Aggregator

CVE-2019-25223 | nik00726 Team Circle Image Slider with Lightbox Plugin up to 1.0.4 on WordPress ID sql injection

VulDB Recent Entries
8 months 3 weeks ago
A vulnerability was found in nik00726 Team Circle Image Slider with Lightbox Plugin up to 1.0.4 on WordPress. It has been classified as critical. Affected is an unknown function. The manipulation of the argument ID leads to sql injection. This vulnerability is traded as CVE-2019-25223. It is possible to launch the attack remotely. There is no exploit available.
vuldb.com

CVE-2025-2807 | Motors Plugin up to 1.4.64 on WordPress Plugin Installation mvl_setup_wizard_install_plugin authorization

VulDB Recent Entries
8 months 3 weeks ago
A vulnerability classified as critical has been found in Motors Plugin up to 1.4.64 on WordPress. Affected is the function mvl_setup_wizard_install_plugin of the component Plugin Installation Handler. The manipulation leads to missing authorization. This vulnerability is traded as CVE-2025-2807. It is possible to launch the attack remotely. There is no exploit available.
vuldb.com

CVE-2025-3437 | Motors Plugin up to 1.4.66 on WordPress Wizard ajax_actions.php authorization

VulDB Recent Entries
8 months 3 weeks ago
A vulnerability was found in Motors Plugin up to 1.4.66 on WordPress. It has been declared as critical. This vulnerability affects unknown code of the file ajax_actions.php of the component Wizard. The manipulation leads to missing authorization. This vulnerability was named CVE-2025-3437. The attack can be initiated remotely. There is no exploit available.
vuldb.com

CVE-2025-2883 | Accept SagePay Payments Using Contact Form 7 Plugin phpinfo.php information disclosure

VulDB Recent Entries
8 months 3 weeks ago
A vulnerability was found in Accept SagePay Payments Using Contact Form 7 Plugin up to 2.0 on WordPress. It has been rated as problematic. This issue affects some unknown processing of the file phpinfo.php. The manipulation leads to information disclosure. The identification of this vulnerability is CVE-2025-2883. The attack may be initiated remotely. There is no exploit available.
vuldb.com

Google Releases Android Update to Patch Two Actively Exploited Vulnerabilities

The Hackers News
8 months 3 weeks ago
Google has shipped patches for 62 vulnerabilities, two of which it said have been exploited in the wild. The two high-severity vulnerabilities are listed below - CVE-2024-53150 (CVSS score: 7.8) - An out-of-bounds flaw in the USB sub-component of Kernel that could result in information disclosure CVE-2024-53197 (CVSS score: 7.8) - A privilege escalation flaw in the USB sub-component of Kernel
The Hacker News

CVE-2025-2882 | Green.Money GreenPay Plugin up to 3.0.9 on WordPress phpinfo.php information disclosure

VulDB Recent Entries
8 months 3 weeks ago
A vulnerability was found in Green.Money GreenPay Plugin up to 3.0.9 on WordPress. It has been classified as problematic. This affects an unknown part of the file phpinfo.php. The manipulation leads to information disclosure. This vulnerability is uniquely identified as CVE-2025-2882. It is possible to initiate the attack remotely. There is no exploit available.
vuldb.com

CVE-2025-2004 | WPMinds Simple WP Events Plugin up to 1.8.17 on WordPress wp-config.php wpe_delete_file denial of service

VulDB Recent Entries
8 months 3 weeks ago
A vulnerability was found in WPMinds Simple WP Events Plugin up to 1.8.17 on WordPress and classified as critical. Affected by this issue is the function wpe_delete_file of the file wp-config.php. The manipulation leads to denial of service. This vulnerability is handled as CVE-2025-2004. The attack may be launched remotely. There is no exploit available.
vuldb.com

CVE-2025-3405 | FCJ Venture Builder appclientefiel 3.0.27 HTTP GET Request ObterPedido ORDER_ID resource injection

Vuldb Updates
8 months 3 weeks ago
A vulnerability was found in FCJ Venture Builder appclientefiel 3.0.27. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /rest/cliente/ObterPedido/ of the component HTTP GET Request Handler. The manipulation of the argument ORDER_ID leads to improper control of resource identifiers. This vulnerability is known as CVE-2025-3405. The attack can be launched remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.
vuldb.com

CVE-2025-32413 | CIRCL Vulnerability-Lookup up to 2.7.0 user.py cross site scripting

VulDB Recent Entries
8 months 3 weeks ago
A vulnerability has been found in CIRCL Vulnerability-Lookup up to 2.7.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file website/web/views/user.py. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2025-32413. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

E-ZPass收费系统在大规模网络钓鱼活动中频繁遭遇攻击

嘶吼
8 months 3 weeks ago

近期,冒充 E-ZPass 及其他收费机构的网络钓鱼活动愈演愈烈,收件人会收到多条 iMessage 和短信,企图窃取个人及信用卡信息。

这些信息中嵌入了链接,一旦点击,就会将受害者带到冒充 E-ZPass、The Toll Roads、FasTrak 或其他收费机构的钓鱼网站,试图窃取他们的个人信息,包括姓名、电子邮件地址、实际地址和信用卡信息。

这种诈骗手段并非新出现的,联邦调查局早在 2024 年 4 月就已发出过相关警告。这些短信绕过了反垃圾邮件措施,且来自看似随机的电子邮件地址,再加上攻击的规模,表明这仍是一次自动化攻击。

此次发现的诈骗短信冒充 E-ZPass 或机动车管理局直接发送。这些短信使用的语言带有紧迫感,比如称通行费需在一天或两天内支付,否则将产生额外费用,或者驾照将被吊销。

该活动中的网络钓鱼短信样本

苹果 iMessage 自动关闭来自未知发件人的信息链接,以保护用户免受短信钓鱼诈骗。为了绕过这一点,骗子会让用户回复文本,这样链接就可以点击了。

点击提供的链接将受害者带到一个E-ZPass网络钓鱼网站,除了URL,它看起来像一个合法的网站。安全研究人员测试表明,该钓鱼网站仅在手机上加载,因此桌面用户不会看到它。

受害者登录的钓鱼页面

在这种骗局中发送的短信数量如此之大,以至于用户对特定骗局发生频率表示沮丧,据统计,这种信息有时一天多达7条短信。

虽然这些信息的来源尚未确定,但最近发现了一个名为Lucid的新兴网络钓鱼即服务平台,该平台与这些类型的骗局有关。

Lucid和Darcula等平台使用加密的iMessage和RCS消息绕过传统的反垃圾邮件过滤器,发送大量文本,而不会产生与标准短信发送相关的成本。

如果用户收到其中一条消息,应该阻止并报告该号码,以便将电子邮件地址或电话号码报告给Apple。然而,作为一般规则,用户应尽量避免回应这些骗局。

对于那些担心他们有合法的未付款项的人,应该直接登录收费当局的网站来检查任何余额。邦调查局此前曾建议收件人在IC3门户网站上提出投诉。

胡金鱼

Managed ad