Critical Security Flaw Found in Popular LayerSlider WordPress Plugin

April 3, 2024 at 02:03AM A critical security flaw (CVE-2024-2879) in LayerSlider plugin for WordPress, with a CVSS score of 9.8, could lead to information extraction from databases. The vulnerability, fixed in version 7.10.1, arose from SQL injection and could allow unauthenticated attackers to manipulate SQL queries. Other WordPress plugins have also disclosed security vulnerabilities … Read more

Uncle Sam’s had it up to here with ‘unforgivable’ SQL injection flaws

March 26, 2024 at 12:52PM The FBI and CISA issued a warning to software vendors about the prevalence of SQL injection vulnerabilities. They emphasized the need for formal code reviews and secure-by-design programming practices to eradicate these vulnerabilities from the development process. They also urged vendors to use parameterized queries and be transparent in disclosing … Read more

US Government Urges Software Makers to Eliminate SQL Injection Vulnerabilities

March 26, 2024 at 07:18AM CISA and the FBI advise organizations to review and eliminate SQL injection vulnerabilities in their commercial software, as such flaws pose a significant security risk. They urge technology manufacturers to conduct a formal code review and embrace secure-by-design principles in software development to prevent malicious exploitation and enhance cybersecurity. From … Read more

CISA urges software devs to weed out SQL injection vulnerabilities

March 25, 2024 at 02:28PM CISA and FBI advised technology manufacturing executives to conduct formal software reviews and implement mitigations to eliminate SQL injection (SQLi) vulnerabilities. SQL injection attacks enable unauthorized access to sensitive data and can lead to data breaches and system takeover. They recommend using parameterized queries with prepared statements as a secure … Read more

Exploit released for Fortinet RCE bug used in attacks, patch now

March 21, 2024 at 11:18AM Security researchers have released a PoC exploit for a critical SQL injection vulnerability in Fortinet’s FortiClient EMS. Tracked as CVE-2023-48788, it impacts versions 7.0 and 7.2, allowing unauthenticated threat actors to gain RCE with SYSTEM privileges. With Horizon3’s PoC, attackers can modify it to use Microsoft SQL Server xp_cmdshell for … Read more

Fortinet Warns of Severe SQLi Vulnerability in FortiClientEMS Software

March 14, 2024 at 01:21AM Fortinet warns of a critical flaw (CVE-2023-48788) in FortiClientEMS and two other bugs in FortiOS and FortiProxy, with a 9.3 CVSS score. Exploitation could result in unauthorized code execution. Upgrade affected versions as per the advisory. No current active exploitation, but immediate patching is crucial due to prior abuse of unpatched … Read more

WordPress Plugin Alert – Critical SQLi Vulnerability Threatens 200K+ Websites

February 27, 2024 at 01:09AM A critical security flaw (CVE-2024-1071) has been discovered in the Ultimate Member WordPress plugin, potentially allowing attackers to exploit SQL injection and extract sensitive data from the database. The issue has been addressed in version 2.8.3, following responsible disclosure. Users are strongly advised to update the plugin to mitigate potential … Read more

Critical Flaw in Popular ‘Ultimate Member’ WordPress Plugin

February 26, 2024 at 10:21AM A critical SQL injection vulnerability in the Ultimate Member WordPress plugin with 200,000 installations allowed unauthenticated attackers to extract sensitive data by appending SQL queries. The flaw, tracked as CVE-2024-1071, was assigned a CVSS score of 9.8. The issue was resolved in the Ultimate Member version 2.8.3 on February 19. … Read more

Crime gang targeted jobseekers across Asia, looted two million email addresses

February 8, 2024 at 11:08PM Singapore-based cybersecurity firm Group-IB uncovered a group, dubbed “ResumeLooters,” operating across Asia, stealing sensitive data using SQL injection and XSS attacks. The victims were mainly job search websites and e-commerce companies in Asia, with evidence showing the attacks beginning as early as January 2023. The attackers attempted to gain … Read more

‘ResumeLooters’ Attackers Steal Millions of Career Records

February 6, 2024 at 01:41PM Attackers dubbed “ResumeLooters” used SQL injection and cross-site scripting to target at least 65 job-recruitment and retail websites, stealing databases with over 2 million emails and personal records in a month. They mainly targeted victims in Asia-Pacific, putting stolen data up for sale. Group-IB discovered the attacks and has advised … Read more