WordPress Hunk Companion Plugin Flaw Exploited to Silently Install Vulnerable Plugins

December 12, 2024 at 05:15AM A critical vulnerability (CVE-2024-11972, CVSS 9.8) in the Hunk Companion WordPress plugin allows attackers to install malicious plugins, risking remote code execution and other exploits. This flaw impacts all versions prior to 1.9.0, and the plugin has over 10,000 installations. Additionally, a related vulnerability in WPForms also poses risks.

Critical WordPress Anti-Spam Plugin Flaws Expose 200,000+ Sites to Remote Attacks

November 26, 2024 at 08:42AM Two critical vulnerabilities (CVE-2024-10542 and CVE-2024-10781) in WordPress’s CleanTalk plugin could enable attackers to install malicious plugins, potentially leading to remote code execution. With a CVSS score of 9.8, users are urged to update to versions 6.44 or 6.45 to mitigate risks against unauthorized access.

Urgent: Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites

November 17, 2024 at 11:57PM A critical authentication bypass vulnerability (CVE-2024-10924) in the Really Simple Security plugin for WordPress could allow attackers to gain full admin access. Affecting over 4 million sites, the vulnerability has been patched in version 9.1.2 after responsible disclosure. Similar vulnerabilities were also found in WPLMS Learning Management System.

WordPress.org to require 2FA for plugin developers by October

September 11, 2024 at 01:37PM Starting October 1st, WordPress.org requires two-factor authentication for accounts that can push updates to plugins and themes. This decision aims to reduce the risk of unauthorized access and supply-chain attacks. The 2FA security feature needs to be activated, and SVN-specific passwords have been added for making code changes. Technical limitations …

Critical Forminator plugin flaw impacts over 300k WordPress sites

April 20, 2024 at 05:07PM The popular Forminator WordPress plugin, utilized on over 500,000 sites, is susceptible to a critical vulnerability allowing malicious file uploads to servers. This flaw, detailed by Japan’s CERT, includes potential for sensitive data access, site alteration, and a denial-of-service condition. Site admins are cautioned to promptly update to version 1.29.3 …

Critical Security Flaw Exposes 1 Million WordPress Sites to SQL Injection

April 4, 2024 at 11:46AM A researcher was awarded a $5,500 bug bounty for identifying a vulnerability (CVE-2024-2879) in LayerSlider, a widely used plug-in with over a million active installations.

ChatGPT Plugin Vulnerabilities Exposed Data, Accounts

March 13, 2024 at 09:27AM Salt Security analyzed ChatGPT plugins and uncovered vulnerabilities that could be exploited to access sensitive data and take over accounts on third-party websites. These vulnerabilities affected the OAuth authentication process, potentially leading to unauthorized data access and account takeovers. Vendors were promptly notified and patches were implemented. Additionally, future GPTs …

Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware

March 10, 2024 at 11:42AM Hackers are exploiting an XSS vulnerability in outdated Popup Builder plugin versions, infecting over 3,300 WordPress sites with malicious code. A new campaign targeting the same vulnerability has seen a notable uptick, with Sucuri reporting 1,170 infections. To defend against these attacks, users are advised to upgrade to Popup Builder …