Aggregator

A vulnerability classified as problematic has been found in Mailchimp List Subscribe Form Plugin up to 2.0.0 on WordPress. This vulnerability affects the function mailchimp_sf_change_list_if_necessary. Performing a manipulation results in cross-site request forgery. This vulnerability is cataloged as CVE-2025-12172. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability described as problematic has been identified in Aruba HiSpeed Cache Plugin up to 3.0.2 on WordPress. This affects an unknown part. Such manipulation of the argument dbstatus leads to cross site scripting. This vulnerability is listed as CVE-2025-11706. The attack may be performed from remote. There is no available exploit.

A vulnerability marked as critical has been reported in Printful Integration for WooCommerce Plugin up to 2.2.11 on WordPress. Affected by this issue is the function download_url of the component REST API Endpoint. This manipulation causes server-side request forgery. This vulnerability is tracked as CVE-2025-12375. The attack is possible to be carried out remotely. No exploit exists.

A vulnerability labeled as critical has been found in Printful Integration for WooCommerce Plugin up to 2.2.11 on WordPress. Affected by this vulnerability is the function download_url of the component REST API Endpoint. The manipulation results in server-side request forgery. This vulnerability is identified as CVE-2025-12375. The attack can be executed remotely. There is not any exploit available.

A vulnerability identified as problematic has been detected in Renden Plugin up to 1.8.1 on WordPress. Affected is an unknown function of the component Post Title Handler. The manipulation leads to cross site scripting. This vulnerability is referenced as CVE-2025-12117. Remote exploitation of the attack is possible. No exploit is available.

A vulnerability categorized as problematic has been discovered in accessiBe Web Accessibility Plugin up to 2.11 on WordPress. This impacts the function accessibe_render_js_in_footer. Executing a manipulation can lead to information disclosure. The identification of this vulnerability is CVE-2025-13113. The attack may be launched remotely. There is no exploit available.

A vulnerability was found in Tablesome Table Plugin up to 0.5.4/1.2.1 on WordPress. It has been rated as critical. This affects the function get_table_data. Performing a manipulation results in missing authorization. This vulnerability was named CVE-2025-12845. The attack may be initiated remotely. There is no available exploit.

A vulnerability was found in Advanced Ads Plugin up to 2.0.14 on WordPress. It has been declared as problematic. The impacted element is the function placement_update_item. Such manipulation leads to missing authorization. This vulnerability is uniquely identified as CVE-2025-12884. The attack can be launched remotely. No exploit exists.

Prompt Security from SentinelOne turns hidden agent activity into clear, actionable governance intelligence with the release of OneClaw.

Глава Лиги безопасного интернета вступилась за разработчиков Linux.

烧香祈福求顺遂 🙏 心诚则灵好运连 🕊️

Cryptojacking campaign used pirated software to deploy a persistent XMRig miner with stealth tactics

A former federal election official says the FBI's affidavit justifying last month's Fulton County raid misrepresented basic election facts, despite the agency's claims having already been investigated and debunked by Georgia officials. 

The post Fulton County lawsuit claims feds used ‘gross mischaracterizations’ to justify raid appeared first on CyberScoop.

今日暂未更新资讯~
更多最新文章，请访问SecWiki

A vulnerability classified as very critical has been found in Ksenia Lares 4.0 Home Automation 1.6. This affects an unknown part of the component XML File Parser. This manipulation causes exposure of file descriptor to unintended control sphere ('file descriptor leak'). This vulnerability is handled as CVE-2025-15114. The attack can be initiated remotely. There is not any exploit available.

A vulnerability identified as problematic has been detected in catdoc 0.95. Affected is an unknown function of the component OLE Document DIFAT Parser. This manipulation causes integer underflow. This vulnerability is tracked as CVE-2024-54028. The attack is restricted to local execution. No exploit exists.

在你点击邮件的日程邀请的「接受」按钮前，务必三思, 这很可能是一场钓鱼骗局，近期有攻击者通过伪造微软与谷歌日程邀请，钓鱼定向窃取用户的登录凭证。 这类钓鱼邀约的伪装手段愈发精密，往往会高度复刻微软、谷歌等知名平台的官方界面样式，极具迷惑性。 攻击者盯上了商务场景中高频出现的日程会议邀约类邮件，通过仿冒用户的日常工作行为，诱导企业员工输入登录凭证。最常见的攻击形式，就是一封看似毫无风险的伪造会议邀请，正因为这类邮件是员工的日常工作内容，绝大多数人都会不假思索地点击操作。 如图1所示，在该攻击案例中，攻击者制作了一个高度复刻 Outlook 官方样式的按钮，以此误导用户，提升钓鱼攻击的成功率。攻击者通过使用用户熟悉的品牌配色，伪造带有紧急属性的日历邀请，让邮件看起来极具真实感。高度还原的配色极具迷惑性，能大幅提升邮件的视觉可信度，一旦吸引了目标用户的注意，用户就很可能因为按钮与官方样式完全一致，而不假思索地点击。 用户点击按钮后，会被重定向至钓鱼页面，页面会展示一个与微软官方登录界面高度相似的伪造页面（见图2）。但只要仔细核查页面 URL 就能发现，该网站的域名与微软官方登录页面完全不符，并非微软官方站点。用户一旦在该登录页面输入账号凭证，就意味着钓鱼攻击成功，用户的登录信息会在毫不知情的情况下被攻击者窃取。

Зашифрованные чаты не спасли от внезапного визита спецназа.