Two flaws are present in the Messenger Customer Chat and Facebook for WooCommerce plugins. The first plugin allows setting up a Messenger chat window on a site, while the second allows WordPress site owners to upload their WooCommerce stores to Facebook pages.
Messenger Customer Chat is installed on more than 20,000 web resources; Facebook for WooCommerce turned out to be much more popular, with 200,000 installations.
The security issues discovered by the researchers are “cross-site request forgery” (CSRF) vulnerabilities. Using these vulnerabilities, an authenticated user can change the site settings on the WordPress engine.
Exploitation can take place under two scenarios:
Despite the lack of patches, the American company White Fir Design (database administrator for the Plugin Vulnerabilities service) published details about the vulnerabilities in two official WordPress plugins from Facebook. The reason the researchers put hundreds of thousands of sites at risk was to annoy the WordPress moderators.
After several years of controversy, Plugin Vulnerabilities decided that it would not follow the rules of the WordPress.org forums, which oblige users to report vulnerabilities in plugins not via the forums, but via email. In recent years, the Plugin Vulnerabilities team stubbornly violated these requirements, and as a result their forum accounts were blocked.
The outraged researchers decided to “take revenge” on WordPress.org: instead of reporting their findings to the developers of the problematic plugins, they began to publish details about the vulnerabilities on their blog, accompanying them with PoC exploits. In this way they described in detail vulnerabilities in Easy WP SMTP, Yuzo Related Posts, Social Warfare, Yellow Pencil Plugin and WooCommerce Checkout Manager, to the delight of cybercriminals, who immediately added the vulnerabilities to their active campaigns.
Source: For ethical reasons, we will not publish a link to these vulnerabilities.