Aggregator

CVE-2025-62921 | Pagup Bulk Auto Image Title Attribute Plugin up to 2.0.1 on WordPress cross site scripting

7 hours 26 minutes ago

A vulnerability marked as problematic has been reported in Pagup Bulk Auto Image Title Attribute Plugin up to 2.0.1 on WordPress. This vulnerability affects unknown code. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2025-62921. The attack is possible to be carried out remotely. No exploit exists.

vuldb.com

CVE-2025-62917 | Jamel.Z Tooltipy Plugin up to 5.5.9 on WordPress cross site scripting

VulDB Recent Entries

7 hours 26 minutes ago

A vulnerability labeled as problematic has been found in Jamel.Z Tooltipy Plugin up to 5.5.9 on WordPress. This affects an unknown part. Executing manipulation can lead to cross site scripting. This vulnerability is handled as CVE-2025-62917. The attack can be executed remotely. There is not any exploit available.

vuldb.com

CVE-2025-62913 | wpopal Opal Service Plugin up to 1.9.1 on WordPress cross site scripting

VulDB Recent Entries

7 hours 26 minutes ago

A vulnerability identified as problematic has been detected in wpopal Opal Service Plugin up to 1.9.1 on WordPress. Affected by this issue is some unknown functionality. Performing manipulation results in cross site scripting. This vulnerability is known as CVE-2025-62913. Remote exploitation of the attack is possible. No exploit is available.

vuldb.com

CVE-2025-62912 | SiteGround Email Marketing Plugin up to 1.7.1 on WordPress cross site scripting

VulDB Recent Entries

7 hours 26 minutes ago

A vulnerability categorized as problematic has been discovered in SiteGround Email Marketing Plugin up to 1.7.1 on WordPress. Affected by this vulnerability is an unknown functionality. Such manipulation leads to cross site scripting. This vulnerability is traded as CVE-2025-62912. The attack may be launched remotely. There is no exploit available.

vuldb.com

CVE-2025-62911 | Rock Content Rock Convert Plugin up to 3.0.1 on WordPress cross site scripting

VulDB Recent Entries

7 hours 26 minutes ago

A vulnerability was found in Rock Content Rock Convert Plugin up to 3.0.1 on WordPress. It has been rated as problematic. Affected is an unknown function. This manipulation causes cross site scripting. This vulnerability appears as CVE-2025-62911. The attack may be initiated remotely. There is no available exploit.

vuldb.com

3000 个 YouTube 视频实为恶意软件陷阱

HackerNews

7 hours 30 minutes ago

HackerNews 编译，转载请注明出处：一个恶意YouTube账号网络被曝光，该网络通过发布和推广诱导用户下载恶意软件的视频，滥用了这一视频托管平台的普及度和用户信任来传播恶意负载。该网络自2021年开始活跃，迄今已发布了超过3000个恶意视频，且自今年年初以来此类视频数量增加了两倍。Check Point将其命名为”YouTube幽灵网络”。谷歌已介入移除了其中大部分视频。该活动利用被黑客入侵的账号，将其内容替换为以盗版软件和Roblox游戏作弊工具为中心的”恶意”视频，从而感染那些搜索这些内容而不幸中招的用户，使其感染信息窃取程序。其中一些视频的观看量高达数十万次，范围在14.7万到29.3万之间。 “这次行动利用了包括观看量、点赞和评论在内的信任信号，使恶意内容看起来安全，” Check Point 安全研究组经理 Eli Smadja 说。”看似有用的教程，实际上可能是一个精巧的网络陷阱。这个网络的规模、模块化和复杂程度，为威胁行为体如何武器化互动工具来传播恶意软件提供了一个蓝图。” 利用YouTube分发恶意软件并非新现象。多年来，威胁行为体一直被观察到劫持合法频道或使用新创建的账号发布教程式视频，并在描述中提供恶意链接，点击后会导致恶意软件感染。这些攻击是更广泛趋势的一部分，攻击者将合法平台重新用于邪恶目的，将其变为有效的恶意软件分发渠道。虽然一些活动滥用了与谷歌或必应等搜索引擎相关的合法广告网络，但其他活动则利用GitHub作为传播载体，例如”Stargazers幽灵网络”案例。 “幽灵网络”能够大行其道的主要原因之一是，它们不仅可用于放大所分享链接的感知合法性，而且由于其基于角色的结构，即使在账号被平台所有者封禁或删除后，仍能保持运营连续性。 “这些账号利用各种平台功能，如视频、描述、帖子和评论来推广恶意内容并分发恶意软件，同时制造一种虚假的信任感，”安全研究员 Antonis Terefos 表示。 “该网络大部分由被入侵的YouTube账号组成，这些账号一旦被纳入，就会被分配特定的操作角色。这种基于角色的结构实现了更隐蔽的分发，因为被禁账号可以迅速被替换，而不会中断整体运营。” 具体存在三种类型的账号：视频账号：上传诱导性视频，并在描述中提供下载所宣传软件的链接（或者，链接以置顶评论的形式分享，或直接在视频中作为安装过程的一部分提供）。帖子账号：负责发布包含外部网站链接的社区消息和帖子。互动账号：负责点赞和发布鼓励性评论，为视频披上信任和可信度的外衣。这些链接将用户引导至各种服务，如MediaFire、Dropbox或Google Drive，或托管在Google Sites、Blogger和Telegraph上的钓鱼页面，这些页面进而包含下载所谓软件的链接。在许多情况下，链接使用URL缩短器进行隐藏以掩盖真实目的地。通过YouTube幽灵网络分发的一些恶意软件家族包括Lumma Stealer、Rhadamanthys Stealer、StealC Stealer、RedLine Stealer、Phemedrone Stealer以及其他基于Node.js的加载器和下载器：一个名为 @Sound_Writer（拥有9690名订阅者）的频道，被入侵超过一年，用于上传加密货币软件视频以部署Rhadamanthys。一个名为 @Afonesio1（拥有12.9万名订阅者）的频道，在2024年12月3日和2025年1月5日被入侵，上传了一个宣传Adobe Photoshop破解版的视频，用于分发一个MSI安装程序，该安装程序会部署Hijack Loader，进而传递Rhadamanthys。 “恶意软件分发方法的持续演变，表明了威胁行为体在绕过传统安全防御方面卓越的适应性和资源丰富性，” Check Point 表示。”对手正越来越多地转向更复杂的、基于平台的策略，最显著的是部署’幽灵网络’。” “这些网络利用合法账号固有的信任以及流行平台的互动机制，来策划大规模、持久且高效的恶意软件活动。” 消息来源：thehackernews；本文由 HackerNews.cc 翻译整理，封面来源于网络；转载请注明“转自 HackerNews.cc”并附上原文

hackernews

CVE-2025-62910 | deshine Video Gallery by Huzzaz Plugin up to 10.5 on WordPress cross site scripting

VulDB Recent Entries

7 hours 31 minutes ago

A vulnerability was found in deshine Video Gallery by Huzzaz Plugin up to 10.5 on WordPress. It has been declared as problematic. This impacts an unknown function. The manipulation results in cross site scripting. This vulnerability is reported as CVE-2025-62910. The attack can be launched remotely. No exploit exists.

vuldb.com

CVE-2025-62899 | Thrive Photospace Responsive Plugin up to 2.2.0 on WordPress cross site scripting

VulDB Recent Entries

7 hours 31 minutes ago

A vulnerability was found in Thrive Photospace Responsive Plugin up to 2.2.0 on WordPress. It has been classified as problematic. This affects an unknown function. The manipulation leads to cross site scripting. This vulnerability is documented as CVE-2025-62899. The attack can be initiated remotely. There is not any exploit available.

vuldb.com

CVE-2025-62905 | Justin Tadlock Query Posts Plugin up to 0.3.2 on WordPress cross site scripting

VulDB Recent Entries

7 hours 31 minutes ago

A vulnerability was found in Justin Tadlock Query Posts Plugin up to 0.3.2 on WordPress and classified as problematic. The impacted element is an unknown function. Executing manipulation can lead to cross site scripting. This vulnerability is registered as CVE-2025-62905. It is possible to launch the attack remotely. No exploit is available.

vuldb.com

CVE-2025-62900 | WeblineIndia Popular Posts Plugin up to 1.1.1 on WordPress cross site scripting

VulDB Recent Entries

7 hours 31 minutes ago

A vulnerability has been found in WeblineIndia Popular Posts Plugin up to 1.1.1 on WordPress and classified as problematic. The affected element is an unknown function. Performing manipulation results in cross site scripting. This vulnerability is cataloged as CVE-2025-62900. It is possible to initiate the attack remotely. There is no exploit available.

vuldb.com

从JFinal4.5 CMS 接触JAVA代码审计

先知技术社区

7 hours 31 minutes ago

从初学者的角度来进行代码审计

Птицы больше не поют. В «Кремниевой долине 2.0» гул серверов Amazon и Google заменил звуки природы

Securitylab.ru

7 hours 32 minutes ago

Жители Лаудона покупали дома подальше от цивилизации, но серверные фермы нашли их и там.

美国以能源为抓手推动地缘政治遏制与印太战略重构对华影响分析

情报分析师

7 hours 32 minutes ago

2025年10月，美国财政部长斯科特·贝森特在华盛顿与日本财务大臣加藤胜信密谈，要求日本停止进口俄罗斯能源；

鲜为人知的 X/Twitter 高级精准搜索技能

情报分析师

7 hours 32 minutes ago

X平台已超越了单纯的社交网络，它现在是一个关键的数据收集工具。每秒钟大约有6,000条消息被发布。

CVE-2025-62898 | Maarten Links shortcode Plugin up to 1.8.3 on WordPress links-shortcode cross site scripting

VulDB Recent Entries

7 hours 33 minutes ago

A vulnerability, which was classified as problematic, was found in Maarten Links shortcode Plugin up to 1.8.3 on WordPress. Impacted is the function links-shortcode. Such manipulation leads to cross site scripting. This vulnerability is listed as CVE-2025-62898. The attack may be performed from remote. There is no available exploit.

vuldb.com

CVE-2025-62894 | magicoders ACF Recent Posts Widget Plugin up to 5.9.3 on WordPress cross site scripting

VulDB Recent Entries

7 hours 33 minutes ago

A vulnerability, which was classified as problematic, has been found in magicoders ACF Recent Posts Widget Plugin up to 5.9.3 on WordPress. This issue affects some unknown processing. This manipulation causes cross site scripting. This vulnerability is tracked as CVE-2025-62894. The attack is possible to be carried out remotely. No exploit exists.

vuldb.com

CVE-2025-62891 | Jory Hogeveen Off-Canvas Sidebars & Menus Plugin up to 0.5.8.5 on WordPress cross-site request forgery

VulDB Recent Entries

7 hours 33 minutes ago

A vulnerability classified as problematic was found in Jory Hogeveen Off-Canvas Sidebars & Menus Plugin up to 0.5.8.5 on WordPress. This vulnerability affects unknown code. The manipulation results in cross-site request forgery. This vulnerability is identified as CVE-2025-62891. The attack can be executed remotely. There is not any exploit available.

vuldb.com

CVE-2025-62887 | KingAddons King Addons for Elementor Plugin up to 51.1.37 on WordPress cross site scripting

VulDB Recent Entries

7 hours 33 minutes ago

A vulnerability classified as problematic has been found in KingAddons King Addons for Elementor Plugin up to 51.1.37 on WordPress. This affects an unknown part. The manipulation leads to cross site scripting. This vulnerability is referenced as CVE-2025-62887. Remote exploitation of the attack is possible. No exploit is available.

vuldb.com

CVE-2025-62885 | RexTheme WP VR Plugin up to 8.5.42 on WordPress cross site scripting

VulDB Recent Entries

7 hours 33 minutes ago

A vulnerability described as problematic has been identified in RexTheme WP VR Plugin up to 8.5.42 on WordPress. Affected by this issue is some unknown functionality. Executing manipulation can lead to cross site scripting. The identification of this vulnerability is CVE-2025-62885. The attack may be launched remotely. There is no exploit available.

vuldb.com

CVE-2025-62920 | webnique USERCENTRICS CMP Plugin up to 1.0.9 on WordPress cross site scripting

VulDB Recent Entries

7 hours 33 minutes ago

A vulnerability marked as problematic has been reported in webnique USERCENTRICS CMP Plugin up to 1.0.9 on WordPress. Affected by this vulnerability is an unknown functionality. Performing manipulation results in cross site scripting. This vulnerability was named CVE-2025-62920. The attack may be initiated remotely. There is no available exploit.

vuldb.com

Aggregator

Managed ad