Orbit Fox by ThemeIsle <= 2.6.3 – Does not properly Authenticate REST API Calls

https://wpvulndb.com/vulnerabilities/9167

WooCommerce <= 3.4.5 – Authenticated Phar Deserialization

https://wpvulndb.com/vulnerabilities/9166

WooCommerce <= 3.4.5 – Authenticated Stored XSS

https://wpvulndb.com/vulnerabilities/9165

WPForms <= 1.4.8 – Unauthenticated Cross-Site Scripting (XSS)

https://wpvulndb.com/vulnerabilities/9164

Smush Image Compression and Optimization <= 2.9.1 – Authenticated Phar Deserialization

https://wpvulndb.com/vulnerabilities/9162

Fake Volkswagen Campaign Spreads Through Social Networks

http://feedproxy.google.com/~r/sucuri/blog/~3/kpTyhrK5u6A/fake-volkswagen-campaign-spreads-through-social-networks.html
We recently investigated a suspicious link received by one of our colleagues on WhatsApp. The message (in Portuguese) states that Volkswagen is offering 20 free cars until the end of the year, and directs users to participate on a site that has apparently been crafted especially for this “event”. After an initial investigation, it became clear that something was not right with the site. Several security vendors blacklisted it as a phishing site; although fishy, none of the classic phishing characteristics were present. Continue reading Fake Volkswagen Campaign Spreads Through Social Networks at Sucuri Blog.

Social Sharing Plugin – Kiwi <= 2.0.10 – Update Any Option

https://wpvulndb.com/vulnerabilities/9161

3 Best WordPress Security Plugins Compared

https://blogvault.net/best-wordpress-security-plugins/
The post 3 Best WordPress Security Plugins Compared appeared first on BlogVault – The Most Reliable WordPress Management Service.

Localization and Customization of Credit Card Stealing Malware

http://feedproxy.google.com/~r/sucuri/blog/~3/p4a9Wc1wEWg/localization-and-customization-of-credit-card-stealing-malware.html
Credit card stealing malware is becoming more and more customized. We’ve been regularly seeing injected scripts with URLs that either mimic or include a portion of the victim’s site domain. Sometimes the injected code also references the victim’s site. Recently, we’ve come across another level of customization.

Fake Payment Form in Bulgarian

A compromised Magento site had the following script injected into its core_config_data table: hxxps://elegrina[.]com/assets/<domain>.js, where <domain> was the second-level domain of the infected site. Continue reading Localization and Customization of Credit Card Stealing Malware at Sucuri Blog.
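A detection pass over Magento core_config_data rows for the pattern described above, as an added example that is not Sucuri's code: it pulls every <script src> out of the stored config values, ignores same-origin includes, and flags external loaders whose path or host embeds the victim's own second-level domain label. The config paths, the site hostname and the sample rows are constructed for the demo; only the elegrina[.]com/assets/<domain>.js shape comes from the post.

```python
"""Hunt for 'localized' skimmer loaders in Magento core_config_data.

Added example, not Sucuri's tooling. SAMPLE_ROWS, SITE_HOST and the
config paths are constructed; the injection shape (external .js whose
filename is the victim's second-level domain) is the one from the post.
"""
import re
from urllib.parse import urlparse

# Matches the src attribute of any <script ...> tag, quoted or unquoted.
SCRIPT_SRC_RE = re.compile(r'<script[^>]+src\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def second_level_domain(host: str) -> str:
    """Return the second-level label: 'victimstore' for 'www.victimstore.example'.
    Naive single-label public-suffix assumption; enough for this pattern."""
    labels = host.lower().rstrip('.').split('.')
    return labels[-2] if len(labels) >= 2 else labels[0]


def refang(url: str) -> str:
    """Turn defanged 'hxxps://host[.]tld' notation back into a parsable URL."""
    return url.replace('hxxp', 'http').replace('[.]', '.')


def find_injected_scripts(rows, site_host):
    """rows: iterable of (path, value) tuples from core_config_data.
    Returns findings for every externally hosted script, with 'mimics_site'
    set when the loader's host or path embeds the site's own domain label."""
    site_sld = second_level_domain(site_host)
    findings = []
    for path, value in rows:
        for src in SCRIPT_SRC_RE.findall(value or ''):
            parsed = urlparse(refang(src))
            host = parsed.netloc.lower()
            if not host or host == site_host.lower():
                continue  # relative or same-origin include: not the pattern hunted here
            mimics = site_sld in parsed.path.lower() or site_sld in host
            findings.append({'path': path, 'src': src, 'host': host, 'mimics_site': mimics})
    return findings


# Constructed rows: one first-party include, one benign third-party tag,
# one injected loader named after the victim domain (kept defanged).
SITE_HOST = 'www.victimstore.example'
SAMPLE_ROWS = [
    ('design/head/includes',
     '<script type="text/javascript" src="/js/varien/form.js"></script>'),
    ('design/head/includes',
     '<script src="https://cdn.analytics.example/tag.js"></script>'),
    ('design/footer/absolute_footer',
     '<script type="text/javascript" src="hxxps://elegrina[.]com/assets/victimstore.js"></script>'),
]


def scan_sample():
    """Run the detector over the constructed rows and return its findings."""
    return find_injected_scripts(SAMPLE_ROWS, SITE_HOST)


if __name__ == '__main__':
    for f in scan_sample():
        tag = 'MIMICS SITE' if f['mimics_site'] else 'external'
        print(f"[{tag}] {f['path']}: {f['src']}")
```

In practice the rows come from `SELECT path, value FROM core_config_data WHERE value LIKE '%<script%'`; every external host in the output deserves a look, and a loader whose filename is your own domain is the customization the post describes.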

PropertyHive <= 1.4.25 – Unvalidated Input to do_action()

https://wpvulndb.com/vulnerabilities/9160