Unauthenticated — CraftedSignal Threat Feed

WordPress Easy PayPal Events & Tickets Plugin Information Disclosure Vulnerability

hello@craftedsignal.io — Mon, 04 May 2026 18:16:29 +0000

The Easy PayPal Events & Tickets plugin for WordPress, versions 1.3 and earlier, contains an information disclosure vulnerability (CVE-2026-41471). This vulnerability allows unauthenticated attackers to iterate through WordPress post IDs via the scan_qr.php endpoint. By sequentially accessing these IDs, attackers can retrieve customer order records stored within the WordPress database. The plugin was officially closed as of March 18, 2026, meaning websites using the plugin prior to this date are vulnerable. This allows for the potential harvesting of sensitive customer data including names, addresses, and purchase histories.

Attack Chain

An unauthenticated attacker identifies a WordPress site using the vulnerable Easy PayPal Events & Tickets plugin (version 1.3 or earlier).
The attacker crafts a malicious HTTP request targeting the scan_qr.php endpoint.
The attacker modifies the request to iterate through sequential WordPress post IDs.
The server processes the request without proper authentication or authorization checks.
The scan_qr.php endpoint queries the WordPress database for order records associated with the provided post ID.
If a valid order record is found, the server returns the information in the HTTP response.
The attacker parses the HTTP response to extract customer order information.
The attacker repeats steps 2-7, incrementing the post ID to enumerate all order records.

Impact

Successful exploitation of this vulnerability allows unauthenticated attackers to retrieve all customer order records stored in the WordPress database. This can lead to the disclosure of sensitive customer information, including names, email addresses, purchase history, and potentially other personal details. The number of affected victims depends on the popularity and usage of the vulnerable plugin. If the database contains financial information the impact could be severe.

Recommendation

Deploy the Sigma rule detecting requests to the scan_qr.php endpoint with iterative post IDs to identify potential exploitation attempts.
If still using the Easy PayPal Events & Tickets plugin, remove the plugin, as it was closed as of 2026-03-18.
Monitor web server logs for suspicious activity targeting the scan_qr.php endpoint.
Review the WordPress access logs for requests originating from unusual IP addresses accessing the scan_qr.php endpoint.

Weaver E-cology Unauthenticated RCE via Dubbo API Debug Endpoint

hello@craftedsignal.io — Tue, 07 Apr 2026 13:16:45 +0000

Weaver (Fanwei) E-cology is susceptible to an unauthenticated remote code execution (RCE) vulnerability affecting version 10.0 prior to 20260312. The vulnerability exists in the /papi/esearch/data/devops/dubboApi/debug/method endpoint, stemming from exposed debug functionality. Exploitation allows unauthenticated attackers to execute arbitrary commands on the underlying system. The attack involves crafting malicious POST requests with attacker-controlled interfaceName and methodName parameters. Shadowserver Foundation observed initial exploitation attempts on 2026-03-31 (UTC). Due to the ease of exploitation and lack of authentication requirement, this vulnerability presents a significant risk.

Attack Chain

Attacker identifies a vulnerable Weaver E-cology 10.0 instance running a version prior to 20260312.
Attacker crafts a malicious HTTP POST request targeting the /papi/esearch/data/devops/dubboApi/debug/method endpoint.
The POST request includes the interfaceName and methodName parameters, which are set to values designed to invoke command execution helpers.
The server processes the request without authentication due to the vulnerability.
The application invokes the specified methodName within the interfaceName, leading to the execution of attacker-controlled code.
The attacker-controlled code executes commands on the server, such as establishing a reverse shell.
The attacker gains remote access to the server.
The attacker pivots within the network, potentially leading to data exfiltration, system compromise, or deployment of ransomware.

Impact

Successful exploitation of this vulnerability allows attackers to execute arbitrary commands on the affected Weaver E-cology 10.0 server. This can lead to full system compromise, data exfiltration, and disruption of services. Given the critical nature of systems often managed by E-cology, this could have significant business impact, leading to financial losses, reputational damage, and legal liabilities. There is currently no public information on the number of victims or specific sectors targeted.

Recommendation

Upgrade all Weaver E-cology 10.0 installations to a version equal to or greater than 20260312 to patch CVE-2026-22679.
Deploy the Sigma rule “Detect Weaver E-cology Dubbo API Exploitation Attempt” to detect exploitation attempts targeting the vulnerable endpoint.
Monitor web server logs for POST requests to the /papi/esearch/data/devops/dubboApi/debug/method endpoint with suspicious interfaceName and methodName parameters (see logsource details in the Sigma rule).

Brizy WordPress Plugin Unauthenticated Stored XSS Vulnerability

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

The Brizy – Page Builder plugin for WordPress, a popular tool for designing website pages, contains a critical vulnerability that allows unauthenticated users to inject malicious JavaScript code. Specifically, versions up to and including 2.8.11 are affected. This vulnerability arises from a combination of factors, including the lack of nonce verification for form submissions from non-logged-in users, inadequate handling of FileUpload fields when no file is actually uploaded, and the unintended reversal of security encoding through html_entity_decode() before outputting data. This allows attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator viewing the form’s “Leads” page, potentially leading to account takeover, data theft, or further compromise of the WordPress site.

Attack Chain

An unauthenticated attacker crafts a malicious payload containing JavaScript code.
The attacker submits this payload through a Brizy form on the WordPress site, exploiting the missing nonce verification in the submit_form() function.
The handleFileTypeFields() function fails to properly sanitize or overwrite the attacker-supplied values when no file is attached to the form submission.
The injected payload, now stored in the WordPress database, bypasses initial htmlentities() encoding due to later html_entity_decode().
An administrator logs into the WordPress dashboard and navigates to the “Leads” page to view form submissions.
The form-data.php template retrieves the stored malicious payload from the database.
The payload is outputted directly within the href attribute of an HTML element without proper escaping using esc_url().
The injected JavaScript code executes within the administrator’s browser, potentially performing actions such as stealing cookies or redirecting the administrator to a malicious site.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of a logged-in administrator’s browser. This could lead to a full compromise of the WordPress site, including the ability to create new administrative accounts, modify existing content, inject malware into the site’s pages, or steal sensitive data. The impact is significant, as it requires no user interaction beyond an administrator viewing the form submissions within the Brizy plugin.

Recommendation

Upgrade the Brizy – Page Builder plugin to the latest version to patch CVE-2026-5324.
Deploy the Sigma rule “Detect Brizy WordPress Plugin XSS Attempt via HTTP Request” to identify potential exploitation attempts in web server logs.
Review the form-data.php template and implement proper output escaping using esc_url() for all user-supplied data to prevent XSS, as mentioned in the vulnerability description.