βΌ CVE-2021-24858 βΌ
π Read
via "National Vulnerability Database".
The Cookie Notification Plugin for WordPress plugin before 1.0.9 does not sanitise or escape the id GET parameter before using it in a SQL statement, when retrieving the setting to edit in the admin dashboard, leading to an authenticated SQL Injectionπ Read
via "National Vulnerability Database".
βΌ CVE-2021-25083 βΌ
π Read
via "National Vulnerability Database".
The Registrations for the Events Calendar WordPress plugin before 2.7.10 does not escape the qtype parameter before outputting it back in an attribute in the settings page, leading to a Reflected Cross-Site Scriptingπ Read
via "National Vulnerability Database".
βΌ CVE-2021-25076 βΌ
π Read
via "National Vulnerability Database".
The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scriptingπ Read
via "National Vulnerability Database".
βΌ CVE-2021-24694 βΌ
π Read
via "National Vulnerability Database".
The Simple Download Monitor WordPress plugin before 3.9.11 could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attack via 1) "color" or "css_class" argument of sdm_download shortcode, 2) "class" or "placeholder" argument of sdm_search_form shortcode.π Read
via "National Vulnerability Database".
βΌ CVE-2021-24696 βΌ
π Read
via "National Vulnerability Database".
The Simple Download Monitor WordPress plugin before 3.9.9 does not enforce nonce checks, which could allow attackers to perform CSRF attacks to 1) make admins export logs to exploit a separate log disclosure vulnerability (fixed in 3.9.6), 2) delete logs (fixed in 3.9.9), 3) remove thumbnail image from downloadsπ Read
via "National Vulnerability Database".
βΌ CVE-2021-25079 βΌ
π Read
via "National Vulnerability Database".
The Contact Form Entries WordPress plugin before 1.2.4 does not sanitise and escape various parameters, such as form_id, status, end_date, order, orderby and search before outputting them back in the admin pageπ Read
via "National Vulnerability Database".
βΌ CVE-2021-25015 βΌ
π Read
via "National Vulnerability Database".
The myCred WordPress plugin before 2.4 does not sanitise and escape the search query before outputting it back in the history dashboard page, leading to a Reflected Cross-Site Scripting issueπ Read
via "National Vulnerability Database".
βΌ CVE-2021-25013 βΌ
π Read
via "National Vulnerability Database".
The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary postsπ Read
via "National Vulnerability Database".
βΌ CVE-2021-25080 βΌ
π Read
via "National Vulnerability Database".
The Contact Form Entries WordPress plugin before 1.1.7 does not validate, sanitise and escape the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against logged in admins viewing the created entryπ Read
via "National Vulnerability Database".
βΌ CVE-2021-24968 βΌ
π Read
via "National Vulnerability Database".
The Ultimate FAQ WordPress plugin before 2.1.2 does not have capability and CSRF checks in the ewd_ufaq_welcome_add_faq and ewd_ufaq_welcome_add_faq_page AJAX actions, available to any authenticated users. As a result, any users, with a role as low as Subscriber could create FAQ and FAQ questionsπ Read
via "National Vulnerability Database".
βΌ CVE-2021-24985 βΌ
π Read
via "National Vulnerability Database".
The Easy Forms for Mailchimp WordPress plugin before 6.8.6 does not sanitise and escape the field_name and field_type parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issuesπ Read
via "National Vulnerability Database".
βΌ CVE-2021-25074 βΌ
π Read
via "National Vulnerability Database".
The WebP Converter for Media WordPress plugin before 4.0.3 contains a file (passthru.php) which does not validate the src parameter before redirecting the user to it, leading to an Open Redirect issueπ Read
via "National Vulnerability Database".
βΌ CVE-2021-24974 βΌ
π Read
via "National Vulnerability Database".
The Product Feed PRO for WooCommerce WordPress plugin before 11.0.7 does not have authorisation and CSRF check in some of its AJAX actions, allowing any authenticated users to call then, which could lead to Stored Cross-Site Scripting issue (which will be triggered in the admin dashboard) due to the lack of escaping.π Read
via "National Vulnerability Database".
βΌ CVE-2021-24865 βΌ
π Read
via "National Vulnerability Database".
The Advanced Custom Fields: Extended WordPress plugin before 0.8.8.7 does not validate the order and orderby parameters before using them in a SQL statement, leading to a SQL Injection issueπ Read
via "National Vulnerability Database".
βΌ CVE-2021-25062 βΌ
π Read
via "National Vulnerability Database".
The Orders Tracking for WooCommerce WordPress plugin before 1.1.10 does not sanitise and escape the file_url before outputting it back in an admin page, leading to a Reflected Cross-Site Scriptingπ Read
via "National Vulnerability Database".
βΌ CVE-2021-24965 βΌ
π Read
via "National Vulnerability Database".
The Five Star Restaurant Reservations WordPress plugin before 2.4.8 does not have capability and CSRF checks in the rtb_welcome_set_schedule AJAX action, allowing any authenticated users to call it. Due to the lack of sanitisation and escaping, users with a role as low as subscriber could perform Cross-Site Scripting attacks against logged in adminsπ Read
via "National Vulnerability Database".
βΌ CVE-2021-24733 βΌ
π Read
via "National Vulnerability Database".
The WP Post Page Clone WordPress plugin before 1.2 allows users with a role as low as Contributor to clone and view other users' draft and password-protected posts which they cannot view normally.π Read
via "National Vulnerability Database".
βΌ CVE-2021-25031 βΌ
π Read
via "National Vulnerability Database".
The Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) WordPress plugin before 9.7.1 does not escape the effects parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scriptingπ Read
via "National Vulnerability Database".
ποΈ Chain of vulnerabilities led to RCE on Cisco Prime servers ποΈ
π Read
via "The Daily Swig".
Full chain exploit ready for Prime timeπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Chain of vulnerabilities led to RCE on Cisco Prime servers
Full chain exploit ready for Prime time
β Alleged carder gang mastermind and three acolytes under arrest in Russia β
π Read
via "Naked Security".
The motto of the gang was "In Fraud We Trust", and they went by a dizzying range of online nicknames.π Read
via "Naked Security".
Naked Security
Alleged carder gang mastermind and three acolytes under arrest in Russia
The motto of the gang was βIn Fraud We Trustβ, and they went by a dizzying range of online nicknames.
ποΈ OpenSubtitles data breach: Users asked to re-secure accounts after plaintext password snafu ποΈ
π Read
via "The Daily Swig".
Movie translation site asked victims to reset passwordsβ¦ then sent them in clear textπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
OpenSubtitles data breach: Users asked to re-secure accounts after plaintext password snafu
Movie translation site asked victims to reset passwords⦠then sent them in clear text