HackDig : Dig high-quality web security articles for hackers

Critical flaws in Orbit Fox WordPress plugin allow site takeover

Two vulnerabilities in the Orbit Fox WordPress plugin, a privilege-escalation issue and a stored XSS bug, can allow site takeover. Security experts from Wordfence have discovered two security vulnerabilities in the Orbit Fox WordPress plugin. The flaws are a privilege-escalation vulnerability and a stored XSS bug that impacts over 40,000 installs. The
Publish At:2021-01-17 10:36 | Read:206 | Comments:0 | Tags:Breaking News Hacking hacking news information security news

WordPress Plugin W3 Total Cache Unauthenticated Arbitrary File Read (Metasploit)

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name' => '
Publish At:2021-01-06 12:21 | Read:199 | Comments:0 | Tags: wordpress

WordPress Duplicator 1.3.26 Directory Traversal / File Read

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
Publish At:2021-01-03 14:09 | Read:221 | Comments:0 | Tags: wordpress

WordPress Plugin Adning Advertising 1.5.5 - Arbitrary File Upload

# Exploit Title: WordPress Plugin Adning Advertising 1.5.5 - Arbitrary File Upload
# Google Dork: inurl:/wp-content/plugins/angwp
# Date: 23/12/2020
# Exploit Author: bilal
# Tested on: Linux parrot amd64

import os.path
from os import path
import json
import requests
import sys

def print_banner():
    print("Adning Advertising < 1.5.6 - Arbitrary File Upload"
Publish At:2020-12-28 16:35 | Read:249 | Comments:0 | Tags: wordpress

WordPress Plugin W3 Total Cache - Unauthenticated Arbitrary File Read (Metasploit)

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name' => '
Publish At:2020-12-23 16:51 | Read:252 | Comments:0 | Tags: wordpress

WordPress Yet Another Stars Rating PHP Object Injection

class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'WordPress PHP Object Injection in Yet Another Stars Ratin
Publish At:2020-12-20 14:45 | Read:364 | Comments:0 | Tags: wordpress

WordPress Plugin Duplicator 1.3.26 Unauthenticated Arbitrary File Read (Metasploit)

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
Publish At:2020-12-18 12:03 | Read:215 | Comments:0 | Tags: wordpress

5 million WordPress sites potentially impacted by a Contact Form 7 flaw

The development team behind the Contact Form 7 WordPress plugin discloses an unrestricted file upload vulnerability. Jinson Varghese Behanan from Astra Security discovered an unrestricted file upload vulnerability in the popular Contact Form 7 WordPress plugin. The WordPress plugin allows users to add multiple contact forms on their site.
Publish At:2020-12-17 17:30 | Read:194 | Comments:0 | Tags:Breaking News Hacking Contact Form 7 information security ne

WordPress plugin with 5 million installs has a critical vulnerability

The team behind a popular WordPress plugin has disclosed a critical file upload vulnerability and issued a patch. The vulnerable plugin, Contact Form 7, has over 5 million active installs, making this urgent upgrade a necessity for WordPress site owners out there. Unrestricted file upload: this week, the Contact Form 7 project has disclo
Publish At:2020-12-17 13:55 | Read:249 | Comments:0 | Tags:Security Technology Vulnerability wordpress

WordPress Easy WP SMTP zero-day potentially exposes hundreds of thousands of sites to hack

Threat actors are actively exploiting a zero-day vulnerability in the popular Easy WP SMTP WordPress plugin installed on more than 500,000 sites. Hackers are actively exploiting a zero-day vulnerability in the popular Easy WP SMTP WordPress plugin to reset passwords for admin accounts. The SMTP WordPress plugin is installed on more than 500,000 sites,
Publish At:2020-12-12 08:48 | Read:195 | Comments:0 | Tags:Breaking News Hacking information security news IT Informati

Reflected XSS in WordPress - DirectoriesPro 1.3.45 plugin disclosure

Title: Reflected XSS
Product: WordPress DirectoriesPro Plugin by SabaiApps
Vendor Homepage: https://directoriespro.com/
Vulnerable Version: 1.3.45
Fixed Version: 1.3.46
CVE Number: CVE-2020-29303
Author: Jack Misiura from The Missing Link
Website: https://www.themissinglink.com.au
Timeline:
2020-11-26 Disclosed to Vendor
2020-11-27 Vendor releases patched ve
Publish At:2020-12-11 17:15 | Read:150 | Comments:0 | Tags: Xss wordpress

Self-reflected XSS in WordPress DirectoriesPro 1.3.45 plugin disclosure.

Title: Self-reflected XSS
Product: WordPress DirectoriesPro Plugin by SabaiApps
Vendor Homepage: https://directoriespro.com/
Vulnerable Version: 1.3.45
Fixed Version: 1.3.46
CVE Number: CVE-2020-29304
Author: Jack Misiura from The Missing Link
Website: https://www.themissinglink.com.au
Timeline:
2020-11-26 Disclosed to Vendor
2020-11-27 Vendor releases patch
Publish At:2020-12-11 17:15 | Read:130 | Comments:0 | Tags: Xss wordpress

WordPress Simple File List Unauthenticated Remote Code Execution

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    supe
Publish At:2020-11-25 21:57 | Read:261 | Comments:0 | Tags: wordpress

Large-scale campaign targets vulnerable Epsilon Framework WordPress themes

Hackers are scanning the Internet for WordPress websites with Epsilon Framework themes installed to launch Function Injection attacks. Experts at the Wordfence Threat Intelligence team uncovered a large-scale wave of attacks targeting reported Function Injection vulnerabilities in themes using the Epsilon Framework. Below is a list of themes and related v
Publish At:2020-11-18 04:13 | Read:365 | Comments:0 | Tags:Breaking News Hacking Epsilon Framework information security

Hackers are actively probing millions of WordPress sites

Unknown threat actors are scanning for WordPress websites with Epsilon Framework themes installed on over 150,000 sites and vulnerable to Function Injection attacks that could lead to full site takeovers. "So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites targeting these vulnerabilities, coming from o
Publish At:2020-11-17 20:13 | Read:349 | Comments:0 | Tags:Security wordpress hack
