Security
Headlines
HeadlinesLatestCVEs

Tag

#wordpress

Transposh WordPress Translation 1.0.7 Cross Site Scripting

Transposh WordPress Translation versions 1.0.7 and below have an ajax action "tp_tp" that is vulnerable to an unauthenticated/authenticated reflected cross site scripting vulnerability when user-supplied input to the HTTP GET parameter "q" is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to place arbitrary script code onto the same page.

Packet Storm
Open in Source
#xss#vulnerability#web#git#java#wordpress#php#perl#acer#auth
WordPress WP-UserOnline 2.87.6 Cross Site Scripting

WordPress WP-UserOnline plugin versions 2.87.6 and below suffer from a persistent cross site scripting vulnerability.

CVE-2022-29360: RainLoop Webmail - Emails at Risk due to Code Flaw

The Email Viewer in RainLoop through 1.6.0 allows XSS via a crafted email message.

CVE-2016-0796: WordPress Plugin mb.miniAudioPlayer-an HTML5 audio player for your mp3 files Multiple Vulnerabilities (1.7.6) - Vulnerabilities

WordPress Plugin mb.miniAudioPlayer-an HTML5 audio player for your mp3 files is prone to multiple vulnerabilities, including open proxy and security bypass vulnerabilities because it fails to properly verify user-supplied input. An attacker may leverage these issues to hide attacks directed at a target site from behind vulnerable website or to perform otherwise restricted actions and subsequently download files with the extension mp3, mp4a, wav and ogg from anywhere the web server application has read access to the system. WordPress Plugin mb.miniAudioPlayer-an HTML5 audio player for your mp3 files version 1.7.6 is vulnerable; prior versions may also be affected.

APT-Like Phishing Threat Mirrors Landing Pages

By dynamically mirroring an organization’s login page, threat actors are propagating legitimate-looking phishing attacks that encourage victims to offer up access to the corporate crown jewels.

CVE-2022-35882: WordPress GS Testimonial Slider plugin <= 1.9.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Authenticated (author or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in GS Plugins GS Testimonial Slider plugin <= 1.9.1 at WordPress.

CVE-2022-33943: BxSlider WP

Authenticated (contributor or higher user role) Cross-Site Scripting (XSS) vulnerability in Nico Amarilla's BxSlider WP plugin <= 2.0.0 at WordPress.

Hackers Increasingly Using WebAssembly Coded Cryptominers to Evade Detection

As many as 207 websites have been infected with malicious code designed to launch a cryptocurrency miner by leveraging WebAssembly (Wasm) on the browser. Web security company Sucuri, which published details of the campaign, said it launched an investigation after one of its clients had their computer slowed down significantly every time upon navigating to their own WordPress portal. This

CVE-2022-36375: WordPress Tabs plugin <= 3.6.0 - Authenticated WordPress Options Change vulnerability - Patchstack

Authenticated (high role user) WordPress Options Change vulnerability in Biplob Adhikari's Tabs plugin <= 3.6.0 at WordPress.