News, hints, manuals for CleanTalk anti-spam service
While monitoring exposed password databases we found a leaked database that contained 178 compromised credentials of CleanTalk users among other data. These emails/passwords were compromised some time ago and after that were used to create a CleanTalk account by their owners. As soon as we found this potential vulnerability – we immediately reset passwords for
While evaluating the plugin, we uncovered a vulnerability that permits the execution of Stored Cross-Site Scripting (XSS) on behalf of a contributor. This vulnerability is exploited by inserting a shortcode into a newly created post, potentially resulting in an account takeover. Main info: CVE CVE-2023-4795 Plugin Testimonial Slider Shortcode Critical High Publicly Published September 25,
During testing, a vulnerability was found that allows, through changing the settings, to implement Stored XSS on all pages where there is a mention of the plugin. This vulnerability is available on behalf of the administrator and allows you to leave javascript “backdoor” when capturing an administrative account, which will allow account takeover. Unfiltered_html capability
While examining the plugin during the testing phase, we uncovered a vulnerability that enables the execution of Stored Cross-Site Scripting (XSS) attacks, accomplished by incorporating a shortcode into a new post. This vulnerability has the potential to lead to the compromise of user accounts, particularly those of contributors. Main info: CVE CVE-2023-4646 Plugin Simple Posts
During the plugin’s testing phase, a vulnerability was identified that enables the execution of Stored XSS by an attacker who embeds a shortcode in a new post, potentially leading to an account takeover. Main info: CVE CVE-2023-4798 Plugin User Avatar – Reloaded Critical High Publicly Published September 25, 2023 Last Updated September 25, 2023 Researcher
During testing, a critical vulnerability was discovered in the plugin, namely a vulnerability in the Directory Listings system, which allows an unauthorized user to view and download private files of other users. This vulnerability poses a serious security threat because it allows an attacker to gain access to confidential data and files of other users
In the process of testing the plugin, a vulnerability was found that allows you to implement Stored XSS on behalf of the contributor by embedding the shortcode in a new post, which entails account takeover Main info: CVE CVE-2023-4289 Plugin WP Matterport Shortcode Critical High Publicly Published September 25, 2023 Last Updated September 25, 2023
During testing of the plugin, a CSRF vulnerability was discovered in action=rename, which can lead to denial of service and theft of the password from the database, thereby allowing an attacker to get inside the web application and gain a foothold in it. Replace any data in the database and do everything that an administrator
During a security assessment of the FileOrganizer plugin, a medium vulnerability was uncovered in versions up to and including 1.0.2. This vulnerability allows an attacker to manipulate the plugin’s root folder, potentially compromising the security of the entire system. The plugin does not restrict functionality on multisite instances, allowing site admins to gain full control
A severe security loophole has come to light in the Prevent files / folders access plugin, triggering concerns over the safety of WordPress websites. This vulnerability, tracked as CVE-2023-4238, opens the door to remote code execution through file uploads. Our testing revealed a startling scenario: an attacker can potentially upload a PHP file to the