Habdul Hazeez

Security news weekly round-up - 13th December 2024

Introduction

We have two things to discuss today: vulnerabilities and phishing. I am pretty sure that you're not surprised. I mean, we have covered these so many times that I have lost count. You might think it's repetition, but it's not. We cover these topics almost every week, and that shows the constant threat they pose to me, you, and every other internet user out there.

Okay. Let's get to it.


WPForms bug allows Stripe refunds on millions of WordPress sites

How many of you would reject free money if you had a way to get it? Be honest. Are you one of them? Well, that's the case in this article. Luckily, at the time of writing, a patch is available.

Here is what happened:

The vulnerability stems from improperly using the function 'wpforms_is_admin_ajax()' to determine if a request is an admin AJAX call.

While this function checks if the request originates from an admin path, it does not enforce capability checks to restrict access based on the user's role or permissions.

This allows any authenticated user, even subscribers, to invoke sensitive AJAX functions like 'ajax_single_payment_refund(),' which executes Stripe refunds, and 'ajax_single_payment_cancel(),' which cancels subscriptions.
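To make the excerpt concrete, here is an added illustration written for this post (hypothetical plugin code, not WPForms' own code) of the difference between a handler that only asks "is this an admin AJAX request?" and one that also enforces a nonce and a capability check. The hook names, the `demo_refund_payment()` helper and the `manage_options` capability are assumptions.

```php
<?php
// Added example: hypothetical WordPress AJAX refund handlers, not WPForms' code.
// Assumed helper: demo_refund_payment() is where the payment provider's refund
// API would be called; 'manage_options' stands in for whichever role should be
// allowed to issue refunds.

function demo_refund_payment( $payment_id ) {
    // Hypothetical stub: call the payment provider's refund API here.
    return true;
}

// WEAK PATTERN: the gate only checks that the request is an admin AJAX call.
// is_admin() is true for any request to /wp-admin/admin-ajax.php, including
// one sent by a logged-in subscriber, so it says nothing about the caller's role.
function demo_refund_vulnerable() {
    if ( ! ( is_admin() && wp_doing_ajax() ) ) {
        wp_send_json_error( 'Not an admin AJAX request', 403 );
    }
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    demo_refund_payment( $payment_id ); // any authenticated user reaches this line
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_refund_vulnerable', 'demo_refund_vulnerable' );

// HARDENED PATTERN: the request path is irrelevant. What matters is
// (1) a nonce tied to this action, issued to the admin page with
//     wp_create_nonce( 'demo_refund_nonce' ), which blocks CSRF, and
// (2) a capability check, so only privileged users can trigger a refund.
function demo_refund_hardened() {
    check_ajax_referer( 'demo_refund_nonce', 'nonce' ); // dies with 403 on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( ! $payment_id ) {
        wp_send_json_error( 'Invalid payment id', 400 );
    }
    demo_refund_payment( $payment_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_refund_hardened', 'demo_refund_hardened' );
```

When auditing a plugin, the question to ask of every `wp_ajax_*` handler is whether it reaches `current_user_can()` (or an equivalent role check) before doing anything sensitive; a path or "is AJAX" test alone is not authorization.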

Phishing: The Silent Precursor to Data Breaches

If there is anything you can do for your organization, it should be intensive training on how to identify phishing. You'll be glad that you did. Meanwhile, if you think that I am exaggerating, take some minutes of your time and read the article carefully. To get you started, I have an excerpt for you below.

For instance, the Colonial Pipeline cyberattack in 2021 began with a Phishing-related compromise that led to a ransomware attack, disrupting fuel supplies across the U.S. and exposing critical infrastructure vulnerabilities.

Critical WordPress plugin vulnerability under active exploit threatens thousands

It's another week, and we're talking about another WordPress plugin vulnerability (counting the first reviewed article, make it two). Sometimes I get tired of writing about them, but I have to. You have to know the threats that are out there. Moreover, WordPress has a large user base, and you could be considering it for your next website project.

Here is what happened with the plugin in question:

...the initial vector was CVE-2024-11972. The exploit allowed the hackers behind the attack to cause vulnerable sites to automatically navigate to wordpress.org and download WP Query Console, a plugin that hasn’t been updated in years.

The attackers then exploited a vulnerability in the latter plugin that allowed them to execute malicious code. The WP Query Console vulnerability, tracked as CVE-2024-50498, carries a severity score of 10 and remains unpatched.

Microsoft MFA Bypassed via AuthQuake Attack

It sends shivers down my spine when I read articles like this one. I mean, an MFA bypass? What protection remains if attackers successfully bypass MFA? The good news is that, according to the article, Microsoft released a permanent fix in October 2024.

But before that, here is what happened:

According to Oasis, the vulnerability, which is described as critical, could have allowed threat actors to bypass Microsoft’s MFA and gain access to accounts — provided that they had the target’s username and password.

Oasis said the AuthQuake bypass method was dangerous because it only took (on average) an hour to execute, it required no user interaction, and it would not trigger any notification to the victim.

Researchers find security flaws in Skoda cars that may let hackers remotely track them

That moment when you want to live off the grid but your car allows you to be tracked. I know. So disappointing. The excerpt below is a quick summary of the vulnerability.

The vulnerabilities, discovered in the vehicle’s MIB3 infotainment unit, could allow attackers to achieve unrestricted code execution and run malicious code every time the unit starts.

This could let an attacker obtain live vehicle GPS coordinates and speed data, record conversations via the in-car microphone, take screenshots of the infotainment display, and play arbitrary sounds in the car.

Credits

Cover photo by Debby Hudson on Unsplash.


That's it for this week, and I'll see you next time.