Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

WordPress Profilepro 1.3 Cross Site Scripting

WordPress Profilepro plugin versions 1.3 and below suffer from a persistent cross site scripting vulnerability.

Packet Storm
Open in Source
#xss#vulnerability#wordpress#php#auth#firefox
WordPress Light Poll 1.0.0 Cross Site Request Forgery

WordPress Light Poll plugin versions 1.0.0 and below suffer from multiple cross site request forgery vulnerabilities.

WordPress PVN Auth Popup 1.0.0 Cross Site Scripting

WordPress PVN Auth Popup plugin version 1.0.0 suffers from a persistent cross site scripting vulnerability.

WordPress PayPlus Payment Gateway SQL Injection

WordPress PayPlus Payment Gateway plugin versions prior to 6.6.9 suffer from a remote SQL injection vulnerability.

'Stargazer Goblin' Creates 3,000 Fake GitHub Accounts for Malware Spread

A threat actor known as Stargazer Goblin has set up a network of inauthentic GitHub accounts to fuel a Distribution-as-a-Service (DaaS) that propagates a variety of information-stealing malware and netting them $100,000 in illicit profits over the past year. The network, which comprises over 3,000 accounts on the cloud-based code hosting platform, spans thousands of repositories that are used to

Magento Sites Targeted with Sneaky Credit Card Skimmer via Swap Files

Threat actors have been observed using swap files in compromised websites to conceal a persistent credit card skimmer and harvest payment information. The sneaky technique, observed by Sucuri on a Magento e-commerce site's checkout page, allowed the malware to survive multiple cleanup attempts, the company said. The skimmer is designed to capture all the data into the credit card form on the

'Konfety' Ad Fraud Uses 250+ Google Play Decoy Apps to Hide Malicious Twins

Details have emerged about a "massive ad fraud operation" that leverages hundreds of apps on the Google Play Store to perform a host of nefarious activities. The campaign has been codenamed Konfety – the Russian word for Candy – owing to its abuse of a mobile advertising software development kit (SDK) associated with a Russia-based ad network called CaramelAds. "Konfety represents a new form of

Disney “breached”, data dumped online

Hacktivists claim they have stolen 1.2 TB of data from Disney's developer Slack channels.

GHSA-x6p7-44rh-m3rr: Login by Auth0 plugin for WordPress vulnerable to Reflected Cross-Site Scripting

### Impact The Auth0 WordPress plugin allows site administrators to opt-in to allowing the use of a `wle` parameter, which can be passed to the WordPress login page by end users. When this parameter is supplied using an expected value (which is randomly generated by the plugin, by default), the end user can fallback to using WordPress' native authentication behavior. (This is generally intended as an emergency fallback for administrators to still be able to access their dashboard in the event something goes wrong.) In previous versions of the plugin, under specific conditions, this parameter could potentially accept an arbitrary string that would be improperly rendered, potentially allowing for a cross-site scripting (XSS) attack on the login page. ### Patches Please upgrade to v4.6.1 of the plugin to resolve the issue.

WordPress Poll Maker 5.3.2 SQL Injection

WordPress Poll Maker plugin version 5.3.2 suffers from a remote SQL injection vulnerability.