, and more.

**Narrow vs. General AI**

The concept of General AI is the one that often scares most people, since it's the epitome of our "robot overlords" replacing human beings. However, while this idea is technically possible, we are not at that stage right now.

Unlike General AI, Narrow AI is a specialized form of AI that is tuned for very specific tasks. This focus allows supporting humans, relieving us from work that is too demanding or potentially harmful. It is not intended to replace us. Narrow AI is already being applied across industries, like for building cars or packaging boxes. In cybersecurity, Narrow AI can analyze activity data and logs, searching for anomalies or signs of an attack.

**AI and ML in the Wild**

There are three common models of AI and ML in the wild: generative AI, supervised ML and unsupervised ML.

**Generative AI**

Generative AI is a cutting-edge field in AI, characterized by models, like LLMs, that are trained on a corpus of knowledge. The generative AI technology has the ability to generate new content based on the information contained within that corpus. Generative AI has been described as a form of "autocorrect" or "type ahead," but on steroids. Examples of Generative AI applications include ChatGPT, Bing, Bard, Dall-E, and specialized cyber assistants, like IBM Security QRadar Advisor with Watson or MSFT Security CoPilot.

Generative AI is best suited for use cases like brainstorming, assisted copyediting and conducting research against a trusted corpus. **Cybersecurity professionals**, like SOC and fusion teams, can leverage Generative AI for research, to help them understand zero-day vulnerabilities, network topologies, or new indicators of compromise (IoC). It's important to recognize that Generative AI sometimes produces "hallucinations", i.e. wrong answers.

Cyber Security Master Class: Episode 13

Everything You Wanted To Know About AI Security But Were Afraid To Ask

In this session, we will go beyond the hype and find out if and how AI impacts your cybersecurity strategy.

Watch Now

According to Etay Maor, Senior Director Security Strategy at **Cato Networks**, "Generative AI can also help criminals. For example, they can use it to write phishing emails. Before ChatGPT, one of the basic detections of phishing emails was spelling mistakes and bad grammar. Those were indicators that something was suspicious. Now, criminals can easily write a phishing email in multiple languages in perfect grammar."

**Unsupervised Learning**

Unsupervised learning in ML means that the training data and the outcomes are not labeled. This approach allows algorithms to make inferences from data without human intervention, to find patterns, clusters and connections. Unsupervised learning is commonly used for dynamic recommendations, like in retail websites.

In cybersecurity, unsupervised learning can be used for clustering or grouping and for finding patterns that weren't apparent before, for example it can help identify all malware with a certain signature originating from a specific nation-state. It can also find associations and links between data sets. For example, determining if people who click on phishing emails are more likely to reuse passwords. Another use case is anomaly detection, like detecting activity that might indicate an attacker is using stolen credentials.

Unsupervised learning is not always the right choice. When getting the output wrong has a very high impact and severe consequences, when short training times are needed, or when full transparency is required, it's recommended to take a different approach.

**Supervised Learning**

In supervised learning, the training data is labeled with input/output pairs, and the model's accuracy depends on the quality of labeling and dataset completeness. Human intervention is often required to review the output, improve accuracy,and correct any bias drift. Supervised learning is best suited for making predictions.

In cybersecurity, supervised learning is used for classification, which can help identify phishing and malware. It can also be used for regression, like predicting the cost of a novel attack based on past incident costs.

Supervised learning is not the best fit if there's no time to train or no one to label or train the data. It's also not recommended when there is a need to analyze large amounts of data, when there is not enough data, or when automated classification/clustering is the end goal.

**Reinforcement Learning (RL)**

Reinforcement Learning (RL) occupies a space between fully supervised and unsupervised learning and is a unique approach to ML. It means retraining a model when existing training fails to anticipate certain use cases. Even deep learning, with its access to large datasets, can still miss outlier use cases that RL can address. The very existence of RL is an implicit admission that models can be flawed.

**What Cybercriminals are Saying About Generative AI**

Generative AI is of interest to cyber criminals. According to Etay Maor "Cyber criminals have been talking about how to use ChatGPT, Bard and other GenAI applications from the day they were introduced, as well as sharing their experience and thoughts about their capabilities. As it seems, they believe that GenAI has limitations and will probably be more mature for attacker use in a few years."

Some conversation examples include:

**The Artificial Intelligence Risk Management Framework (AI RMF) by NIST**

When engaging with AI and AI-based solutions, it's important to understand AI's limitations, risks and vulnerabilities. The Artificial Intelligence Risk Management Framework (AI RMF) by NIST is a set of guidelines and best practices designed to help organizations identify, assess and manage the risks associated with the deployment and use of artificial intelligence technologies.

The framework consists of six elements:

1.  **Valid and Reliable** \- AI can provide the wrong information, which is also known in GenAI as "hallucinations". It's important that companies can validate the AI they're adopting is accurate and reliable.
2.  **Safe** - Ensuring that the prompted information isn't shared with other users, like in the infamous Samsung case.
3.  **Secure and Resilient** - Attackers are using AI for cyber attacks. Organizations should ensure the AI system is protected and safe from attacks and can successfully thwart attempts to exploit it or use it for assisting with attacks.
4.  **Accountable and Transparent** - It's important to be able to explain the AI supply chain and to ensure there is an open conversation about how it works. AI is not magic.
5.  **Privacy-enhanced** - Ensuring the prompted information is protected and anonymized in the data lake and when used.
6.  **Fair** - This is one of the most important elements. It means managing harmful bias. For example, there is often bias in AI facial recognition, with light-skinned males being more accurately identified compared to women and darker skin colors. When using AI for law enforcement, for example, this could have severe implications.

Additional resources for managing AI risk include the MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems), OWASP Top 10 for ML and Google's Secure AI Framework (SAIF).

**Questions to Ask Your Vendor**

In the near future, it will be very common for vendors to offer generative AI capabilities. Here is a list of questions to ask to support your educated choice.

****1\. What and Why?****

What are the AI capabilities and why are they needed? For example, GenAI is very good at writing emails, so GenAI makes sense for an email system. What's the use case for the vendor?

****2\. Training data****

Training data needs to be properly and accurately managed, otherwise it can create bias. It's important to ask about the types of training data, how it has been cleaned, how it is managed, etc.

****3\. Was resilience built-in?****

Has the vendor taken into consideration that cybercriminals are attacking the system itself and implemented security controls?

****4\. Real ROI vs. Claims****

What is the ROI and does the ROI justify implementing AI or ML (or were they added because of the hype and for sales purposes)?

****5\. Is it Really Solving a Problem?****

The most important question - is the AI solving your problem and is it doing it well? There's no point in paying a premium and incurring extra overhead unless the AI is solving the problem and working the way it should.

AI can empower us and help us perform better, but it is not a silver bullet. That's why it's important for businesses to make educated decisions about tools with AI they choose to implement internally.

To learn more about AI and ML use cases, risks, applications, vulnerabilities and implications for security experts, **watch the entire masterclass here**.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Everything You Wanted to Know About AI Security but Were Afraid to Ask

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in ???(std.Cloud) WxSync plugin <= 2.7.23 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Found this useful? Thank Rio Darmawan for reporting this vulnerability. Buy a coffee ☕

Rio Darmawan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WxSync Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-39988: WordPress WxSync plugin <= 2.7.23 - Cross Site Scripting (XSS) - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Ajay Lulia wSecure Lite plugin <= 2.5 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Found this useful? Thank Rio Darmawan for reporting this vulnerability. Buy a coffee ☕

Rio Darmawan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress wSecure Lite Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-39987: WordPress wSecure Lite plugin <= 2.5 - Cross Site Scripting (XSS) - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in maennchen1.De wpShopGermany – Protected Shops plugin <= 2.0 versions.

**Solution**

 Fixed

Update the WordPress wpShopGermany – Protected Shops plugin to the latest available version (at least 2.1).

DoYeon Park (p6rkdoye0n) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress wpShopGermany – Protected Shops Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 2.1.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Tag

#web