Aggregator

2025年3月20日，国家信息安全漏洞共享平台（CNVD）收录了Foxmail邮件客户端跨站脚本攻击漏洞（CNVD-2025-06036）。

2025年3月20日，国家信息安全漏洞共享平台（CNVD）收录了Foxmail邮件客户端跨站脚本攻击漏洞（CNVD-2025-06036）。

A vulnerability, which was classified as critical, was found in detheme DethemeKit for Elementor Plugin up to 2.1.10 on WordPress. Affected is an unknown function. The manipulation leads to missing authorization. This vulnerability is traded as CVE-2025-32260. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability has been found in Woocommerce Advanced Product Organizer – Dynamic Sorting & Reordering Plugin up to 1.9 on WordPress and classified as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to missing authorization. This vulnerability is known as CVE-2025-32236. The attack can be launched remotely. There is no exploit available.

A vulnerability was found in themefusecom Brizy Plugin up to 2.6.14 on WordPress. It has been classified as problematic. This affects an unknown part. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2025-32198. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in FooBox Image Lightbox Plugin up to 2.7.33 on WordPress. It has been classified as problematic. This affects an unknown part. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2025-32139. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in vcita Contact Form Builder Plugin up to 4.10.2 on WordPress. Affected by this issue is some unknown functionality. The manipulation leads to cross site scripting. This vulnerability is handled as CVE-2025-32199. The attack may be launched remotely. There is no exploit available.

A vulnerability classified as problematic has been found in Swatchly Plugin 1.2.8/1.4.0 on WordPress. Affected is an unknown function of the component Options Update Handler. The manipulation leads to missing authorization. This vulnerability is traded as CVE-2025-2719. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability classified as critical was found in Embedder Plugin 1.3/1.3.5 on WordPress. Affected by this vulnerability is the function ajax_set_global_option. The manipulation leads to improper authorization. This vulnerability is known as CVE-2025-3417. The attack can be launched remotely. There is no exploit available.

A vulnerability, which was classified as critical, has been found in ORDER POST Plugin up to 2.0.2 on WordPress. Affected by this issue is the function do_shortcode of the component Shortcode Handler. The manipulation leads to code injection. This vulnerability is handled as CVE-2025-2805. The attack may be launched remotely. There is no exploit available.

A vulnerability, which was classified as critical, was found in azurecurve Shortcodes in Comments Plugin up to 2.0.2 on WordPress. This affects the function do_shortcode of the component Shortcode Handler. The manipulation leads to code injection. This vulnerability is uniquely identified as CVE-2025-2809. It is possible to initiate the attack remotely. There is no exploit available.

A sophisticated cyber campaign orchestrated by the Russian state-backed group Storm-2372 has emerged, exploiting device code phishing tactics to circumvent Multi-Factor Authentication (MFA) security measures. This targeted approach represents a significant escalation in threat actors’ capabilities to defeat advanced security systems through social engineering, allowing attackers to gain unauthorized access to high-value targets without triggering […]

The post Russian APT Hackers Using Device Code Phishing Technique to Bypass MFA appeared first on Cyber Security News.

ИИ теперь работает лучше копирайтеров — и атакует 420000 сайтов.

Oracle confirmed a hacker stole credentials from two obsolete servers but said no Oracle Cloud systems or customer data were affected. Oracle confirmed a hacker stole and leaked credentials from two obsolete servers, but said no Oracle Cloud systems or customer data were affected. The threat actor accessed usernames from two outdated, non-Oracle Cloud Infrastructure […]

A sophisticated fraud scheme known as SMS pumping is quietly draining millions from businesses worldwide by exploiting SMS verification systems. This cybercrime tactic, similar to a modern-day toll scam, involves artificially inflating SMS traffic through automated means, generating fraudulent revenue while leaving legitimate businesses to absorb unexpected costs. The scheme has become increasingly prevalent as […]

The post Threat Actors Turning Messaging Service into a Cash Making Machine appeared first on Cyber Security News.

IRify使用实战-SQL注入详解，快来学习看看吧~

04月26日09:00-27日09:00 等你来战！

04月26日09:00-27日09:00 等你来战！