Aggregator

A vulnerability was found in tempranova WP Mapbox GL JS Maps Plugin up to 3.0.1 on WordPress. It has been declared as problematic. Affected by this issue is some unknown functionality. Such manipulation leads to cross site scripting. This vulnerability is documented as CVE-2025-62942. The attack can be executed remotely. There is not any exploit available.

A vulnerability was found in RealMag777 MDTF Plugin up to 1.3.4 on WordPress. It has been classified as critical. Affected by this vulnerability is an unknown functionality. This manipulation causes missing authorization. This vulnerability is registered as CVE-2025-62964. Remote exploitation of the attack is possible. No exploit is available.

A vulnerability was found in videowhisper Paid Videochat Turnkey Site Plugin up to 7.3.22 on WordPress and classified as critical. Affected is an unknown function. The manipulation results in code injection. This vulnerability is cataloged as CVE-2025-62959. The attack may be launched remotely. There is no exploit available.

目前还没有证据表明 AI 能显著提高生产力，然而今天企业大幅裁员时通常会把 AI 作为借口。Oxford Internet Institute 的 AI 和工作助理教授 Fabian Stephany 怀疑裁员与新技术带来的效率提升相关，企业只是将 AI 作为裁员的借口。Stephany 表示，企业以此将自己定位在 AI 技术的前沿，展现创新性和竞争力，同时掩盖裁员的真实原因。很多企业在新冠疫情期间招聘了太多员工，近期的裁员可能只是一种“市场清理”。Jean-Christophe Bouglé 在一篇热门的 LinkedIn 帖子中表示，AI 普及速度比宣称的慢得多，大型企业中 AI 进展缓慢，甚至会由于成本或安全问题而推迟部署 AI 项目。在很多国家经济放缓的背景下，企业以 AI 为借口推行大规模裁员。

A vulnerability has been found in aviplugins Custom Post Type Attachment Plugin up to 3.4.6 on WordPress and classified as problematic. This impacts an unknown function. The manipulation leads to cross site scripting. This vulnerability is listed as CVE-2025-62907. The attack may be initiated remotely. There is no available exploit.

A vulnerability, which was classified as problematic, was found in Ben Huson WP Geo Plugin up to 3.5.1 on WordPress. This affects an unknown function. Executing manipulation can lead to cross site scripting. This vulnerability is tracked as CVE-2025-62904. The attack can be launched remotely. No exploit exists.

A vulnerability, which was classified as problematic, has been found in Joe Open Currency Converter Plugin up to 1.5.0 on WordPress. The impacted element is an unknown function. Performing manipulation results in cross site scripting. This vulnerability is identified as CVE-2025-62939. The attack can be initiated remotely. There is not any exploit available.

A vulnerability classified as problematic was found in Johnny Post List Featured Image Plugin up to 0.5.9 on WordPress. The affected element is an unknown function. Such manipulation leads to cross site scripting. This vulnerability is referenced as CVE-2025-62937. It is possible to launch the attack remotely. No exploit is available.

A vulnerability classified as problematic has been found in RomanCode MapSVG Plugin up to 8.7.15 on WordPress. Impacted is an unknown function. This manipulation causes cross site scripting. The identification of this vulnerability is CVE-2025-62930. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability described as problematic has been identified in Debuggers Studio Marquee Addons for Elementor Plugin up to 3.7.12 on WordPress. This issue affects some unknown processing. The manipulation results in cross site scripting. This vulnerability was named CVE-2025-62923. The attack may be performed from remote. There is no available exploit.

A vulnerability marked as problematic has been reported in Pagup Bulk Auto Image Title Attribute Plugin up to 2.0.1 on WordPress. This vulnerability affects unknown code. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2025-62921. The attack is possible to be carried out remotely. No exploit exists.

A vulnerability labeled as problematic has been found in Jamel.Z Tooltipy Plugin up to 5.5.9 on WordPress. This affects an unknown part. Executing manipulation can lead to cross site scripting. This vulnerability is handled as CVE-2025-62917. The attack can be executed remotely. There is not any exploit available.

A vulnerability identified as problematic has been detected in wpopal Opal Service Plugin up to 1.9.1 on WordPress. Affected by this issue is some unknown functionality. Performing manipulation results in cross site scripting. This vulnerability is known as CVE-2025-62913. Remote exploitation of the attack is possible. No exploit is available.

A vulnerability categorized as problematic has been discovered in SiteGround Email Marketing Plugin up to 1.7.1 on WordPress. Affected by this vulnerability is an unknown functionality. Such manipulation leads to cross site scripting. This vulnerability is traded as CVE-2025-62912. The attack may be launched remotely. There is no exploit available.

A vulnerability was found in Rock Content Rock Convert Plugin up to 3.0.1 on WordPress. It has been rated as problematic. Affected is an unknown function. This manipulation causes cross site scripting. This vulnerability appears as CVE-2025-62911. The attack may be initiated remotely. There is no available exploit.

HackerNews 编译，转载请注明出处： 一个恶意YouTube账号网络被曝光，该网络通过发布和推广诱导用户下载恶意软件的视频，滥用了这一视频托管平台的普及度和用户信任来传播恶意负载。 该网络自2021年开始活跃，迄今已发布了超过3000个恶意视频，且自今年年初以来此类视频数量增加了两倍。Check Point将其命名为”YouTube幽灵网络”。谷歌已介入移除了其中大部分视频。 该活动利用被黑客入侵的账号，将其内容替换为以盗版软件和Roblox游戏作弊工具为中心的”恶意”视频，从而感染那些搜索这些内容而不幸中招的用户，使其感染信息窃取程序。其中一些视频的观看量高达数十万次，范围在14.7万到29.3万之间。 “这次行动利用了包括观看量、点赞和评论在内的信任信号，使恶意内容看起来安全，” Check Point 安全研究组经理 Eli Smadja 说。”看似有用的教程，实际上可能是一个精巧的网络陷阱。这个网络的规模、模块化和复杂程度，为威胁行为体如何武器化互动工具来传播恶意软件提供了一个蓝图。” 利用YouTube分发恶意软件并非新现象。多年来，威胁行为体一直被观察到劫持合法频道或使用新创建的账号发布教程式视频，并在描述中提供恶意链接，点击后会导致恶意软件感染。 这些攻击是更广泛趋势的一部分，攻击者将合法平台重新用于邪恶目的，将其变为有效的恶意软件分发渠道。虽然一些活动滥用了与谷歌或必应等搜索引擎相关的合法广告网络，但其他活动则利用GitHub作为传播载体，例如”Stargazers幽灵网络”案例。 “幽灵网络”能够大行其道的主要原因之一是，它们不仅可用于放大所分享链接的感知合法性，而且由于其基于角色的结构，即使在账号被平台所有者封禁或删除后，仍能保持运营连续性。 “这些账号利用各种平台功能，如视频、描述、帖子和评论来推广恶意内容并分发恶意软件，同时制造一种虚假的信任感，”安全研究员 Antonis Terefos 表示。 “该网络大部分由被入侵的YouTube账号组成，这些账号一旦被纳入，就会被分配特定的操作角色。这种基于角色的结构实现了更隐蔽的分发，因为被禁账号可以迅速被替换，而不会中断整体运营。” 具体存在三种类型的账号： 视频账号：上传诱导性视频，并在描述中提供下载所宣传软件的链接（或者，链接以置顶评论的形式分享，或直接在视频中作为安装过程的一部分提供）。 帖子账号：负责发布包含外部网站链接的社区消息和帖子。 互动账号：负责点赞和发布鼓励性评论，为视频披上信任和可信度的外衣。 这些链接将用户引导至各种服务，如MediaFire、Dropbox或Google Drive，或托管在Google Sites、Blogger和Telegraph上的钓鱼页面，这些页面进而包含下载所谓软件的链接。在许多情况下，链接使用URL缩短器进行隐藏以掩盖真实目的地。 通过YouTube幽灵网络分发的一些恶意软件家族包括Lumma Stealer、Rhadamanthys Stealer、StealC Stealer、RedLine Stealer、Phemedrone Stealer以及其他基于Node.js的加载器和下载器： 一个名为 @Sound_Writer（拥有9690名订阅者）的频道，被入侵超过一年，用于上传加密货币软件视频以部署Rhadamanthys。 一个名为 @Afonesio1（拥有12.9万名订阅者）的频道，在2024年12月3日和2025年1月5日被入侵，上传了一个宣传Adobe Photoshop破解版的视频，用于分发一个MSI安装程序，该安装程序会部署Hijack Loader，进而传递Rhadamanthys。 “恶意软件分发方法的持续演变，表明了威胁行为体在绕过传统安全防御方面卓越的适应性和资源丰富性，” Check Point 表示。”对手正越来越多地转向更复杂的、基于平台的策略，最显著的是部署’幽灵网络’。” “这些网络利用合法账号固有的信任以及流行平台的互动机制，来策划大规模、持久且高效的恶意软件活动。”   消息来源：thehackernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability was found in deshine Video Gallery by Huzzaz Plugin up to 10.5 on WordPress. It has been declared as problematic. This impacts an unknown function. The manipulation results in cross site scripting. This vulnerability is reported as CVE-2025-62910. The attack can be launched remotely. No exploit exists.

A vulnerability was found in Thrive Photospace Responsive Plugin up to 2.2.0 on WordPress. It has been classified as problematic. This affects an unknown function. The manipulation leads to cross site scripting. This vulnerability is documented as CVE-2025-62899. The attack can be initiated remotely. There is not any exploit available.

A vulnerability was found in Justin Tadlock Query Posts Plugin up to 0.3.2 on WordPress and classified as problematic. The impacted element is an unknown function. Executing manipulation can lead to cross site scripting. This vulnerability is registered as CVE-2025-62905. It is possible to launch the attack remotely. No exploit is available.

A vulnerability has been found in WeblineIndia Popular Posts Plugin up to 1.1.1 on WordPress and classified as problematic. The affected element is an unknown function. Performing manipulation results in cross site scripting. This vulnerability is cataloged as CVE-2025-62900. It is possible to initiate the attack remotely. There is no exploit available.