Aggregator

The second wave of the Shai-Hulud supply chain attack has spilled over to the Maven ecosystem after compromising more than 830 packages in the npm registry. The Socket Research Team said it identified a Maven Central package named org.mvnpm:posthog-node:4.18.1 that embeds the same two components associated with Sha1-Hulud: the "setup_bun.js" loader and the main payload "bun_environment.js." The

A vulnerability marked as problematic has been reported in WP Directory Kit Plugin up to 1.4.5 on WordPress. Affected by this issue is some unknown functionality. This manipulation of the argument order_by causes cross site scripting. This vulnerability is handled as CVE-2025-13525. The attack can be initiated remotely. There is not any exploit available.

A vulnerability labeled as problematic has been found in StaffList Plugin up to 3.2.6 on WordPress. Affected by this vulnerability is an unknown functionality of the component Admin Setting Handler. The manipulation results in cross site scripting. This vulnerability is known as CVE-2025-12185. It is possible to launch the attack remotely. No exploit is available.

A vulnerability identified as problematic has been detected in Simple Folio Plugin up to 1.1.0 on WordPress. Affected is an unknown function. The manipulation of the argument portfolio_name leads to cross site scripting. This vulnerability is traded as CVE-2025-12151. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability categorized as problematic has been discovered in Poll, Survey & Quiz Maker Plugin by Opinion Stage Plugin up to 19.12.0 on WordPress. This impacts the function disconnect_account_action. Executing manipulation can lead to cross-site request forgery. This vulnerability appears as CVE-2025-13143. The attack may be performed from remote. There is no available exploit.

A vulnerability was found in Customer Reviews Collector for WooCommerce Plugin up to 4.6.1 on WordPress. It has been rated as problematic. This affects an unknown function. Performing manipulation of the argument text results in cross site scripting. This vulnerability is reported as CVE-2025-12123. The attack is possible to be carried out remotely. No exploit exists.

A vulnerability was found in Tiare Membership Plugin up to 1.2 on WordPress. It has been declared as critical. The impacted element is the function tiare_membership_init_rest_api_register. Such manipulation leads to improper privilege management. This vulnerability is documented as CVE-2025-13540. The attack can be executed remotely. There is not any exploit available.

A vulnerability was found in SKT PayPal for WooCommerce Plugin up to 1.4 on WordPress. It has been classified as critical. The affected element is an unknown function of the component Payment Handler. This manipulation causes client-side enforcement of server-side security. This vulnerability is registered as CVE-2025-7820. Remote exploitation of the attack is possible. No exploit is available.

A vulnerability was found in Tiger Plugin up to 101.2.1 on WordPress and classified as critical. Impacted is an unknown function of the file paypal-submit.php. The manipulation results in improper privilege management. This vulnerability is cataloged as CVE-2025-13675. The attack may be launched remotely. There is no exploit available.

ASUS назвала целых девять причин, чтобы как можно скорее обновить прошивку.

via the comic artistry and dry wit of Randall Munroe, creator of XKCD

Permalink

The post Randall Munroe’s XKCD ‘Heart Mountain’ appeared first on Security Boulevard.

Submit #672226 / VDB-329026

Instead of a duty of care, the KOSA draft includes language saying that platforms must establish and maintain “reasonable policies, practices, and procedures” that address harms to minors, including threats of physical violence, sexual exploitation and drug sales.

A vulnerability has been found in OpenCode USSD Gateway OC 6.13.11 and classified as critical. This issue affects the function getSubUsersByProvider. The manipulation of the argument ID leads to sql injection. This vulnerability is listed as CVE-2025-65235. The attack may be initiated remotely. There is no available exploit.