⚠️ HIGH severity: Stored XSS (CVE-2026-5425) in trustindex Widgets for Social Photo Feed (≤1.7.9) allows unauthenticated attackers to inject malicious scripts via 'feed_data'. No patch yet — disable plugin. Details: https://radar.offseq.com/threat/cve-2026-5425-cwe-79-improper-neutralization-of-in-1c7aa2af #OffSeq #WordPress #XSS #Vuln
⚠️ HIGH severity XSS (CVE-2026-2936) in Visitor Traffic Real Time Statistics WP plugin ≤8.4. Unauth attackers can inject persistent scripts via 'page_title', executed by admins. No patch yet — restrict access or disable plugin. https://radar.offseq.com/threat/cve-2026-2936-cwe-79-improper-neutralization-of-in-422ba84b #OffSeq #WordPress #XSS

How I Found a P1 Bug in a Bug Bounty Program (Step-by-Step Guide)
This article details the discovery of an XSS vulnerability due to insufficient input validation and lack of Content Security Policy (CSP). The application accepted user input for a query parameter without proper sanitization, allowing script injection through the 'query' field. By injecting a JavaScript payload containing document.cookie manipulation code, the researcher was able to set and persist a PHPSESSID cookie on the victim's device. This payload was executed by the browser, creating a persistent session cookie that allowed an attacker to maintain unauthorized sessions and gain access to other users' accounts without needing their login credentials. The vulnerability paid out $1,000, and the organization addressed it by implementing strong input validation and setting appropriate CSP headers—never trust user-controlled data for security decisions. Key lesson: Validate inputs and enforce strict Content Security Policies to prevent XSS attacks. #BugBounty #XSS #CSP #InputValidation #Infosec

https://medium.com/@pradeeptadi03/how-i-found-a-p1-bug-in-a-bug-bounty-program-step-by-step-guide-7a3fb5ed60ac?source=rss------bug_bounty-5

🔥 How I Found a P1 Bug in a Bug Bounty Program (Step-by-Step Guide) If you’re starting in bug bounty, you’ve probably asked yourself: “How do hackers actually find P1 bugs?” In this blog …

Medium

The Bouncer Who Never Checked IDs
This vulnerability was an XSS (Cross-Site Scripting) issue due to insufficient input validation and lack of Content Security Policy (CSP). The application accepted user input for a query parameter without proper sanitization, allowing script injection through the 'query' field. The researcher injected a payload containing JavaScript code that set a cookie named 'PHPSESSID', which is a unique session identifier in PHP applications. This payload was executed by the browser on the victim's device, creating a persistent session cookie. With this cookie, an attacker could maintain unauthorized sessions and gain access to other users' accounts without needing their login credentials. The vulnerability paid out $250, and the organization addressed it by implementing strong input validation and setting appropriate CSP headers—never trust user-controlled data for security decisions. Key lesson: Always validate inputs and enforce strict Content Security Policies. #BugBounty #XSS #CSP #InputValidation #Infosec

https://medium.com/@prodrx808/the-bouncer-who-never-checked-ids-2fc95942e990?source=rss------bug_bounty-5

The Bouncer Who Never Checked IDs

CVE-2026-29000 · pac4j-jwt · CVSS 10.0 Critical

Medium
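The two Medium summaries above describe the same defect: a 'query' parameter concatenated into the page without output encoding, and no Content Security Policy to contain the result. The following Python is an added example written for this feed, not code from either article or from the affected applications. It places the unencoded concatenation pattern beside a hardened request handler that validates the parameter against an allowlist, HTML-encodes the reflected value, and sends a nonce-based CSP together with an HttpOnly session cookie. The function names, the allowlist, the nonce handling and the sample inputs are assumptions.

```python
"""Hardened rendering of a reflected 'query' parameter, plus response headers
that limit the impact of any reflection that slips through.
Added example: helper names and the allowlist are assumptions, not any project's API."""
import html
import re
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

# Assumed allowlist for a search box: word characters, spaces and a little
# punctuation, capped at 100 characters. Input outside the list is rejected
# rather than "cleaned", so there is no sanitizer to bypass.
QUERY_ALLOWED = re.compile(r"^[\w \-.,'?]{0,100}$")


def validate_query(raw: str) -> Optional[str]:
    """Return the query unchanged if it matches the allowlist, otherwise None."""
    return raw if QUERY_ALLOWED.fullmatch(raw) else None


def render_vulnerable(query: str) -> str:
    """The pattern the write-ups describe: user input concatenated into HTML
    unchanged, so any markup inside 'query' becomes part of the page."""
    return f"<p>Results for: {query}</p>"


def render_hardened(query: str) -> str:
    """Output-encode for the HTML text context: tag and quote characters
    become entities, so the browser renders them as text, never as markup."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def security_headers(nonce: str) -> Dict[str, str]:
    """Headers that contain a reflection even if encoding is missed somewhere:
    a CSP that executes only nonce-tagged scripts (inline injected script has
    no nonce, so it is blocked), and a session cookie flagged HttpOnly so page
    script cannot read it and browsers refuse to overwrite it from script.
    'nonce' must be fresh and unguessable per response; the caller supplies it.
    The cookie value is a placeholder for whatever the server generates."""
    return {
        "Content-Security-Policy": (
            f"default-src 'self'; script-src 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'none'"
        ),
        "Set-Cookie": (
            "PHPSESSID=<server-generated>; HttpOnly; Secure; SameSite=Lax; Path=/"
        ),
    }


def handle_search(query_string: str, nonce: str) -> Tuple[int, Dict[str, str], str]:
    """Minimal handler: parse the query string, validate, encode, set headers.
    Returns (status, headers, body) so the pieces can be checked individually."""
    params = parse_qs(query_string, keep_blank_values=True)
    raw = params.get("query", [""])[0]
    headers = security_headers(nonce)
    query = validate_query(raw)
    if query is None:
        return 400, headers, "<p>Invalid search query.</p>"
    return 200, headers, render_hardened(query)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from either article.
    for qs in ("query=laptop+deals", "query=%3Cscript%3Eevil()%3C%2Fscript%3E"):
        status, hdrs, body = handle_search(qs, nonce="demo-nonce")
        print(status, body)
        print(hdrs["Content-Security-Policy"])
```

The three layers are independent on purpose: the allowlist stops most hostile input at the door, `html.escape` makes the reflected value inert in the one context it is written into, and the CSP plus HttpOnly cookie limit what an injected script could do if a different template later forgets the encoding. Encoding must match the output context; `html.escape` is correct for element text and attribute values but not for a value written into a `<script>` block or a URL.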
🚨 CVE-2026-34564 (CRITICAL, CVSS 9.1): ci4ms < 0.31.0.0 vulnerable to stored XSS via Menu Management. Low-priv attackers can inject scripts, impacting admins & users. Patch & audit menus now. https://radar.offseq.com/threat/cve-2026-34564-cwe-79-improper-neutralization-of-i-8f6e6ad8 #OffSeq #XSS #infosec #vuln
⚠️ CRITICAL: CVE-2026-34565 in ci4ms (<0.31.0.0) enables persistent XSS via menu management. Low-priv users can inject scripts impacting admins & users. Upgrade to 0.31.0.0+ now! https://radar.offseq.com/threat/cve-2026-34565-cwe-79-improper-neutralization-of-i-f662be7e #OffSeq #XSS #WebSecurity
🚨 CVE-2026-34566: Critical stored XSS (CVSS 9.1) in ci4ms < 0.31.0.0. Attackers can inject persistent JS via Page Management, impacting admins & users. Upgrade to 0.31.0.0+, audit content, enable CSP. Details: https://radar.offseq.com/threat/cve-2026-34566-cwe-79-improper-neutralization-of-i-937ed996 #OffSeq #XSS #Vuln #Infosec
CRITICAL: CVE-2026-34567 in ci4ms (<0.31.0.0) enables stored XSS via blog categories. Attackers can hijack sessions or steal data. Upgrade to 0.31.0.0 ASAP & audit for injected scripts. https://radar.offseq.com/threat/cve-2026-34567-cwe-79-improper-neutralization-of-i-5c12fe3e #OffSeq #XSS #InfoSec #CVE202634567
🔥 CVE-2026-34568: CRITICAL stored XSS in ci4ms CMS (<0.31.0.0). Authenticated users can inject persistent JS via blog posts, risking session hijack & data theft. Patch ASAP to 0.31.0.0! https://radar.offseq.com/threat/cve-2026-34568-cwe-79-improper-neutralization-of-i-ae5d4369 #OffSeq #XSS #CVE202634568 #infosec
⚠️ CRITICAL XSS (CVE-2026-34569) in ci4ms (<0.31.0.0): Low-priv attackers can store JS in blog category titles, impacting public & admin views. Update to 0.31.0.0+ ASAP! Full compromise possible. Details: https://radar.offseq.com/threat/cve-2026-34569-cwe-79-improper-neutralization-of-i-ebe55431 #OffSeq #XSS #Infosec