Hackerzhome


Cybersecurity news all over the world


Saturday, January 14, 2023

PoC exploits for serious flaws in well-known WordPress plugins have been revealed

Proof-of-concept exploits are now publicly available for three popular WordPress plugins that have SQL injection vulnerabilities rated high-severity or worse and tens of thousands of active installations.

SQL injection is a web application vulnerability that lets an attacker supply input, through form fields or URL parameters, that alters a legitimate database query so that it returns different results or modifies the database.

If a website’s code contains a SQL injection vulnerability, an attacker may be able to change or remove data from a site, insert malicious scripts, or even take complete control of the website.
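The two paragraphs above describe the defect in general terms. The following is an added example, not code from the article or from any of the affected plugins: a constructed in-memory SQLite table (the `members` schema and the `make_db`, `lookup_vulnerable`, `lookup_safe` and `demo` names are assumptions made for this illustration) showing a query built by string concatenation next to the same query with a bound parameter, and what each returns for an honest value and for a tampered one.

```python
import sqlite3

# Constructed in-memory database standing in for a membership plugin's table.
# The schema is made up for this example, not taken from any real plugin.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, level TEXT)"
    )
    conn.executemany(
        "INSERT INTO members (username, level) VALUES (?, ?)",
        [("alice", "gold"), ("bob", "free"), ("carol", "gold")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, level):
    # Vulnerable pattern: the request value is spliced into the SQL text, so a
    # quote character in it ends the string literal and the rest becomes SQL.
    sql = "SELECT username FROM members WHERE level = '" + level + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, level):
    # Hardened pattern: a bound parameter reaches the engine as a value and is
    # never parsed as SQL, so the query's structure cannot change.
    sql = "SELECT username FROM members WHERE level = ?"
    return [row[0] for row in conn.execute(sql, (level,))]

def demo():
    """Run both lookups against an honest value and a tampered one and return
    the four result lists so they can be compared."""
    conn = make_db()
    honest = "free"
    # Constructed request value of the kind a form field or URL parameter might
    # carry: the quote closes the literal and the OR clause makes the filter
    # match every row.
    tampered = "free' OR '1'='1"
    return {
        "vuln_honest": lookup_vulnerable(conn, honest),
        "vuln_tampered": lookup_vulnerable(conn, tampered),
        "safe_honest": lookup_safe(conn, honest),
        "safe_tampered": lookup_safe(conn, tampered),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14s} -> {rows}")
```

The concatenated query hands back every member for the tampered value, while the parameterized one treats the whole string as a level name and matches nothing. In WordPress plugin code the equivalent of the bound parameter is `$wpdb->prepare()`; the point is the same in either language: user input must travel as a value, never as part of the query text.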

Joshua Martinelle, a security researcher with Tenable, found the three vulnerable plugins and responsibly reported them to WordPress on December 19, 2022, together with proof-of-concept exploits (PoCs).

The plugin authors released security updates addressing the flaws in the days or weeks that followed; all three issues are now fixed, and users running the latest versions are no longer at risk.

The first plugin found vulnerable to SQL injection is “Paid Memberships Pro,” a membership and subscription management tool used on more than 100,000 websites.


Hackers have compromised Password Manager accounts, NortonLifeLock says

Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending customers data breach notifications stating that attackers have successfully broken into Norton Password Manager accounts using credential-stuffing attacks.

According to a sample notification letter filed with the Office of the Vermont Attorney General, the attacks were the result of credentials compromised on other platforms rather than a breach of the company’s own systems.

More specifically, the notification states that sometime around December 1, 2022, an attacker attempted to access Norton customer accounts using login and password combinations they purchased from the dark web.

On December 12, 2022, the company detected “an unusually large amount” of failed login attempts, the signature of a credential-stuffing attack, in which threat actors try stolen credential pairs en masse.

The company’s internal investigation, completed by December 22, 2022, showed that the credential-stuffing attacks had compromised an unspecified number of customer accounts.

The notification informs users of the Norton Password Manager function that information kept in private vaults may have been accessed by attackers.
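The article says the intrusion was noticed from “an unusually large amount” of failed logins. The code below is an added example, not anything from Norton or from the article, of the detection logic a defender would run over authentication logs to turn that observation into an alert. The log format, the `SAMPLE_LOG` lines, the thresholds and the function names `parse_line` and `detect_login_abuse` are all constructed for this illustration. It goes slightly beyond the article by separating two shapes of failed-login bursts: many accounts from one source (credential stuffing) and one account hit repeatedly from one source (password guessing), because the response to each differs.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (a made-up format, not Norton's logs).
# One line per login attempt: UTC timestamp, outcome, account, source address.
SAMPLE_LOG = """\
2022-12-12T03:00:01Z FAIL user=alice src=198.51.100.7
2022-12-12T03:00:02Z FAIL user=bob src=198.51.100.7
2022-12-12T03:00:02Z FAIL user=carol src=198.51.100.7
2022-12-12T03:00:03Z OK user=dave src=198.51.100.7
2022-12-12T03:00:04Z FAIL user=erin src=198.51.100.7
2022-12-12T03:00:05Z FAIL user=frank src=198.51.100.7
2022-12-12T03:00:06Z FAIL user=grace src=198.51.100.7
2022-12-12T03:10:00Z FAIL user=alice src=203.0.113.9
2022-12-12T03:10:30Z FAIL user=alice src=203.0.113.9
2022-12-12T03:11:00Z FAIL user=alice src=203.0.113.9
2022-12-12T03:11:30Z FAIL user=alice src=203.0.113.9
2022-12-12T03:12:00Z FAIL user=alice src=203.0.113.9
2022-12-12T03:12:30Z FAIL user=alice src=203.0.113.9
2022-12-12T04:00:00Z FAIL user=heidi src=192.0.2.44
2022-12-12T04:00:10Z OK user=heidi src=192.0.2.44
"""

def parse_line(line):
    """Split one log line into (timestamp, outcome, user, src)."""
    ts, outcome, user_kv, src_kv = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, outcome, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]

def detect_login_abuse(log_text, window=timedelta(minutes=5),
                       min_failures=5, min_distinct_users=4):
    """Flag sources whose failed logins inside any sliding window reach
    min_failures. If the failures spread over at least min_distinct_users
    accounts the shape is credential stuffing (one source, many accounts);
    otherwise it is password guessing against a single account."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, outcome, user, src = parse_line(line)
        if outcome == "FAIL":
            failures[src].append((when, user))

    findings = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            if len(span) < min_failures:
                continue
            users = {user for _, user in span}
            kind = ("credential_stuffing" if len(users) >= min_distinct_users
                    else "password_guessing")
            best = findings.get(src)
            # Keep the densest window seen for this source.
            if best is None or len(span) > best["failures"]:
                findings[src] = {"kind": kind, "failures": len(span),
                                 "distinct_users": len(users),
                                 "window_start": span[0][0].isoformat()}
    return findings

if __name__ == "__main__":
    for src, finding in detect_login_abuse(SAMPLE_LOG).items():
        print(src, finding)
```

On the constructed log, 198.51.100.7 is reported as credential stuffing (six failures across six accounts in a few seconds), 203.0.113.9 as password guessing (six failures, all against one account), and 192.0.2.44, a user who mistyped once and then succeeded, produces no finding. A credential-stuffing finding is the cue to rate-limit or block the source and to force a password reset plus multi-factor enrolment on any account where a login from that source succeeded, which is the exposure the notification describes.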


Beware: EyeSpy surveillance software is being spread by contaminated VPNs


As part of a malware operation that began in May 2022, contaminated VPN installers are being used to distribute the spying software known as EyeSpy.

According to the Romanian cybersecurity firm that reported the campaign, most infections are believed to have originated in Iran, with smaller numbers found in Germany and the United States.

Snapshots obtained through the Internet Archive show that SecondEye markets itself as commercial surveillance software that can serve as a “parental control system or as an online watchdog,” sold for between $99 and $200 as of November 2021.

Its features include harvesting files and saved passwords from web browsers, recording from the microphone, logging keystrokes, and remotely controlling the device to execute arbitrary code.

SecondEye first came to attention in August 2022, when Blackpoint Cyber reported that unidentified threat actors were using its spyware modules and infrastructure for data and payload storage. It is still unclear what initial access method was used in those incidents.


Cisco Issues Alert for EoL Business Routers' Unpatched Vulnerabilities


Cisco has warned of two security flaws affecting its end-of-life (EoL) Small Business RV016, RV042, RV042G, and RV082 routers, acknowledging that proof-of-concept (PoC) exploit code is publicly available while stating that the devices will not be patched.

Both flaws lie in the routers’ web-based management interface and allow a remote attacker to bypass authentication or run malicious code on the underlying operating system.

The more serious of the two is CVE-2023-20025, which is the result of incorrect user input validation in incoming HTTP packets and has a CVSS score of 9.0.

By sending a specially crafted HTTP request to a vulnerable router’s web-based management interface, a remote threat actor could bypass authentication and gain elevated privileges.

The second flaw, tracked as CVE-2023-20026 (CVSS score: 6.5), also stems from inadequate input validation and lets an attacker who already holds valid administrative credentials obtain root-level privileges and access restricted data.

The networking vendor added that, although it is aware of PoC code in the wild, it has not observed any malicious exploitation of the vulnerabilities in real-world attacks.

French regulator fines TikTok $5.4 million for breaking cookie laws

Following Amazon, Google, Meta, and Microsoft, all fined since 2020, the popular short-form video platform TikTok has been fined €5 million (about $5.4 million) by the French data protection authority for violating cookie consent rules.

The regulator said it carried out several audits between May 2020 and June 2022 and found that the ByteDance-owned company did not offer a way to refuse all cookies as easily as the single click needed to accept them. TikTok introduced a “refuse all” cookie option in February 2022.

Although cookie consent banners have become ubiquitous since the E.U. General Data Protection Regulation (GDPR) took effect in May 2018, regulators have repeatedly noted that businesses still use deceptive dark patterns to pressure users into disclosing more information than they intend.

Under the rules, websites must obtain users’ explicit consent before setting any third-party cookies or trackers, which may be used for behavioral advertising or for collecting analytics data.

The move also follows a fine the CNIL, the French data protection authority, imposed on Apple for violating the EU ePrivacy Directive by showing targeted ads on the App Store without seeking iPhone users’ consent in iOS 14.6.
