Orbit Fox by ThemeIsle <= 2.6.3 – Does Not Properly Authenticate REST API Calls


WooCommerce <= 3.4.5 – Authenticated Phar Deserialization


WooCommerce <= 3.4.5 – Authenticated Stored XSS


WPForms <= 1.4.8 – Unauthenticated Cross-Site Scripting (XSS)


Smush Image Compression and Optimization <= 2.9.1 – Authenticated Phar Deserialization


Fake Volkswagen Campaign Spreads Through Social Networks

We recently investigated a suspicious link received by one of my colleagues on WhatsApp. The message (in Portuguese) states that Volkswagen is offering 20 free cars until the end of the year, and directs users to participate on a site that has apparently been crafted especially for this “event”. After an initial investigation, it became clear that something was not right with the site. Several security vendors blacklisted it as a phishing site; although fishy, none of the classic phishing characteristics were present. Continue reading Fake Volkswagen Campaign Spreads Through Social Networks at Sucuri Blog.

Social Sharing Plugin – Kiwi <= 2.0.10 – Update Any Option


3 Best WordPress Security Plugins Compared

The post 3 Best WordPress Security Plugins Compared appeared first on BlogVault – The Most Reliable WordPress Management Service.

Localization and Customization of Credit Card Stealing Malware

Credit card stealing malware is becoming more and more customized. We’ve been regularly seeing injected scripts with URLs that either mimic or include a portion of the victim’s site domain. Sometimes the injected code also references the victim’s site. Recently, we’ve come across another level of customization.

Fake Payment Form in Bulgarian

A compromised Magento site had the following script injected into its core_config_data table: hxxps://elegrina[.]com/assets/<domain>.js, where <domain> was the second-level domain of the infected site. Continue reading Localization and Customization of Credit Card Stealing Malware at Sucuri Blog.

PropertyHive <= 1.4.25 – Unvalidated Input to do_action()