XSS Vulnerability Found In ReDi Restaurant Reservation WordPress Plugin
A serious security vulnerability existed in the WordPress plugin ReDi Restaurant Reservation. Specifically, researchers found an XSS vulnerability in the plugin that allowed an adversary to steal sensitive customer data.
Security researcher Bastijn Ouwendijk publicly shared the details of his findings of an XSS vulnerability in ReDi Restaurant Reservation plugin. It’s a popular WordPress plugin helping online businesses in managing reservations. Currently, the plugin boasts over 1000+ active installations. As elaborated in his post, exploiting this bug could allow an attacker to run malicious codes to steal customers’ data. This may include customers’ reservation information without authentication. After uploading the payload to the database, the next step requires loading it onto the webpage. For this, the researcher aimed at the Upcoming Reservation page that displays the reservations for a specific time. The researcher noticed that this webpage actually loaded from an iframe and had a separate source code. That’s where the JavaScript payload executed.
When the https://upcoming.reservationdiary.eu/Entry/[API-key]/ is loaded, and you click on ‘View upcoming reservations’ the JavaScript payload is executed twice. Thus, an attacker may easily pilfer the plugin API key and thus, customers’ data.
How to enjoy Netflix anywhere by beating regional restrictions
Over the years, Netflix has become a trusted name when it comes to streaming the best shows. From horror to romance, from comedy to thriller, from adventure to mystery, you can select any genre and enjoy unlimited entertainment to your heart’s content. The wide selection of the option belonging to different entertainment genres makes Netflix the best streaming service. As Netflix’s hype is increasing, it becomes crucial to know all the tricks and tips related to unblocking unlimited Netflix content. Even though geo-restriction is a nuisance, when it comes to answering how to get American Netflix in Australia or any other country, a VPN can be a lifesaver. It can not only help you protect your online identity but also add to your streaming experience by overcoming the geo-restriction barrier.
The geo-restriction barrier is the bane of the existence of streamers. Though we can agree on the fact that Netflix is better than Disney Plus due to multiple reasons, all of the streaming services, including HBO Max, Netflix, Disney Plus, and Amazon Prime Video, implement the location restriction barrier.
AMT Games data breach: Millions of Users’ Messages, Account IDs, and IP Addresses Exposed
This leak exposed users’ email addresses, IP addresses, Facebook data, and more to potential attack. The leaked data numbers in the millions and was accessible to anyone who possessed the link. There was no need for a password or login credentials to access the information, and the data was not encrypted. The leak has since been secured. AMT Games is a mobile and browser game developer based in China. Its free-to-play mobile game, Battle for the Galaxy, has millions of users in 103 countries, and the app can be found on Android, iPhone, Steam, and its own website as an in-browser game. Our team of ethical hackers discovered an unsecured ElasticSearch server owned by AMT Games which exposed 1.47 TB of data. We tried to reach out to AMT games however we haven’t received a response, and access to the server was later disabled by AMT games. The AMT Games database leaked approximately 5.9 millions player profiles, 2 million transactions, and 587,000 feedback messages. Feedback message data contained Account id, feedback rating given, and users’ email addresses. Transaction data encompassed price, item purchased, time of purchase, payment provider, and in some cases IP address of the buyer. Payment providers included Google, Apple, Steam, Amazon, Samsung, Facebook, and more.
Source — https://securityaffairs.co/wordpress/118529/data-breach/amt-games-data-leak.html
Critical 0day in the Fancy Product Designer WordPress plugin actively exploited
Researchers from the Wordfence team at WordPress security company Defiant warn that a critical zero-day vulnerability, tracked as CVE-2021–24370, in the Fancy Product Designer WordPress plugin is actively exploited in the wild. Fancy Product Designer is a premium plugin that allows customers to design and customize any kind of product in their online stores, it is currently installed on more than 17,000 websites. Experts pointed out that the vulnerability could be exploited only in certain configurations, but even if the plugin is not active. Attackers are exploiting the flaw to extract order information from site databases, anyway, this vulnerability is likely not being attacked on a large scale. Users could modify their products by uploading images and PDF files, but experts noticed that the checks in place to prevent malicious files from being uploaded are not sufficient and could be easily be bypassed. The flaw has been rated with a CVSS score of 9.8 out of 10, an attacker could exploit the issue to upload executable PHP files to online stores that have the plugin installed.
Wordfence did not disclose technical details on the vulnerability to avoid it could be exploited in the wild, it only shared indicators of compromise (IOCs) for the attacks to allow administrators to prevent the attacks.
Stay Focused. Stay Vigilant.
Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT