Infosecurity News
Fake Online Stores Scam Over 850,000 Shoppers
Researchers discover 75,000+ domains hosting fraudulent e-commerce sites, in a campaign dubbed BogusBazaar
Bleeping Computer
Massive webshop fraud ring steals credit cards from 850,000 people
A massive network of 75,000 fake online shops called 'BogusBazaar' tricked over 850,000 people in the US and Europe into making purchases, allowing the criminals to steal credit card information and attempt to process an estimated $50 million in fake orders.
The Hacker News
Sneaky Credit Card Skimmer Disguised as Harmless Facebook Tracker
E-commerce website owners and admins – BEWARE! Reseachers uncover a credit card skimmer hidden within a bogus Meta Pixel tracker script.
%20(1).webp)
Cyber Security News
WordPress Security : XSS Remains as the Most Vulnerability Exploited
Of all the security flaws discovered in the WordPress ecosystem, XSS vulnerabilities accounted for about 53.3% of the total.
The Cyber Express
Millions of WordPress Sites at Risk Due to Essential Addons for Elementor Vulnerability
A new Essential Addons For Elementor vulnerability has been revealed, affecting over 2 million websites utilizing the popular WordPress plugin.
The Cyber Express
WordPress Admin Authentication Bypass Exploit Allegedly Offered for Sale at $100,000
An anonymous threat actor on dark web has allegedly announced a vulnerability in WordPress, offering what they termed as a
Infosecurity News
Backup Migration WordPress Plugin Flaw Impacts 90,000 Sites
Users of popular WordPress plugin Backup Migration are urged to patch a new critical vulnerability
Infosecurity News
Vulnerability Exposed in WordPress Plugin User Submitted Posts
With over 20,000 active installations, the plugin is used for user-generated content submissions
Infosecurity News
Magecart Hackers Hide in 404 Error Pages
Akamai spots new digital skimming campaign
The Hacker News
New Magecart Campaign Alters 404 Error Pages to Steal Shoppers' Credit Cards
Beware of the latest Magecart attack! Attackers are now hiding malicious code on 404 error pages to steal your data.
Bleeping Computer
Hackers use malicious 404 error pages to steal credit cards
A new Magecart card skimming campaign hijacks the 404 error pages of online retailer's websites, hiding malicious code to steal customers' credit card information.
Bleeping Computer
Hackers modify online stores’ 404 pages to steal credit cards
A new Magecart card skimming campaign hijacks the 404 error pages of online retailer's websites, hiding malicious code to steal customers' credit card information.
SecurityWeek
Vulnerability in WordPress Migration Plugin Exposes Websites to Attacks
A vulnerability in the All-in-One WP Migration plugin’s extensions exposes WordPress websites to attacks, but patch is available
Infosecurity News
Flaw Exposes WP Migration Plugin to Hacks
The vulnerable code was identified by the security research team at PatchStack
Bleeping Computer
Jupiter X Core WordPress plugin could let hackers hijack sites
Two vulnerabilities affecting some version of Jupiter X Core, a premium plugin for setting up WordPress and WooCommerce websites, allow hijacking accounts and uploading files without authentication.
Infosecurity News
Cybersecurity Study Reveals Web App Vulnerability Crisis
Latest CyCognito report exposes 74% PII vulnerability, prompting urgent data protection
Infosecurity News
Scammers Exploit Hacked Websites For Phishing
Kaspersky explained one common strategy is the hacking of abandoned or poorly maintained websites
Infosecurity News
Multiple Flaws Found in the Avada WordPress Theme and Plugin
The security flaws were uncovered by Patchstack security researcher Rafie Muhammad
Ars Technica
How we host Ars, the finale and the 64-bit future
We wrap up our four-part series by tying up loose ends and looking ahead.
Infosecurity News
High Severity Vulnerabilities Discovered in Ninja Forms Plugin
The popular forms builder plugin for WordPress has over 900,000 active installations
Security Affairs
Security Affairs newsletter Round 429 by Pierluigi Paganini – International edition
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Multiple DDoS botnets were observed targeting Zyxel devices CISA warns of attacks against Citrix NetScaler ADC […]
Latest Hacking News
WooCommerce Payments WP Plugin Flaw Goes Under Active Attack
Months after releasing the patch, hackers are still exploiting the security flaw in WooCommerce Payments WordPress plugin. The researchers have found the vulnerability under active attack, urging WordPress admins to update their websites with the
The Hacker News
Zero-Day Attacks Exploited Critical Vulnerability in Citrix ADC and Gateway
Critical security flaw in Citrix NetScaler ADC and Gateway being actively exploited! CVE-2023-3519 allows unauthenticated remote code execution.
DarkReading
Attackers Pummel Millions of Websites via Critical WooCommerce Payments Flaw
A barrage of targeted attacks against vulnerable installations peaked at 1.3 million against 157,000 sites over the weekend, aimed at unauthenticated code execution.
SecurityWeek
WordPress Sites Hacked via Critical Vulnerability in WooCommerce Payments Plugin
Attackers have started exploiting CVE-2023-28121, a recent critical vulnerability in the WooCommerce Payments WordPress plugin.
Security Affairs
Hacking campaign targets sites using WordPress WooCommerce Payments Plugin
Threat actors are actively exploiting a critical flaw, tracked as CVE-2023-28121, in the WooCommerce Payments WordPress plugin. Threat actors are actively exploiting a recently disclosed critical vulnerability, tracked as CVE-2023-28121 (CVSS score: 9.8), in the WooCommerce Payments WordPress plugin. The flaw is an authentication bypass issue that can be exploited by an unauthenticated attacker to impersonate arbitrary […]
Infosecurity News
WooCommerce Bug Exploited in Targeted WordPress Attacks
Wordfence claims over 157,000 sites have been hit so far
Cyber Security News
Massive Exploit Against WooCommerce Payments Underway Bug on 600,000 Websites
Hackers actively target vulnerable WordPress websites in an effort to take advantage of a widespread WooCommerce Payments plugin vulnerability and gain admin rights.
The Hacker News
Cybercriminals Exploiting WooCommerce Payments Plugin Flaw to Hijack Websites
A critical security flaw in the WooCommerce Payments WordPress plugin (CVE-2023-28121) is being actively exploited by threat actors.
Bleeping Computer
Hackers exploiting critical WordPress WooCommerce Payments bug
Hackers are conducting widespread exploitation of a critical WooCommerce Payments plugin to gain the privileges of any users, including administrators, on vulnerable WordPress installation.
The Hacker News
Improve Your Security WordPress Spam Protection With CleanTalk Anti-Spam
In the digital warfare against website spam, automation is your ally. Discover CleanTalk Anti-Spam solution for WordPress - a tool designed for precis
The Hacker News
Critical Flaw Found in WordPress Plugin for WooCommerce Used by 30,000 Websites
Attention online retailers! A critical security flaw in the "Abandoned Cart Lite for WooCommerce" plugin puts over 30,000 websites at risk.
Bleeping Computer
iOttie discloses data breach after site hacked to steal credit cards
Car mount and mobile accessory maker iOttie warns that its site was compromised for almost two months to steal online shoppers' credit cards and personal information.
Latest Hacking News
Stripe Payment Gateway Plugin Patched Serious IDOR Flaw
A critical security flaw in the WooCommerce plugin Stripe Payment Gateway risked users’ safety. Exploiting the vulnerability could allow an attacker to pilfer the payments directly from the platform and steal other sensitive information. The
Security Affairs
Security Affairs newsletter Round 424 by Pierluigi Paganini – International edition
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Law enforcement shutdown a long-standing DDoS-for-hire service A Russian national charged for committing LockBit Ransomware attacks […]
.webp)
Cyber Security News
Critical Vulnerability in Wordpress Stripe Payment Plugin Exposes Customer Data
The Wordpress Stripe Payment Gateway plugin has been vulnerable to Unauthenticated Insecure Direct Object Reference (IDOR) Vulnerability.
Infosecurity News
PII Exposed: Unauthenticated IDOR in WooCommerce Stripe Plugin
The vulnerability affects versions 7.4.0 and below of the WordPress plugin
Security Affairs
Critical flaw found in WooCommerce Stripe Gateway Plugin used by +900K sites
Hundreds of thousands of online stores are potentially exposed to hacking due to a critical vulnerability in the WooCommerce Stripe Payment Gateway plugin. The WooCommerce Stripe Payment Gateway plugin is affected by a critical vulnerability tracked as CVE-2023-34000. The Stripe plugin extends WooCommerce allowing administrators of the e-commerce sites to take payments directly on their […]
Security Affairs
Unveiling the Balada injector: a malware epidemic in WordPress
Learn the shocking truth behind the Balada Injector campaign and find out how to protect your organization from this relentless viral invasion. A deadly cyber campaign has been working silently to undermine website security by exploiting popular WordPress plugins — infiltrating over a million websites and leaving administrators scrambling for solutions. In April 2023, Bleeping […]
The Hacker News
Critical Security Vulnerability Discovered in WooCommerce Stripe Gateway Plugin
A critical flaw has been discovered in the WooCommerce Stripe Gateway WordPress plugin, potentially exposing sensitive information.
Bleeping Computer
WordPress Stripe payment plugin bug leaks customer order details
The WooCommerce Stripe Gateway plugin for WordPress was found to be vulnerable to a bug that allows any unauthenticated user to view order details placed through the plugin.
DarkReading
Researchers Spot a Different Kind of Magecart Card-Skimming Campaign
In addition to injecting a card skimmer into target Magento, WooCommerce, Shopify, and WordPress sites, the the threat actor is also hijacking targeted domains to deliver the malware to other sites.
Cyber Security News
Hackers Inject Shell Scripts into eCommerce Sites to Steal Credit Card Data
Hackers execute a Magecart attack by breaching online stores and implanting malicious scripts designed to stealthily harvest the customers' credit card details
Security Affairs
Magecart campaign abuses legitimate sites to host web skimmers and act as C2
A new ongoing Magecart web skimmer campaign abuse legitimate websites to act as makeshift command and control (C2) servers. Akamai researchers discovered a new ongoing Magecart web skimmer campaign aimed at stealing personally identifiable information (PII) and credit card information from users in North America, Latin America, and Europe. Magecart attacks target e-commerce websites, the […]
The Hacker News
Magento, WooCommerce, WordPress, and Shopify Exploited in Web Skimmer Attack
🚨 Attention online shoppers! Beware of the insidious Magecart-style web skimmer campaign sweeping across e-commerce websites!
Bleeping Computer
Hackers hijack legitimate sites to host credit card stealer scripts
A new Magecart credit card stealing campaign hijacks legitimate sites to act as "makeshift" command and control (C2) servers to inject and hide the skimmers on targeted eCommerce sites.
Latest Hacking News
Severe Elementor Pro WP Plugin Vulnerability Actively Exploited
A serious vulnerability existed in the popular WordPress plugin Elementor Pro that could allow website takeovers. Even worse, the vulnerability went under attack soon after gaining traction, requiring WP admins to install the bug fixes
Cyber Security News
Hackers Exploiting WordPress Plugin with Over 11M Installs
Most popular WordPress plugins, Elementor Pro, used by over eleven million websites, is vulnerable to a high-severity vulnerability.
The Hacker News
Hackers Exploiting WordPress Elementor Pro Vulnerability: Millions of Sites at Risk!
A recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress is being exploited.
Ars Technica
Hackers exploit WordPress plugin flaw that gives full control of millions of sites
Elementor Pro fixed the vulnerability, but not everyone has installed the patch.
Security Affairs
Hackers are actively exploiting a flaw in the Elementor Pro WordPress plugin
Threat actors are actively exploiting a high-severity flaw in the Elementor Pro WordPress plugin used by more than eleven million websites WordPress security firm PatchStack warns of a high-severity vulnerability in the Elementor Pro WordPress plugin that is currently being exploited by threat actors in the wild. Elementor Pro is a paid plugin that is currently installed on […]
Bleeping Computer
Hackers exploit bug in Elementor Pro WordPress plugin with 11M installs
Hackers are actively exploiting a high-severity vulnerability in the popular Elementor Pro WordPress plugin used by over eleven million websites.
Naked Security
S3 Ep128: So you want to be a cybercriminal? [Audio + Text]
Latest episode – listen now!
Latest Hacking News
Critical Vulnerability Fixed In WooCommerce Payments WordPress Plugin
A serious authentication vulnerability existed in the WordPress plugin WooCommerce Payments, exploiting which could allow rogue access to admin privileges. The plugin developers patched the vulnerability, making WordPress force install plugin updates. WooCommerce Payments Plugin Vulnerability
Security Affairs
Security Affairs newsletter Round 412 by Pierluigi Paganini – International edition
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. If you want to also receive for free the newsletter with the international press subscribe here. NCA infiltrates the cybercriminal underground with fake DDoS-for-hire sites Pwn2Own Vancouver 2023 awarded $1,035,000 and […]
Naked Security
WooCommerce Payments plugin for WordPress has an admin-level hole – patch now!
Admin-level holes in websites are always a bad thing… and for “bad”, read “worse” if it’s an e-commerce site.
CSO
Critical flaw in WooCommerce can be used to compromise WordPress websites
The vulnerability could allow unauthenticated administrative takeover of websites. WooCommerce has released an update.
Infosecurity News
WooCommerce Patches Critical Plugin Flaw Affecting Half a Million Sites
The vulnerability could allow an unauthenticated attacker to gain admin privileges and take over a website
Security Affairs
Critical flaw in WooCommerce Payments plugin allows site takeover
A patch for a critical vulnerability in the WooCommerce Payments plugin for WordPress has been released for over 500,000 websites. On March 23, 2023, researchers from Wordfence observed that the “WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo” plugin had been updated to version 5.6.2. The WooCommerce Payments plugin is a fully integrated […]
The Hacker News
Critical WooCommerce Payments Plugin Flaw Patched for 500,000+ WordPress Sites
Critical security flaw found in WooCommerce Payments plugin for WordPress, affecting 500K+ websites! Update to patched versions ASAP.
Bleeping Computer
WordPress force patching WooCommerce plugin with 500K installs
Automattic, the company behind the WordPress content management system, is force installing a security update on hundreds of thousands of websites running the highly popular WooCommerce Payments for online stores.
Bleeping Computer
Hackers inject credit card stealers into payment processing modules
A new credit card stealing hacking campaign is doing things differently than we have seen in the past by hiding their malicious code inside the 'Authorize.net' payment gateway module for WooCommcerce, allowing the breach to evade detection by security scans.
Security Affairs
Companies impacted by Mailchimp data breach warn their customers
The recent Mailchimp data breach has impacted multiple organizations, some of them are already notifying their customers. The popular email marketing and newsletter platform Mailchimp recently disclosed a news data breach, the incident exposed the data of 133 customers. Threat actors targeted the company’s employees and contractors to gain access to an internal support and […]
SecurityWeek
Companies Impacted by Recent Mailchimp Breach Start Notifying Customers
Companies affected by the recent Mailchimp data breach have started notifying customers. The list includes WooCommerce, FanDuel, Yuga Labs and Solana Foundation.
Security Affairs
Mailchimp discloses a new security breach, the second one in 6 months
Popular email marketing and newsletter platform Mailchimp was hacked and the data of dozens of customers were exposed. The popular email marketing and newsletter platform Mailchimp was hacked twice in the past six months. The news of a new security breach was confirmed by the company, the incident exposed the data of 133 customers. Threat […]
The Hacker News
Mailchimp Suffers Another Security Breach Compromising Some Customers' Information
Another security breach has hit the popular email marketing service Mailchimp, compromising over 100 customers' information
CyberSecurity Dive
Mailchimp hit by second cyberattack in 6 months, 133 customers impacted
The social engineering incident is similar to an August cyberattack that targeted customers in the crypto industry.
Bleeping Computer
MailChimp discloses new breach after employees got hacked
Email marketing firm MailChimp suffered another breach after hackers accessed an internal customer support and account administration tool, allowing the threat actors to access the data of 133 customers.
Latest Hacking News
Linux Malware Exploits 30 Vulnerabilities To Target WordPress Websites
Heads up, WordPress admins! Researchers have warned users of a new Linux malware that targets WordPress websites with malicious JavaScript. The malware exploits 30 vulnerabilities in different WordPress themes and plugins to accomplish the goal. Linux
Ars Technica
Hundreds of WordPress sites infected by recently discovered backdoor
People who use WordPress should check their sites for unpatched plugins.
The Hacker News
WordPress Security Alert: New Linux Malware Exploiting Over Two Dozen CMS Flaws
A new strain of Linux malware is targeting WordPress sites, taking advantage of vulnerabilities in various plugins and themes to infiltrate.
Security Affairs
New Linux malware targets WordPress sites by exploiting 30 bugs
A new Linux malware has been exploiting 30 vulnerabilities in outdated WordPress plugins and themes to deploy malicious JavaScripts. Doctor Web researchers discovered a Linux malware, tracked as Linux.BackDoor.WordPressExploit.1, that compromises WordPress websites by exploiting 30 vulnerabilities in multiple outdated plugins and themes. The malware injects into targeted webpages malicious JavaScripts, then when users click on the compromised […]
Bleeping Computer
New Linux malware uses 30 plugin exploits to backdoor WordPress sites
A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript.
SecurityWeek
Critical Vulnerability in Premium Gift Cards WordPress Plugin Exploited in Attacks
A critical vulnerability in the YITH WooCommerce Gift Cards premium WordPress plugin is exploited in attacks.
Security Affairs
Experts warn of attacks exploiting WordPress gift card plugin
Threat actors are actively exploiting a critical flaw in the YITH WooCommerce Gift Cards Premium WordPress plugin installed by over 50,000 websites. Hackers are actively exploiting a critical vulnerability, tracked as CVE-2022-45359 (CVSS v3: 9.8), affecting the WordPress plugin YITH WooCommerce Gift Cards Premium. The YITH WooCommerce Gift Cards Premium plugin allows websites of online stores to […]
Security Affairs
Experts warn of attacks exploiting WordPress gift card plugin
Threat actors are actively exploiting a critical flaw in the YITH WooCommerce Gift Cards Premium WordPress plugin installed by over 50,000 websites. Hackers are actively exploiting a critical vulnerability, tracked as CVE-2022-45359 (CVSS v3: 9.8), affecting the WordPress plugin YITH WooCommerce Gift Cards Premium. The YITH WooCommerce Gift Cards Premium plugin allows websites of online stores to […]
Bleeping Computer
Hackers exploit bug in WordPress gift card plugin with 50K installs
Hackers are actively targeting a critical flaw in YITH WooCommerce Gift Cards Premium, a WordPress plugin used on over 50,000 websites.
The Hacker News
What Developers Need to Fight the Battle Against Common Vulnerabilities
Coding best practices have continued to evolve over the years, in response to business needs and market trends.
The Hacker News
Magecart Hacks Food Ordering Systems to Steal Payment Data from Over 300 Restaurants
Magecart hackers took over three restaurant ordering platforms, MenuDrive, Harbortouch, and InTouchPOS, and stole more than 50,000 payment card record
CyberScoop
For Magecart groups and other credit-card skimmers, old and new opportunities abound
The entry points for Magecart and other e-commerce skimmers are changing, but the attackers are getting more clever, too.
Bleeping Computer
Nearly 30% of critical WordPress plugin bugs don't get a patch
Patchstack, a leader in WordPress security and threat intelligence, has released a whitepaper to present the state of WordPress security in 2021, and the report paints a dire picture.
ThreatPost
Segway Hit by Magecart Attack Hiding in a Favicon
Visitors who shopped on the company's eCommerce website in January will likely find their payment-card data heisted, researchers warned.
ThreatPost
AdSanity, AccessPress Plugins Open Scads of WordPress Sites to Takeover
A critical security bug and a months-long, ongoing supply-chain attack spell trouble for WordPress users.
ThreatPost
20K WordPress Sites Exposed by Insecure Plugin REST-API
The WordPress WP HTML Mail plugin for personalized emails is vulnerable to code injection and phishing due to XSS.
DataBreaches
WordPress plugin flaw puts users of 20,000 sites at phishing risk
Bill Toulas reports: The WordPress WP HTML Mail plugin, installed in over 20,000 sites, is vulnerable to a high-severity flaw that can lead to code injection...
Bleeping Computer
WordPress plugin flaw puts users of 20,000 sites at phishing risk
The WordPress WP HTML Mail plugin, installed in over 20,000 sites, is vulnerable to a high-severity flaw that can lead to code injection and the distribution of convincing phishing emails.
Trend Micro
Defending Users’ NAS Devices From Evolving Threats
In our latest research, we analyze the threats targeting well-known brands of network-attached storage (NAS) devices.
ThreatPost
Three Plugins with Same Bug Put 84K WordPress Sites at Risk
Researchers discovered vulnerabilities that can allow for full site takeover in login and e-commerce add-ons for the popular website-building platform.
ThreatPost
All in One SEO Plugin Bug Threatens 3M Websites with Takeovers
A critical privilege-escalation vulnerability could lead to backdoors for admin access nesting in web servers.
Latest Hacking News
WooCommerce Credit Card Stealer Found Implanted in Random Plugins
Hackers behind the new campaigns steal card details after infecting WordPress plugins running on e-commerce stores.
Bleeping Computer
Hackers infect random WordPress plugins to steal credit cards
Credit card swipers are being injected into random plugins of e-commerce WordPress sites, hiding from detection while stealing customer payment details.
The Record
Web skimmers hit 300+ sites hidden inside Google Tag Manager containers
Threat actors have abused a legitimate feature of the Google Tag Manager service to secretly add and deploy malicious JavaScript code to more than 300 e-commerce stores since March this year.
ThreatPost
80K Retail WooCommerce Sites Exposed by Plugin XSS Bug
The Variation Swatches plugin security flaw lets attackers with low-level permissions tweak important settings on e-commerce sites to inject malicious scripts.
The DFIR Report
Cobalt Strike, a Defender's Guide
As you have noticed from our reporting so far, Cobalt Strike is used as a post-exploitation tool with various malware droppers responsible for the initial infection stage. Some of the most common droppers we see are IcedID (a.k.a. BokBot), ZLoader, Qbot (a.k.a. QakBot), Ursnif, Hancitor, Bazar and TrickBot.
Bleeping Computer
WooCommerce fixes vulnerability exposing 5 million sites to data theft
WooCommerce, the popular e-commerce plugin for the WordPress content management system has been updated to patch a serious vulnerability that could be exploited without authentication.
Bleeping Computer
Critical WordPress plugin zero-day under active exploitation
Threat actors are scanning for sites running the Fancy Product Designer plug-in to exploit a zero-day bug allowing them to upload malware.