Cross Site Scripting in YITH WooCommerce Ajax Product Filter
John Castro During a routine research audit for our Sucuri Web Application Firewall, we discovered a cross-site scripting (XSS) vulnerability affecting 100,000+ users of the YITH WooCommerce…
Browsing Category
Vulnerability Disclosure
254 posts
Vulnerable Plugins: June 2020 Update
This is a mid-month update to our regular Monthly Vulnerability Digest, which reveals a number of new patches for disclosed vulnerabilities. Plugin Vulnerability Patched Version…
Vulnerabilities Digest: May 2020
Relevant Plugins and Vulnerabilities: Plugin Vulnerability Patched Version Installs WP Product Review Unauthenticated Stored XSS 3.7.6 40000 Form Maker by 10Web Authenticated SQL Injection —…
Unauthenticated Stored Cross Site Scripting in WP Product Review
During a routine research audit for our Sucuri Firewall, we discovered an Unauthenticated Persistent Cross-Site Scripting (XSS) affecting 40,000+ users of the WP Product Review…
Vulnerabilities Digest: April 2020
Relevant Plugins and Vulnerabilities: Plugin Vulnerability Patched Version Installs Widget Settings Importer/Exporter Stored XSS Closed 40000 Accordion Stored/Reflected XSS 2.2.9 30000 Support Ticket System By…
OneTone Vulnerability Leads to JavaScript Cookie Hijacking
Luke Leal A vulnerability in the discontinued WordPress theme OneTone has been added to an ongoing campaign that is targeting vulnerable WordPress websites and causes malicious redirects…
Vulnerabilities Digest: March 2020
Fixed Plugins and Vulnerabilities Plugin Vulnerability Patched Version Installs Cookiebot Reflected Cross-Site Scripting 3.6.1 40000 Data Tables Generator By Supsystic Authenticated Stored XSS 1.9.92 30000…
Vulnerabilities Digest: February 2020
Fixed Plugins and Vulnerabilities Plugin Vulnerability Patched Version Installs Duplicator Arbitrary File Download 1.3.28 1000000 Modula Image Gallery Authenticated Stored XSS 2.2.5 70000 Easy Property…
Stored XSS in Elementor
Marc-Alexandre Montpas During a routine audit of WordPress plugins last december, we discovered a Stored XSS vulnerability in the very popular Elementor Page Builder plugin, which powers…
Authentication Bypass Vulnerability in InfiniteWP Client <= 1.9.4.4
An authentication bypass vulnerability affecting more than 300,000 InfiniteWP Client plugin users has recently been disclosed to the public. This plugin allows site owners to…
Zero-Day RCE in vBulletin v5.0.0-v5.5.4
A new remote code execution (RCE) zero-day vulnerability has been disclosed by an anonymous researcher on the full disclosure mailing list this past Monday. This…