Critical Security Flaw Found in Popular LayerSlider WordPress Plugin

April 3, 2024 at 02:03AM A critical security flaw (CVE-2024-2879) in the LayerSlider plugin for WordPress, with a CVSS score of 9.8, could lead to information extraction from databases. The vulnerability, fixed in version 7.10.1, arose from SQL injection and could allow unauthenticated attackers to manipulate SQL queries. Other WordPress plugins have also disclosed security vulnerabilities …

OWASP breach exposes decade of resumes due to misconfigured server

April 2, 2024 at 02:40PM A misconfigured MediaWiki web server led to a data breach at the Open Web Application Security Project (OWASP) Foundation. Resumes of members from 2006 to around 2014, consisting of personal details, were accessed. OWASP is advising caution as the breached data could be used for identity fraud and phishing attempts. …

Chrome to Fight Cookie Theft With Device Bound Session Credentials

April 2, 2024 at 12:45PM Google is introducing Device Bound Session Credentials (DBSC) to Chrome, preventing cookie theft by binding browser authentication sessions to the device. This technology, developed by the Web Incubator Community Group, uses private key authentication. DBSC ensures sessions are secure and deters cookie theft malware, with plans for widespread implementation by …

Massive Sign1 Campaign Infects 39,000+ WordPress Sites with Scam Redirects

March 22, 2024 at 08:33AM The Sign1 malware campaign has compromised 39,000 WordPress sites in six months, using malicious JavaScript injections to redirect users to scam sites. The recent variant infected 2,500 sites in the last two months alone. The campaign employs rogue JavaScript injected into legitimate HTML widgets and plugins, with time-based randomization to …

Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability

March 21, 2024 at 12:48AM Ivanti has disclosed a critical remote code execution flaw, CVE-2023-41724, in Standalone Sentry with a CVSS score of 9.6. All supported versions are affected, and patches are available for download. The company credited security experts and mentioned that no customers are known to be affected. Other security flaws in Ivanti …

Ultimate Member Plugin Flaw Exposes 100,000 WordPress Sites to Attacks

March 11, 2024 at 11:15AM A high-severity vulnerability in the Ultimate Member plugin (CVE-2024-2123) enables injection of malicious scripts into WordPress sites. Insufficient input sanitization and output escaping in the plugin’s members directory list functionality allow unauthenticated attackers to inject web scripts and potentially gain administrative user access. Patch released on March 6, impacting versions 2.8.3 and …

Hacked WordPress Sites Abusing Visitors’ Browsers for Distributed Brute-Force Attacks

March 7, 2024 at 09:21AM Threat actors are launching distributed brute-force attacks on WordPress sites through malicious JavaScript injections, causing unauthorized access to target sites. This shift from crypto drainers to brute-force attacks may be driven by profit motives, as compromised sites can be monetized in various ways. Prior attacks have exploited vulnerabilities in WordPress …

WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk

February 27, 2024 at 09:57AM A security vulnerability in the LiteSpeed Cache plugin for WordPress (CVE-2023-40000) allows unauthenticated users to elevate privileges. Patchstack researcher Rafie Muhammad mentioned potential information theft and privilege escalation. The issue was fixed in version 5.7.0.1, and the latest version is 6.1, released on February 5, 2024. This follows Wordfence’s discovery of …

Critical Flaw in Popular ‘Ultimate Member’ WordPress Plugin

February 26, 2024 at 10:21AM A critical SQL injection vulnerability in the Ultimate Member WordPress plugin, with 200,000 installations, allowed unauthenticated attackers to extract sensitive data by appending SQL queries. The flaw, tracked as CVE-2024-1071, was assigned a CVSS score of 9.8. The issue was resolved in Ultimate Member version 2.8.3 on February 19. …

Chrome 122, Firefox 123 Patch High-Severity Vulnerabilities

February 21, 2024 at 06:45AM Google and Mozilla released updates for Chrome and Firefox, addressing multiple vulnerabilities. Chrome 122 resolves 12 security defects, including high-severity memory safety bugs, with bug bounties paid to researchers. Firefox 123 also addresses 12 vulnerabilities, categorized as high, medium, and low-severity flaws. Both companies state that no vulnerabilities have been …