Found 56 bookmarks
Custom sorting
The Race to Patch: Attackers Leverage Sample Exploit Code in Wordpress Plugin | Akamai
The Race to Patch: Attackers Leverage Sample Exploit Code in Wordpress Plugin | Akamai
The time for attackers to respond to known vulnerabilities is shrinking. See an example of an attacker using sample code. * The Akamai Security Intelligence Group (SIG) has been analyzing attack attempt activity following the announcement of a critical vulnerability in a WordPress custom fields plug-in affecting more than 2 million sites. * Exploiting this vulnerability could lead to a reflected cross-site scripting (XSS) attack, in which malicious code is injected into a victim site and pushed to its visitors. * On May 4, 2023, the WP Engine team announced the security fix in version 6.1.6, including sample exploit code as a proof of concept (PoC). * Starting on May 6, less than 48 hours after the announcement, the SIG observed significant attack attempt activity, scanning for vulnerable sites using the sample code provided in the technical write-up. * This highlights that the response time for attackers is rapidly decreasing, increasing the need for vigorous and prompt patch management.
#akamai#EN#2023#XSS#vulnerability#WordPress#plugin#third-party-risk#CVE-2023-30777
·akamai.com·
The Race to Patch: Attackers Leverage Sample Exploit Code in Wordpress Plugin | Akamai
Critical Privilege Escalation in Essential Addons for Elementor Plugin Affecting 1+ Million Sites
Critical Privilege Escalation in Essential Addons for Elementor Plugin Affecting 1+ Million Sites
This blog post is about the Essential Addons for Elementor plugin vulnerability. If you’re a Essential Addons for Elementor user, please update the plugin to at least version 5.7.2. Patchstack Developer and Business plan users are protected from the vulnerability. You can also sign up for the Patchstack Community plan to be notified about vulnerabilities […]
#patchstack#EN#2023#WP#Wordpress#Elementor
·patchstack.com·
Critical Privilege Escalation in Essential Addons for Elementor Plugin Affecting 1+ Million Sites
WordPress Advanced Custom Fields Pro plugin 6.1.5 - Reflected Cross Site Scripting (XSS) vulnerability
WordPress Advanced Custom Fields Pro plugin 6.1.5 - Reflected Cross Site Scripting (XSS) vulnerability
Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Advanced Custom Fields PRO Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 6.1.6.
#patchstack#EN#2023#WP#CVE-2023-30777#Advanced#Custom#Fields#Pro#plugin#XSS#vulnerability#Wordpress
·patchstack.com·
WordPress Advanced Custom Fields Pro plugin 6.1.5 - Reflected Cross Site Scripting (XSS) vulnerability
CVE-2022-21661: Exposing Database Info via WordPress SQL Injection
CVE-2022-21661: Exposing Database Info via WordPress SQL Injection
In October of this year, we received a report from ngocnb and khuyenn from GiaoHangTietKiem JSC covering a SQL injection vulnerability in WordPress. The bug could allow an attacker to expose data stored in a connected database. This vulnerability was recently addressed as CVE-2022-21661 ( ZDI-22-020
#zerodayinitiative#EN#2022#CVE-2022-21661#SQL-injection#vulnerability#WordPress
·zerodayinitiative.com·
CVE-2022-21661: Exposing Database Info via WordPress SQL Injection
PSA: Nearly 5 Million Attacks Blocked Targeting 0-Day in BackupBuddy Plugin
PSA: Nearly 5 Million Attacks Blocked Targeting 0-Day in BackupBuddy Plugin
Late evening, on September 6, 2022, the Wordfence Threat Intelligence team was alerted to the presence of a vulnerability being actively exploited in BackupBuddy, a WordPress plugin we estimate has around 140,000 active installations. This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information. ...Read More
#wordfence#EN#2022#Wordpress#vulnerability#0-day#BackupBuddy#plugin
·wordfence.com·
PSA: Nearly 5 Million Attacks Blocked Targeting 0-Day in BackupBuddy Plugin
Critical Privilege Escalation Vulnerability in Jupiter and JupiterX Premium Themes
Critical Privilege Escalation Vulnerability in Jupiter and JupiterX Premium Themes
On April 5, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of vulnerabilities in the Jupiter and JupiterX Premium themes and the required JupiterX Core companion plugin for WordPress, which included a critical privilege escalation vulnerability that allowed any user to become an administrator. The plugin developers quickly replied ...Read More
#Wordfence#2022#EN#JupiterX#Wordpress#theme#Privilege#CVE-2022-1654#CVE-2022-1656#CVE-2022-1657#CVE-2022-1658#CVE-2022-1659
·wordfence.com·
Critical Privilege Escalation Vulnerability in Jupiter and JupiterX Premium Themes
Critical Vulnerabilities in PHP Everywhere Allow Remote Code Execution
Critical Vulnerabilities in PHP Everywhere Allow Remote Code Execution
On January 4, 2022, the Wordfence Threat Intelligence team began the responsible disclosure process for several Remote Code Execution vulnerabilities in PHP Everywhere, a WordPress plugin installed on over 30,000 websites. One of these vulnerabilities allowed any authenticated user of any level, even subscribers and customers, to execute code on a site with the plugin ...Read More
#wordfence#EN#Wordpress#plugin#PHPEverywhere#CVE-2022-24664#CVE-2022-24665#CVE-2022-24663
·wordfence.com·
Critical Vulnerabilities in PHP Everywhere Allow Remote Code Execution
CVE-2022-21661: Exposing Database Info via WordPress SQL Injection
CVE-2022-21661: Exposing Database Info via WordPress SQL Injection
In October of this year, we received a report from ngocnb and khuyenn from GiaoHangTietKiem JSC covering a SQL injection vulnerability in WordPress. The bug could allow an attacker to expose data stored in a connected database. This vulnerability was recently addressed as CVE-2022-21661 ( ZDI-22-020
#zerodayinitiative#EN#2022#CVE-2022-21661#SQL-injection#vulnerability#WordPress
·zerodayinitiative.com·
CVE-2022-21661: Exposing Database Info via WordPress SQL Injection
PSA: Nearly 5 Million Attacks Blocked Targeting 0-Day in BackupBuddy Plugin
PSA: Nearly 5 Million Attacks Blocked Targeting 0-Day in BackupBuddy Plugin
Late evening, on September 6, 2022, the Wordfence Threat Intelligence team was alerted to the presence of a vulnerability being actively exploited in BackupBuddy, a WordPress plugin we estimate has around 140,000 active installations. This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information. ...Read More
#wordfence#EN#2022#Wordpress#vulnerability#0-day#BackupBuddy#plugin
·wordfence.com·
PSA: Nearly 5 Million Attacks Blocked Targeting 0-Day in BackupBuddy Plugin
Critical Privilege Escalation Vulnerability in Jupiter and JupiterX Premium Themes
Critical Privilege Escalation Vulnerability in Jupiter and JupiterX Premium Themes
On April 5, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of vulnerabilities in the Jupiter and JupiterX Premium themes and the required JupiterX Core companion plugin for WordPress, which included a critical privilege escalation vulnerability that allowed any user to become an administrator. The plugin developers quickly replied ...Read More
#Wordfence#2022#EN#JupiterX#Wordpress#theme#Privilege#CVE-2022-1654#CVE-2022-1656#CVE-2022-1657#CVE-2022-1658#CVE-2022-1659
·wordfence.com·
Critical Privilege Escalation Vulnerability in Jupiter and JupiterX Premium Themes
Critical Vulnerabilities in PHP Everywhere Allow Remote Code Execution
Critical Vulnerabilities in PHP Everywhere Allow Remote Code Execution
On January 4, 2022, the Wordfence Threat Intelligence team began the responsible disclosure process for several Remote Code Execution vulnerabilities in PHP Everywhere, a WordPress plugin installed on over 30,000 websites. One of these vulnerabilities allowed any authenticated user of any level, even subscribers and customers, to execute code on a site with the plugin ...Read More
#wordfence#EN#Wordpress#plugin#PHPEverywhere#CVE-2022-24664#CVE-2022-24665#CVE-2022-24663
·wordfence.com·
Critical Vulnerabilities in PHP Everywhere Allow Remote Code Execution
Critical Privilege Escalation Vulnerability in Jupiter and JupiterX Premium Themes
Critical Privilege Escalation Vulnerability in Jupiter and JupiterX Premium Themes
On April 5, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of vulnerabilities in the Jupiter and JupiterX Premium themes and the required JupiterX Core companion plugin for WordPress, which included a critical privilege escalation vulnerability that allowed any user to become an administrator. The plugin developers quickly replied ...Read More
#Wordfence#2022#EN#JupiterX#Wordpress#theme#Privilege#CVE-2022-1654#CVE-2022-1656#CVE-2022-1657#CVE-2022-1658#CVE-2022-1659
·wordfence.com·
Critical Privilege Escalation Vulnerability in Jupiter and JupiterX Premium Themes
Critical Vulnerabilities in PHP Everywhere Allow Remote Code Execution
Critical Vulnerabilities in PHP Everywhere Allow Remote Code Execution
On January 4, 2022, the Wordfence Threat Intelligence team began the responsible disclosure process for several Remote Code Execution vulnerabilities in PHP Everywhere, a WordPress plugin installed on over 30,000 websites. One of these vulnerabilities allowed any authenticated user of any level, even subscribers and customers, to execute code on a site with the plugin ...Read More
#wordfence#EN#Wordpress#plugin#PHPEverywhere#CVE-2022-24664#CVE-2022-24665#CVE-2022-24663
·wordfence.com·
Critical Vulnerabilities in PHP Everywhere Allow Remote Code Execution