Cross-Site Request Forgery (CSRF) vulnerability in QuantumCloud ChatBot ? plugin <= 4.2.8 versions.

**Solution**

Update the WordPress ChatBot plugin to the latest available version (at least 4.2.9).

Rafshanzani Suhada discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress ChatBot Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 4.2.9.

**1 other known vulnerability for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-24415: WordPress ChatBot plugin <= 4.2.8 - Cross Site Request Forgery (CSRF) - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in MainWP Matomo Extension <= 4.0.4 versions.

**Solution**

Update the WordPress MainWP Matomo Extension plugin to the latest available version (at least 4.0.5).

Dave Jong (Patchstack) discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress MainWP Matomo Extension Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 4.0.5.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23659: WordPress MainWP Matomo Extension Plugin <= 4.0.4 - CSRF Leading To Plugin Settings Change Vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Organization chart <= 1.4.4 versions.

**Solution**

Update the WordPress Organization chart plugin to the latest available version (at least 1.4.5).

yuyudhn discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Organization chart Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 1.4.5.

**2 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-24384: WordPress WpDevArt Organization Chart plugin <= 1.4.4 - Cross Site Request Forgery (CSRF) - Patchstack

In what's a continuing assault on the open source ecosystem, over 15,000 spam packages have flooded the npm repository in an attempt to distribute phishing links.
"The packages were created using automated processes, with project descriptions and auto-generated names that closely resembled one another," Checkmarx researcher Yehuda Gelb said in a Tuesday report.
"The attackers referred to retail

Open Source / Supply Chain Attack

In what's a continuing assault on the open source ecosystem, over 15,000 spam packages have flooded the npm repository in an attempt to distribute phishing links.

"The packages were created using automated processes, with project descriptions and auto-generated names that closely resembled one another," Checkmarx researcher Yehuda Gelb said in a Tuesday report.

"The attackers referred to retail websites using referral IDs, thus profiting from the referral rewards they earned."

The modus operandi involves poisoning the registry with rogue packages that include links to phishing campaigns in their README.md files, evocative of a similar campaign the software supply chain security firm exposed in December 2022.

The fake modules masqueraded as cheats and free resources, with some packages named as "free-tiktok-followers," "free-xbox-codes," and "instagram-followers-free."

The ultimate goal of the operation is to entice users into downloading the packages and clicking on the links to the phishing sites with bogus promises of increased followers on social media platforms.

"The deceptive web pages are well-designed and, in some cases, even include fake interactive chats that appear to show users receiving the game cheats or followers they were promised," Gelb explained.

The websites urge victims to fill out surveys, which then pave the way for additional surveys or, alternatively, redirect them to legitimate e-commerce portals like AliExpress.

The packages are said to have been uploaded to npm from multiple user accounts within hours between February 20 and 21, 2023, using a Python script that automates the whole process.

What's more, the Python script is also engineered to append links to the published npm packages on WordPress websites operated by the threat actor that claim to offer Family Island cheats.

This is achieved by using the selenium Python package to interact with the websites and make the necessary modifications.

In all, the use of automation allowed the adversary to publish a large number of packages in a short span of time, not to mention create several user accounts to conceal the scale of the attack.

"This shows the sophistication and determination of these attackers, who were willing to invest significant resources in order to carry out this campaign," Gelb said.

The findings once again demonstrate the challenges in securing the software supply chain, as threat actors continue to adapt with "new and unexpected techniques."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Attackers Flood NPM Repository with Over 15,000 Spam Packages Containing Phishing Links

The Japanized For WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tab’ parameter in versions up to, and including, 2.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

1<?php2global $woocommerce;3$tab \= wc\_clean($\_GET\['tab'\]);4if(isset($tab)){5        $section \= 'jp4wc\_'.$tab;6}else{7        $section \= 'jp4wc\_setting';8        $tab \= 'setting';9}10$title \= array(11        'setting' \=> \_\_( 'General Setting', 'woocommerce-for-japan' ),12        'shipment' \=> \_\_( 'Shipment Setting', 'woocommerce-for-japan' ),13        'payment' \=> \_\_( 'Payment Setting', 'woocommerce-for-japan' ),14        'law' \=> \_\_( 'Notation based on Specified Commercial Transaction Law', 'woocommerce-for-japan' ),15        'affiliate' \=> \_\_( 'Affiliate Setting', 'woocommerce-for-japan' ),16);17$title \= apply\_filters( 'wc4jp\_admin\_setting\_title', $title );18if(!isset($title\[$tab\]))$title\[$tab\]\=\_\_('The URL for this page is incorrect.', 'woocommerce-for-japan');19?>20<div class="wrap">21    <h2><?php echo $title\[$tab\];?></h2>22    <div class="jp4wc-settings metabox-holder">23        <div class="jp4wc-sidebar">24            <div class="jp4wc-credits">25                <h3 class="hndle"><?php echo \_\_( 'Japanized for WooCommerce', 'woocommerce-for-japan' ) . ' ' . JP4WC\_VERSION;?></h3>26                <div class="inside">27                                        <?php $this\->jp4wc\_plugin\->jp4wc\_pro\_notice('https://wc4jp-pro.work/');?>28                    <hr />29                                        <?php $this\->jp4wc\_plugin\->jp4wc\_update\_notice();?>30                    <hr />31                                        <?php $this\->jp4wc\_plugin\->jp4wc\_community\_info();?>32                                        <?php if ( ! get\_option( 'wc4jp\_admin\_footer\_text\_rated' ) ) :?>33                        <hr />34                        <h4 class\="inner"\><?php echo \_\_( 'Do you like this plugin?', 'woocommerce-for-japan' );?></h4>35                        <p class="inner"><a href="https://wordpress.org/support/plugin/woocommerce-for-japan/reviews/#postform" target="\_blank" title="' . \_\_( 'Rate it 5', 'woocommerce-for-japan' ) . '"><?php echo \_\_( 'Rate it 5', 'woocommerce-for-japan' )?> </a><?php echo \_\_( 'on WordPress.org', 'woocommerce-for-japan' ); ?><br />36                        </p>37                                        <?php endif;?>38                    <hr />39                                        <?php $this\->jp4wc\_plugin\->jp4wc\_author\_info(JP4WC\_URL\_PATH);?>40                </div>41            </div>42        </div>43        <form id="jp4wc-setting-form" method="post" action="">44            <div id="main-sortables" class="meta-box-sortables ui-sortable">45                                <?php46                                //Display Setting Screen47                                settings\_fields( $section );48                                $this\->jp4wc\_plugin\->do\_settings\_sections( $section );49                                ?>50                <p class="submit">51                                        <?php52                                        submit\_button( '', 'primary', 'save\_'.$section, false );53                                        ?>54                </p>55            </div>56        </form>57        <div class="clear"></div>58    </div>59    <script type="text/javascript">60        //<!\[CDATA\[61        jQuery(document).ready( function ($) {62            // close postboxes that should be closed63            $('if-js-closed').removeClass('if-js-closed').addClass('closed');64            // postboxes setup65            postboxes.add\_postbox\_toggles('<?php echo $section; ?>');66        });67        //\]\]>68    </script>69</div>

CVE-2023-0942: html-admin-setting-screen.php in woocommerce-for-japan/trunk/includes/admin/views – WordPress Plugin Repository

Categories: Threat Intelligence
Magecart threat actors continue to go after e-commerce sites while also collecting data points from fake customers.



(Read more...)




The post Multilingual skimmer fingerprints 'secret shoppers' via Cloudflare endpoint API appeared first on Malwarebytes Labs.

One important aspect of data theft in criminal markets revolves around the authenticity of the data that is being resold. There are different services that exist to vet such things as credit card numbers so that buyers can purchase with confidence.

Criminals are also very aware that anyone and in particular security researchers may want to interfere with their operations. Filling up phishing pages with junk data is a sport of its own, although it may also be counterproductive at times. Using special cards for tracing purposes can also be used by defenders to follow the money.

We recently spotted a Magecart skimmer that collects the current victim's IP address and browser user-agent in addition to their email, address, phone number and credit card data. Because the victim already filled in their home address, we believe this is a fingerprinting effort much like what is done in traditional malware campaigns.

**Skimmer targets various geolocations**

The skimmer uses iframes that are loaded if the current page is the checkout and if the browser's local storage does not include a font item (this is equivalent to using cookies to detect returning visitors).

_Figure 1: Skimmer checking for address bar and inserting iframe_

The final rendering is identical to official payment platforms and does not give anything away:

_Figure 2: Fake payment forms injected by skimmer_

**Fingerprinting via Cloudflare API**

The underlying code will scrape everything from the customer's contact and payment forms. This is something that is often overlooked when talking about digital skimmers but yet is extremely important. While financial institutions can reissue you a new card in the mail, the information the criminals have collected is equivalent to a data breach and can be reused for other types of fraud later on.

_Figure 3: Skimmer data collection and fingerprinting_

One thing we noticed that was a little unusual, is code that queries the legitimate Cloudflare endpoint API and parses out the results specifically for two things: the user's current IP address and browser's user-agent. A user-agent string might look something like this:

_Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36_

From this you can determine the user is running Windows 10 (64 bit version) with Chrome version 110.

_Figure 4: Stolen data including IP address and user-agent string_

It's worth noting that this is done _**after**_ credit card data has already been collected and not before. It is quite common to check the user-agent string upon visiting a web page to determine whether a particular victim fits the target profile or to adapt the content to a mobile or desktop experience.

Since the skimmer already grabbed the shopper's city, postal code and country it's unlikely that the IP address would be of much use beyond that. We believe the threat actors are likely collecting IP addresses and user-agent strings for quality checks and monitoring invalid users such as bots and security researchers.

**Conclusion**

We observe a number credit card skimmers targeting e-commerce platforms such as Magento and WordPress/WooCommerce. Online merchants need to be aware of this threat and take appropriate measures to not only be compliant but also to make it much harder to be compromised in the first place. Since we mentioned Cloudflare in this post, it's worth noting that the company provides a service to businesses called Page Shield, that helps keep visitors safe through malicious third-party libraries.

We continue to track and report skimming infrastructure in order to protect our users via our Malwarebytes for consumers and businesses, as well as our Browser Guard extension.

**Indicators of Compromise**

gtag-analytics\[.\]com

gtag-analytics\[.\]com/analytics/15798/script.js?key=  
gtag-analytics\[.\]com/analytics/18452/script.js?key=  
gtag-analytics\[.\]com/analytics/25198/script.js?key=  
gtag-analytics\[.\]com/analytics/31826/script.js?key=  
gtag-analytics\[.\]com/analytics/32444/script.js?key=  
gtag-analytics\[.\]com/analytics/34515/script.js?key=  
gtag-analytics\[.\]com/analytics/65526/script.js?key=

gogletags\[.\]click

Multilingual skimmer fingerprints 'secret shoppers' via Cloudflare endpoint API

The Spectra WordPress plugin before 1.15.0 does not sanitize user input as it reaches its style HTML attribute, allowing contributors to conduct stored XSS attacks via the plugin's Gutenberg blocks.

CVE-2020-36656

The WP Private Message WordPress plugin (bundled with the Superio theme as a required plugin) before 1.0.6 does not ensure that private messages to be accessed belong to the user making the requests. This allowing any authenticated users to access private messages belonging to other users by tampering the ID.

Superio – Job Board WordPress theme is a complete Job Board WordPress theme that allows you to create a useful and easy to use job listings website. Using Superio theme, you can create a complete & fully Responsive job portal, career platform to run human resource management, recruitment or job posting website. Superio is not just a job board theme, it’s the best WordPress job portal template choice for anyone who wants a simple job script that makes money.

**Features**

*   Fields Manager
*   Indeed Jobs Import
*   Career builder Jobs Import
*   Careerjet Jobs Import
*   Ziprecruiter Jobs Import
*   **Restrict Job**  
    **\- View job page:**
    *   All (Users, Guests)
    *   All Register Users
    *   Register Candidates (All registered candidates can view jobs.)
    *   Always Hidden
*   **Restrict Candidate**  
    **\- View candidate page:**
    
    *   All (Users, Guests)
    *   All Register Users
    *   Only Applicants (Employer can view only their own applicants candidates.)
    *   Register Employers (All registered employers can view candidates.)
    *   Register Employers with package (Registered employers who purchased CV Package can view candidates.)
    
    **\- View candidate contact info:**
    *   All (Users, Guests)
    *   All Register Users
    *   Only Applicants (Employer can view only their own applicants candidates.)
    *   Register Employers (All registered employers can view candidates.)
    *   All users can view candidate, but only employers with package can see contact info (Users who purchased Contact Package can see contact info.)
*   **Restrict Employer**  
    **\- View candidate page:**
    
    *   All (Users, Guests)
    *   All Register Users
    *   Only Applicants (Candidate can view only their own applicants employers.)
    *   Register Candidates (All registered candidates can view employers.)
    *   Always Hidden
    
    **\- View candidate contact info:**
    *   All (Users, Guests)
    *   All Register Users
    *   Only Applicants (Candidate can view only their own applicants employers.)
    *   Register Candidates (All registered candidates can view employers.)
    *   Always Hidden
*   Add a job in frontend
*   Highly Customizable
*   Extensive Admin Interface
*   One click Demo Import
*   No coding knowledge required
*   Page Templates
*   Responsive & Retina Ready
*   Large collection of useful inner pages
*   Choose your grid size
*   Boxed layout option
*   Powerful typography options
*   Translation ready
*   WooCommerce compatible
*   Powerful sorting options for job listings and resumes
*   Multiple ways of showcasing job listings and resumes
*   Listing List shortcode
*   Listing Search shortcode
*   Listing Advanced Search shortcode
*   Listing Simple Search shortcode
*   Resume List shortcode
*   Resume Advanced Search shortcode
*   User login
*   User Dashboard page template
*   Facebook, Google, Twitter, LinkedIn login
*   Facebook, Google, Twitter, LinkedIn apply job
*   Pricing Tables shortcode
*   Comparison Pricing Tables shortcode
*   Smooth Page Transitions
*   Fontawsome & Flaticon
*   User Login Form
*   User Notification
*   Meeting Zoom
*   Here maps
*   Google maps
*   Mapbox maps

**Updates History:**

**Version 1.2.37 – 13 February 2023**

\* Updated preview job
\* Updated apply job
\* Updated reviews
\* Fixed datepicker in register form

**Version 1.2.36 – 07 January 2023**

\* Updated WooCommerce
\* Updated upload file
\* Update apply job
\* Updated RSS job

**Version 1.2.35 – 19 December 2022**

\* Updated WooCommerce
\* Updated Download CV
\* Updated Filter
\* Updated PHP warning

**Version 1.2.34 – 29 November 2022**

\* Updated job apply
\* Fixed error application when deleting candidate, job

**Version 1.2.33 – 11 November 2022**

\* Fixed apply for a job

**Version 1.2.32 – 07 November 2022**

\* Updated WooCommerce
\* Updated meeting form
\* Updated register form
\* Updated message in email template
\* Added notifications in header mobile
\* Fixed scheduled meeting

**Version 1.2.31 – 19 October 2022**

\* Update candidate filter tag
\* Update filter custom date field
\* Updated experience field
\* Updated cancel package
\* Updated private message

**Version 1.2.30 – 20 September 2022**

\* Updated WooCommerce
\* Updated candidate tag default

**Version 1.2.29 – 13 September 2022**

\* Updated packages
\* Updated upload file

**Version 1.2.28 – 25 August 2022**

\* Updated theme style
\* Updated calendar
\* Updated Notification
\* Updated currency

**Version 1.2.27 – 04 August 2022**

\* Updated email template
\* Updated Fields Manager

**Version 1.2.26 – 26 July 2022**

\* Updated pricing page
\* Updated application deadline
\* Updated thanks email content

**Version 1.2.25 – 20 July 2022**

\* Updated required custom field
\* Updated google job structure data
\* Updated application deadline

**Version 1.2.24 – 11 July 2022**

\* Updated job RSS feed
\* Added thanks email after applied job
\* Updated notification
\* Updated elementor element
\* Updated restrict candidate contact form

**Version 1.2.23 – 28 June 2022**

\* Updated shortlist candidate name
\* Fixed remove emloyee

**Version 1.2.22 – 13 June 2022**

\* Updated related jobs
\* Updated job map logo
\* Added telegram, discord social network

**Version 1.2.21 – 04 June 2022**

\* Updated multiple select field
\* Updated Apus Posts element
\* Updated register password
\* Updated plugin settings

**Version 1.2.20 – 18 May 2022**

\* Updated Theme Font
\* Updated widgets
\* Updated employer url
\* Updated socials link
\* Updated user description

**Version 1.2.19 – 09 May 2022**

\* Fixed Login user
\* Updated meeting zoom email varibales

**Version 1.2.18 – 04 May 2022**

\* Updated filter custom fields multiple select
\* Updated datepicker
\* Updated meeting date
\* Added restrict Employer, Candidate fields
\* Updated register form

**Version 1.2.17 – 03 May 2022**

\* Fixed employer url

**Version 1.2.16 – 29 April 2022**

\* Updated breadcrumbs url
\* Added filled label
\* Improved Apus Team element
\* Fixed create meetings in Approved tab

**Version 1.2.15 – 27 April 2022**

\* Updated date format
\* Updated filter custom field
\* Added option for Job Slug, Employer slug, Candidate slug
\* Update import employer, candidate
\* Added recapthcha login
\* Add hidden Job title, Candidate title, Employer title
\* Updated show/hide password in login/change password form
\* Updated location display

**Version 1.2.14 – 21 April 2022**

\* Updated employer job count
\* Updated employer url
\* Updated cache taxonomy
\* Updated date format
\* Updated invite email variables
\* Updated register password
\* Updated send email contact subject
\* Fixed upload file
\* Fixed upload cv apply

**Version 1.2.13 – 04 April 2022**

\* Updated theme style
\* Updated mobile menu label
\* Updated register candidate, register employer
\* Updated RSS feed
\* Updated submit job package

**Version 1.2.12 – 24 March 2022**

\* Updated Elementor
\* Updated Application Dealine

**Version 1.2.11 – 22 March 2022**

\* Updated WooCommerce login/register
\* Added Job Expired, Candidate Expired page
\* Updated shortlist job
\* Updated shortlist candidate
\* Updated candidate filter form
\* Updated employer filter form

**Version 1.2.10 – 10 March 2022**

\* Fixed Employer dashboard
\* Fixed jobs applications

**Version 1.2.9 – 03 March 2022**

\* Updated related Job
\* Updated Related Candidate
\* Updated Register Employer, Candidate
\* Updated apply without login

**Version 1.2.8 – 24 February 2022**

\* Updated jobs category
\* Updated Logout User
\* Updated import employer, candidate

**Version 1.2.7 – 10 February 2022**

\* Update footer menu style
\* Update language

**Version 1.2.6 – 20 January 2022**

\* Updated Jobs page url, Candidates page url, Employer page url
\* Updated candidate download his resume
\* Updated meetings message
\* Fixed filter taxonomy page

**Version 1.2.5 – 17 January 2022**

\* Add Register Tabs
\* Fixed create Employee
\* Fixed invite candidate

**Version 1.2.4 – 12 January 2022**

\* Updated Resume builder
\* Fixed invite candidate apply job

**Version 1.2.3 – 11 January 2022**

\* Fixed PHP error
\* Updated Invited Candidate
\* Added Autocomplete search

**Version 1.2.2 – 05 January 2022**

\* Updated logo thumbnail
\* Updated multiple languages
\* Updated Rest API

**Version 1.2.1 – 20 December 2021**

\* Updated Apus Posts element
\* Updated filter button
\* Updated taxonomy select2
\* Updated candidate profile
\* Updated job alert
\* Updated candidate alert

**Version 1.2.0 – 07 December 2021**

\* Added more 7 Home pages
\* Added Phone field for Job
\* Added select search taxonomy
\* Added Invite Candidate Apply Job
\* Add multi currencies
\* Updated recaptcha
\* Updated breadcrumbs
\* Improved filled job

**Version 1.1.16 – 16 November 2021**

\* Added Call to Apply
\* Updated Employer Dashboard
\* Fixed candidate category banner
\* Fixed user packages

**Version 1.1.15 – 05 November 2021**

\* Fixed WPML
\* Updated Google Struct Data
\* Updated Job Alert, Candidate Alert

**Version 1.1.14 – 15 October 2021**

\* Updated apply CV
\* Updated contact email
\* Updated WPML
\* Updated salary filter

**Version 1.1.13 – 15 October 2021**

\* Updated megamenu fullwidth
\* Updated My Jobs page
\* Updated Job EMployer Info
\* Add option enable/disable Upload CV in Apply form
\* Fixed Resume PDF
\* Updated salary slider
\* Add show/hide Employer profile
\* Update upload filte types

**Version 1.1.12 – 29 September 2021**

\* Updated experience date
\* Updated packages sort
\* Updated social login
\* Updated submit job slug
\* Improved salary display
\* Improved job filled

**Version 1.1.11 – 16 September 2021**

\* Fixed Employee user
\* Fixed job applications
\* Fixed restrict candidates
\* Updated filter job, employer, candidate
\* Updated candidate salary
\* Updated resume creation pdf
\* Updated user password
\* Updated Employer categories
\* Updated header mobile options

**Version 1.1.10 – 09 September 2021**

\* Fixed private message
\* Fixed load more jobs, candidates, employers
\* Fixed maps
\* Fix price currency
\* Fixed job alert
\* Fixed register form
\* Updated user short profile
\* Updated locations
\* Updated candidate shortlist
\* Updated custom fields
\* Updated translate

**Version 1.1.9 – 24 August 2021**

\* Updated Pagination Load More
\* Updated Apply Types Field
\* Added option to change background color for Urgent, Featured items

**Version 1.1.8 – 23 August 2021**

\* Updated region field
\* Updated upload file
\* Fixed price currency
\* Updated breadcrumbs
\* Updated locations
\* Updated pagination

**Version 1.1.7 – 12 August 2021**

\* Updated Employer dashboard
\* Updated filter jobs, candidates, employers
\* Added show full phone
\* Added options show header desktop in mobile

**Version 1.1.6 – 05 August 2021**

\* Added Notifications for Employer, Candidate Dashboard
\* Updated string translate
\* Updated Restrict Candidate, Employer 
\* Updated region orderby

**Version 1.1.5 – 30 July 2021**

\* Fixed User packages
\* Added tags field for Candidate
\* Updated Candidate single page
\* Updated settings page

**Version 1.1.4 – 22 July 2021**

\* Added job logo field

**Version 1.1.3 – 20 July 2021**

\* Added Apply job without login
\* Added Required Label
\* Updated upload file

**Version 1.1.2 – 13 July 2021**

\* Updated pricing packages
\* Updated my jobs page
\* Updated job applied status
\* Updated candidate dashboard
\* Updated header mobile

**Version 1.1.1 – 08 July 2021**

\* Updated User Profile
\* Updated package
\* Updated Register form
\* Updated Employer dashboard chart

**Version 1.1.0 – 01 July 2021**

\* Added Meeting Zoom
\* Added Notification
\* Added register from settings
\* Added Here Maps
\* Fixed private message
\* Update filter form

**Version 1.0.13 – 16 June 2021**

\* Added show job field by package
\* Added show more button for taxonomy checklist, radio
\* Fixed CV file url
\* Fixed candidate dashboard
\* Updated theme style

**Version 1.0.12 – 15 June 2021**

\* Added dashboard chart
\* Updated filter
\* Updated login/register form
\* Updated font icon for custom field
\* Fixed number item per page
\* Improved style for no breadcrumbs

**Version 1.0.11 – 11 June 2021**

\* Updated Job, Candidate, Employer video
\* Updated Jobs, employers, candidates page with no breadcrumbs

**Version 1.0.10 – 10 June 2021**

\* Update select2 javascript

**Version 1.0.9 – 08 June 2021**

\* Update theme style
\* Fixed job maps in job preview

**Version 1.0.8 – 05 June 2021**

\* Update job application

**Version 1.0.7 – 29 May 2021**

\* Update responsive
\* Updated search jobs form
\* Updated job email apply

**Version 1.0.6 – 27 May 2021**

\* Update fields
\* Updated filter job
\* Fixed submit job

**Version 1.0.5 – 25 May 2021**

\* Updated theme style
\* Updated custom field display
\* Updated apply job
\* Fixed edit job

**Version 1.0.4 – 25 May 2021**

\* Updated theme style
\* Updated theme options
\* Improve fields manager

**Version 1.0.3 – 24 May 2021**

\* Updated register user
\* Update email template

**Version 1.0.2 – 22 May 2021**

\* Updated Import Demo Data

**Version 1.0.1 – 21 May 2021**

\* Updated Import Demo Data
\* Updated theme style

**Version 1.0.0 – 20 May 2021**

\* First release

CVE-2023-0453: Superio – Job Board WordPress Theme

The Loan Comparison WordPress plugin before 1.5.3 does not validate and escape some of its query parameters before outputting them back in a page/post via an embedded shortcode, which could allow an attacker to inject javascript into into the site via a crafted URL.

CVE-2023-0442

The Watu Quiz WordPress plugin before 3.3.8.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Tag

#wordpress