{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/unauthenticated/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-41471"}],"_cs_exploited":false,"_cs_products":["Easy PayPal Events \u0026 Tickets plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","info-disclosure","cve-2026-41471","unauthenticated","enumeration"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Easy PayPal Events \u0026amp; Tickets plugin for WordPress, versions 1.3 and earlier, contains an information disclosure vulnerability (CVE-2026-41471). This vulnerability allows unauthenticated attackers to iterate through WordPress post IDs via the \u003ccode\u003escan_qr.php\u003c/code\u003e endpoint. By sequentially accessing these IDs, attackers can retrieve customer order records stored within the WordPress database. The plugin was officially closed as of March 18, 2026, meaning websites using the plugin prior to this date are vulnerable. This allows for the potential harvesting of sensitive customer data including names, addresses, and purchase histories.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable Easy PayPal Events \u0026amp; Tickets plugin (version 1.3 or earlier).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003escan_qr.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the request to iterate through sequential WordPress post IDs.\u003c/li\u003e\n\u003cli\u003eThe server processes the request without proper authentication or authorization checks.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003escan_qr.php\u003c/code\u003e endpoint queries the WordPress database for order records associated with the provided post ID.\u003c/li\u003e\n\u003cli\u003eIf a valid order record is found, the server returns the information in the HTTP response.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the HTTP response to extract customer order information.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 2-7, incrementing the post ID to enumerate all order records.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to retrieve all customer order records stored in the WordPress database. This can lead to the disclosure of sensitive customer information, including names, email addresses, purchase history, and potentially other personal details. The number of affected victims depends on the popularity and usage of the vulnerable plugin. If the database contains financial information the impact could be severe.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule detecting requests to the scan_qr.php endpoint with iterative post IDs to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eIf still using the Easy PayPal Events \u0026amp; Tickets plugin, remove the plugin, as it was closed as of 2026-03-18.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting the \u003ccode\u003escan_qr.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eReview the WordPress access logs for requests originating from unusual IP addresses accessing the \u003ccode\u003escan_qr.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T18:16:29Z","date_published":"2026-05-04T18:16:29Z","id":"/briefs/2026-05-wordpress-easy-paypal-info-disclosure/","summary":"An information disclosure vulnerability in the Easy PayPal Events \u0026 Tickets WordPress plugin (versions 1.3 and earlier) allows unauthenticated attackers to enumerate and retrieve all customer order records via the scan_qr.php endpoint.","title":"WordPress Easy PayPal Events \u0026 Tickets Plugin Information Disclosure Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-easy-paypal-info-disclosure/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-22679"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["weaver","e-cology","rce","unauthenticated","cve-2026-22679"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWeaver (Fanwei) E-cology is susceptible to an unauthenticated remote code execution (RCE) vulnerability affecting version 10.0 prior to 20260312. The vulnerability exists in the \u003ccode\u003e/papi/esearch/data/devops/dubboApi/debug/method\u003c/code\u003e endpoint, stemming from exposed debug functionality. Exploitation allows unauthenticated attackers to execute arbitrary commands on the underlying system. The attack involves crafting malicious POST requests with attacker-controlled \u003ccode\u003einterfaceName\u003c/code\u003e and \u003ccode\u003emethodName\u003c/code\u003e parameters. Shadowserver Foundation observed initial exploitation attempts on 2026-03-31 (UTC). Due to the ease of exploitation and lack of authentication requirement, this vulnerability presents a significant risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Weaver E-cology 10.0 instance running a version prior to 20260312.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/papi/esearch/data/devops/dubboApi/debug/method\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003einterfaceName\u003c/code\u003e and \u003ccode\u003emethodName\u003c/code\u003e parameters, which are set to values designed to invoke command execution helpers.\u003c/li\u003e\n\u003cli\u003eThe server processes the request without authentication due to the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe application invokes the specified \u003ccode\u003emethodName\u003c/code\u003e within the \u003ccode\u003einterfaceName\u003c/code\u003e, leading to the execution of attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled code executes commands on the server, such as establishing a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the server.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots within the network, potentially leading to data exfiltration, system compromise, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to execute arbitrary commands on the affected Weaver E-cology 10.0 server. This can lead to full system compromise, data exfiltration, and disruption of services. Given the critical nature of systems often managed by E-cology, this could have significant business impact, leading to financial losses, reputational damage, and legal liabilities. There is currently no public information on the number of victims or specific sectors targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all Weaver E-cology 10.0 installations to a version equal to or greater than 20260312 to patch CVE-2026-22679.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Weaver E-cology Dubbo API Exploitation Attempt\u0026rdquo; to detect exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/papi/esearch/data/devops/dubboApi/debug/method\u003c/code\u003e endpoint with suspicious \u003ccode\u003einterfaceName\u003c/code\u003e and \u003ccode\u003emethodName\u003c/code\u003e parameters (see logsource details in the Sigma rule).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T13:16:45Z","date_published":"2026-04-07T13:16:45Z","id":"/briefs/2024-01-weaver-rce/","summary":"Weaver E-cology 10.0 before 20260312 is vulnerable to unauthenticated remote code execution, allowing attackers to execute arbitrary commands by crafting a POST request to the /papi/esearch/data/devops/dubboApi/debug/method endpoint.","title":"Weaver E-cology Unauthenticated RCE via Dubbo API Debug Endpoint","url":"https://feed.craftedsignal.io/briefs/2024-01-weaver-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5324"}],"_cs_exploited":false,"_cs_products":["Brizy – Page Builder plugin \u003c= 2.8.11"],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","unauthenticated"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Brizy – Page Builder plugin for WordPress, a popular tool for designing website pages, contains a critical vulnerability that allows unauthenticated users to inject malicious JavaScript code. Specifically, versions up to and including 2.8.11 are affected. This vulnerability arises from a combination of factors, including the lack of nonce verification for form submissions from non-logged-in users, inadequate handling of FileUpload fields when no file is actually uploaded, and the unintended reversal of security encoding through \u003ccode\u003ehtml_entity_decode()\u003c/code\u003e before outputting data. This allows attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator viewing the form\u0026rsquo;s \u0026ldquo;Leads\u0026rdquo; page, potentially leading to account takeover, data theft, or further compromise of the WordPress site.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious payload containing JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker submits this payload through a Brizy form on the WordPress site, exploiting the missing nonce verification in the \u003ccode\u003esubmit_form()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehandleFileTypeFields()\u003c/code\u003e function fails to properly sanitize or overwrite the attacker-supplied values when no file is attached to the form submission.\u003c/li\u003e\n\u003cli\u003eThe injected payload, now stored in the WordPress database, bypasses initial \u003ccode\u003ehtmlentities()\u003c/code\u003e encoding due to later \u003ccode\u003ehtml_entity_decode()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAn administrator logs into the WordPress dashboard and navigates to the \u0026ldquo;Leads\u0026rdquo; page to view form submissions.\u003c/li\u003e\n\u003cli\u003eThe form-data.php template retrieves the stored malicious payload from the database.\u003c/li\u003e\n\u003cli\u003eThe payload is outputted directly within the \u003ccode\u003ehref\u003c/code\u003e attribute of an HTML element without proper escaping using \u003ccode\u003eesc_url()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code executes within the administrator\u0026rsquo;s browser, potentially performing actions such as stealing cookies or redirecting the administrator to a malicious site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of a logged-in administrator\u0026rsquo;s browser. This could lead to a full compromise of the WordPress site, including the ability to create new administrative accounts, modify existing content, inject malware into the site\u0026rsquo;s pages, or steal sensitive data. The impact is significant, as it requires no user interaction beyond an administrator viewing the form submissions within the Brizy plugin.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Brizy – Page Builder plugin to the latest version to patch CVE-2026-5324.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Brizy WordPress Plugin XSS Attempt via HTTP Request\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eform-data.php\u003c/code\u003e template and implement proper output escaping using \u003ccode\u003eesc_url()\u003c/code\u003e for all user-supplied data to prevent XSS, as mentioned in the vulnerability description.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-brizy-xss/","summary":"The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS) in versions up to and including 2.8.11, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form Leads page due to missing nonce verification and improper handling of file upload fields.","title":"Brizy WordPress Plugin Unauthenticated Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-brizy-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Unauthenticated","version":"https://jsonfeed.org/version/1.1"}