βΌ CVE-2023-0749 βΌ
π Read
via "National Vulnerability Database".
The Ocean Extra WordPress plugin before 2.1.3 does not ensure that the template to be loaded via a shortcode is actually a template, allowing any authenticated users such as subscriber to retrieve the content of arbitrary posts, such as draft, private or even password protected ones.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25170 βΌ
π Read
via "National Vulnerability Database".
PrestaShop is an open source e-commerce web application that, prior to version 8.0.1, is vulnerable to cross-site request forgery (CSRF). When authenticating users, PrestaShop preserves session attributes. Because this does not clear CSRF tokens upon login, this might enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. The problem is fixed in version 8.0.1.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0844 βΌ
π Read
via "National Vulnerability Database".
The Namaste! LMS WordPress plugin before 2.6 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).π Read
via "National Vulnerability Database".
βΌ CVE-2023-0066 βΌ
π Read
via "National Vulnerability Database".
The Companion Sitemap Generator WordPress plugin through 4.5.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0477 βΌ
π Read
via "National Vulnerability Database".
The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.16 includes an AJAX endpoint that allows any user with at least Author privileges to upload arbitrary files, such as PHP files. This is caused by incorrect file extension validation.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0772 βΌ
π Read
via "National Vulnerability Database".
The Popup Builder by OptinMonster WordPress plugin before 2.12.2 does not ensure that the campaign to be loaded via some shortcodes is actually a campaign, allowing any authenticated users such as subscriber to retrieve the content of arbitrary posts, like draft, private or even password protected ones.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0172 βΌ
π Read
via "National Vulnerability Database".
The Juicer WordPress plugin before 1.11 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacksπ Read
via "National Vulnerability Database".
βΌ CVE-2023-0073 βΌ
π Read
via "National Vulnerability Database".
The Client Logo Carousel WordPress plugin through 3.0.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4466 βΌ
π Read
via "National Vulnerability Database".
The WordPress Infinite Scroll WordPress plugin before 5.6.0.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4661 βΌ
π Read
via "National Vulnerability Database".
The Widgets for WooCommerce Products on Elementor WordPress plugin before 1.0.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacksπ Read
via "National Vulnerability Database".
βΌ CVE-2023-0219 βΌ
π Read
via "National Vulnerability Database".
The FluentSMTP WordPress plugin before 2.2.3 does not sanitize or escape email content, making it vulnerable to stored cross-site scripting attacks (XSS) when an administrator views the email logs. This exploit requires other plugins to enable users to send emails with unfiltered HTML.π Read
via "National Vulnerability Database".
βΌ CVE-2022-4652 βΌ
π Read
via "National Vulnerability Database".
The Video Background WordPress plugin before 2.7.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacksπ Read
via "National Vulnerability Database".
π΄ Hike in AI-Created YouTube Videos Loaded With Malware π΄
π Read
via "Dark Reading".
AI-generated videos pose as tutorials on how to get cracked versions of Photoshop, Premiere Pro, and more.π Read
via "Dark Reading".
Dark Reading
AI-Created YouTube Videos Spread Around Malware
AI-generated videos pose as tutorials on how to get cracked versions of Photoshop, Premiere Pro, and more.
π΄ Brand Names in Finance, Telecom, Tech Lead Successful Phishing Lures π΄
π Read
via "Dark Reading".
AT&T, PayPal, and Microsoft top the list of domains that victims visit following a link in a phishing email, as firms fight to prevent fraud and credential harvesting.π Read
via "Dark Reading".
Dark Reading
Brand Names in Finance, Telecom, Tech Lead Successful Phishing Lures
AT&T, PayPal, and Microsoft top the list of domains that victims visit following a link in a phishing email, as firms fight to prevent fraud and credential harvesting.
βΌ CVE-2021-45423 βΌ
π Read
via "National Vulnerability Database".
A Buffer Overflow vulnerabilityexists in Pev 0.81 via the pe_exports function from exports.c.. The array offsets_to_Names is dynamically allocated on the stack using exp->NumberOfFunctions as its size. However, the loop uses exp->NumberOfNames to iterate over it and set its components value. Therefore, the loop code assumes that exp->NumberOfFunctions is greater than ordinal at each iteration. This can lead to arbitrary code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27010 βΌ
π Read
via "National Vulnerability Database".
Wondershare Dr.Fone v12.9.6 was discovered to contain weak permissions for the service WsDrvInst. This vulnerability allows attackers to escalate privileges via modifying or overwriting the executable.π Read
via "National Vulnerability Database".
βΌ CVE-2023-1378 βΌ
π Read
via "National Vulnerability Database".
A vulnerability classified as critical was found in SourceCodester Friendly Island Pizza Website and Ordering System 1.0. This vulnerability affects unknown code of the file paypalsuccess.php of the component POST Parameter Handler. The manipulation of the argument cusid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-222904.π Read
via "National Vulnerability Database".
βΌ CVE-2023-27580 βΌ
π Read
via "National Vulnerability Database".
CodeIgniter Shield provides authentication and authorization for the CodeIgniter 4 PHP framework. An improper implementation was found in the password storage process. All hashed passwords stored in Shield v1.0.0-beta.3 or earlier are easier to crack than expected due to the vulnerability. Therefore, they should be removed as soon as possible. If an attacker gets (1) the user's hashed password by Shield, and (2) the hashed password (SHA-384 hash without salt) from somewhere, the attacker may easily crack the user's password. Upgrade to Shield v1.0.0-beta.4 or later to fix this issue. After upgrading, all usersΓ’β¬β’ hashed passwords should be updated (saved to the database). There are no known workarounds.π Read
via "National Vulnerability Database".
βΌ CVE-2023-25279 βΌ
π Read
via "National Vulnerability Database".
OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows attackers to escalate privileges to root via a crafted payload.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0973 βΌ
π Read
via "National Vulnerability Database".
STEPTools v18SP1 ifcmesh library (v18.1) is affected due to a null pointer dereference, which could allow an attacker to deny application usage when reading a specially constructed file, resulting in an application crash.π Read
via "National Vulnerability Database".
π΄ 200-300% Increase in AI-Generated YouTube Videos to Spread Stealer Malware π΄
π Read
via "Dark Reading".
π Read
via "Dark Reading".
Dark Reading
200-300% Increase in AI-Generated YouTube Videos to Spread Stealer Malware
BENGALURU, March 10 β CloudSEK researchers have detected an increase of 200-300% month-on-month in YouTube videos containing links to stealer malware such as Vidar, RedLine, and Raccoon in their descriptions since November 2022.