Security Headlines

Tag: #wordpress

WordPress plugin security audit unearths dozens of vulnerabilities impacting 60,000 websites

Unauthenticated SQL injection bugs put thousands of WordPress sites under threat

PortSwigger
#sql #vulnerability #web #wordpress #php #rce #auth
CVE-2022-29454: Better Messages – Live Chat for WordPress, BuddyPress, BuddyBoss, Ultimate Member, PeepSo

Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin <= 1.9.9.148 at WordPress allows attackers to upload files. File attachment to messages must be activated.

CVE-2022-29923: Quick Restaurant Reservations

Authenticated (admin or higher user role) Reflected Cross-Site Scripting (XSS) vulnerability in ThingsForRestaurants Quick Restaurant Reservations plugin <= 1.4.1 at WordPress.

CVE-2021-36849: WordPress Social Media Share Buttons plugin <= 3.8.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in René Hermenau's Social Media Share Buttons plugin <= 3.8.1 at WordPress.

CVE-2021-31858: CVE-2021-31858 Stored Cross-Site Scripting in DotNetNuke

DotNetNuke (DNN) 9.9.1 CMS is vulnerable to a Stored Cross-Site Scripting vulnerability in the user profile biography section which allows remote authenticated users to inject arbitrary code via a crafted payload.

PayPal phishing campaign goes after more than just your login credentials

Scammers have created a PayPal phishing campaign that extensively asks for sensitive information, including government IDs and headshot photos. (Source: Malwarebytes Labs.)

Warning for WordPress admins: uninstall the Modern WPBakery plugin immediately!

We take a look at a WordPress plugin, abandoned and open to JavaScript-related exploitation. Uninstall it now! (Source: Malwarebytes Labs.)

WordPress Page Builder Plug-in Under Attack, Can't Be Patched

An ongoing campaign is actively targeting the vulnerability in the Kaswara Modern WPBakery Page Builder Addon, which is still installed on up to 8,000 sites, security analysts warn.

CVE-2022-2435: anymind-widget-id.php in anymind-widget/trunk – WordPress Plugin Repository

The AnyMind Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing nonce protection on the createDOMStructure() function found in the ~/anymind-widget-id.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, provided they can trick a site's administrator into performing an action such as clicking on a link.

CVE-2022-2101: WordPress Download Manager 3.2.43 Cross Site Scripting ≈ Packet Storm

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `file[files][]` parameter in versions up to, and including, 3.2.46 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor level permissions and above to inject arbitrary web scripts on the file's page that will execute whenever an administrator accesses the editor area for the injected file page.