Morley
Company Details
Linkedin ID:
morley-companies-inc
Website:
Employees number:
1,480
Number of followers:
9,465
NAICS:
541613
Industry Type:
Homepage:
www.morleycompanies.com
IP Addresses:
0
Company ID:
MOR_2682472
Scan Status:
In-progress
Morley Company CyberSecurity Posture
www.morleycompanies.com
𝗢𝘂𝗿 𝗰𝗹𝗶𝗲𝗻𝘁𝘀 We serve four demanding markets: - Global / Fortune 500 companies seeking customer service delivery for contact centers and processing centers - Global / Fortune 500 companies seeking meeting, incentive and special events management - Global / Fortune 500 companies seeking trade show booth fabrication (custom or modular) and trade show schedule management (installation, dismantling and storage) - Museums, schools, libraries and other institutions seeking custom built exhibit installations. 𝗧𝗵𝗿𝗲𝗲 𝗰𝗼𝗺𝗽𝗮𝗻𝗶𝗲𝘀, 𝗰𝗼𝘂𝗻𝘁𝗹𝗲𝘀𝘀 𝘀𝗼𝗹𝘂𝘁𝗶𝗼𝗻𝘀 We serve these markets through three distinct entities that work independently or in close coordination with one another to deliver highly integrated and complex solutions: 𝗕𝘂𝘀𝗶𝗻𝗲𝘀𝘀 𝗣𝗿𝗼𝗰𝗲𝘀𝘀 𝗢𝘂𝘁𝘀𝗼𝘂𝗿𝗰𝗶𝗻𝗴 where we manage contact centers and processing centers in North America and near-shore locations 𝗪𝗲𝗯𝘀𝗶𝘁𝗲: www.morleybpo.com 𝗠𝗲𝗲𝘁𝗶𝗻𝗴𝘀 & 𝗜𝗻𝗰𝗲𝗻𝘁𝗶𝘃𝗲𝘀 where we manage meetings, conferences and incentives for groups ranging in size from tens to thousands 𝗪𝗲𝗯𝘀𝗶𝘁𝗲: www.morleymeetings.com 𝗘𝘅𝗵𝗶𝗯𝗶𝘁𝘀 & 𝗗𝗶𝘀𝗽𝗹𝗮𝘆𝘀 where we build and install museum exhibits and trade show properties 𝗪𝗲𝗯𝘀𝗶𝘁𝗲: www.morleyexhibits.com Since 1863, we’ve cultivated a culture of delivering extraordinary experiences. It’s woven into our DNA, propelling us to achieve exceptional, award-winning outcomes. This ethos empowers our dedicated associates to unleash their full potential, and help our clients achieve great results. At Morley, we call it Moving People to Move Mountains. 𝗦𝗲𝗿𝘃𝗶𝗰𝗲 𝗶𝘀 𝘁𝗵𝗲 𝗵𝗲𝗮𝗿𝘁 𝗼𝗳 𝗼𝘂𝗿 𝗯𝘂𝘀𝗶𝗻𝗲𝘀𝘀, 𝗮𝗻𝗱 𝗽𝗲𝗼𝗽𝗹𝗲 𝗮𝗿𝗲 𝗶𝘁𝘀 𝘀𝗼𝘂𝗹 Happy associates make happy customers. Empowered with the tools and authority to make their solutions and service something to smile about, our associates delight in ensuring every experience for our clients and each other is extraordinary.
Morley A.I CyberSecurity Scoring
Morley Risk Score (AI oriented)Between 650 and 699
Morley
Updated:
- Powered by our proprietary A.I cyber incident model
- Insurance preferes TPRM score to calculate premium
Morley Global Score (TPRM)XXXX
Morley
- Instant access to detailed risk factors
- Benchmark vs. industry & size peers
- Vulnerabilities
- Findings
Morley Company CyberSecurity News & History
Past Incidents
3
Attack Types
1
Morley Companies, Inc.
Breach
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: The Maine Office of the Attorney General reported a data breach involving Morley Companies, Inc. on January 26, 2022. The breach occurred on August 1, 2021, and was discovered on December 22, 2021, resulting in the exposure of personal information for approximately 2 Maine residents, including names, dates of birth, Social Security numbers, driver's license numbers, and health information. Identity theft protection services were offered for 12 months through IDX.
Morley
Breach
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: Morley Companies Inc. experienced a data breach after it suffered a ransomware attack on August 1st, 2021, that allowed threat actors to steal data before encrypting files. The threat actors stole the personal information of 521,046 individuals during the attack, including data for Morley's employees, contractors, and clients. The data included Full name, Social Security number, Date of birth, Client ID number, Medical diagnostic and treatment information, and Health insurance information. Morley covered the cost of 24 months of identity theft protection services through IDX for all affected individuals.
Morley Companies, Inc.
Breach
Rankiteo Explanation
Attack threatening the organization's existence
Description: The Washington State Office of the Attorney General reported that Morley Companies, Inc. experienced a data breach involving unauthorized access, affecting approximately 42,633 Washington residents. The breach was discovered on August 1, 2021, and involved personal information including names, Social Security numbers, driver's license numbers, birth dates, and health information.
Morley Company Scoring based on AI Models
Cyber Incidents Likelihood 3 - 6 - 9 months
A.I Risk Score Likelihood 3 - 6 - 9 months
Underwriter Stats for Morley
Incidents vs Advertising Services Industry Average (This Year)
No incidents recorded for Morley in 2025.
Incidents vs All-Companies Average (This Year)
No incidents recorded for Morley in 2025.
Incident Types Morley vs Advertising Services Industry Avg (This Year)
No incidents recorded for Morley in 2025.
Incident History — Morley (X = Date, Y = Severity)
Morley cyber incidents detection timeline including parent company and subsidiaries
Morley Company Subsidiaries
𝗢𝘂𝗿 𝗰𝗹𝗶𝗲𝗻𝘁𝘀 We serve four demanding markets: - Global / Fortune 500 companies seeking customer service delivery for contact centers and processing centers - Global / Fortune 500 companies seeking meeting, incentive and special events management - Global / Fortune 500 companies seeking trade show booth fabrication (custom or modular) and trade show schedule management (installation, dismantling and storage) - Museums, schools, libraries and other institutions seeking custom built exhibit installations. 𝗧𝗵𝗿𝗲𝗲 𝗰𝗼𝗺𝗽𝗮𝗻𝗶𝗲𝘀, 𝗰𝗼𝘂𝗻𝘁𝗹𝗲𝘀𝘀 𝘀𝗼𝗹𝘂𝘁𝗶𝗼𝗻𝘀 We serve these markets through three distinct entities that work independently or in close coordination with one another to deliver highly integrated and complex solutions: 𝗕𝘂𝘀𝗶𝗻𝗲𝘀𝘀 𝗣𝗿𝗼𝗰𝗲𝘀𝘀 𝗢𝘂𝘁𝘀𝗼𝘂𝗿𝗰𝗶𝗻𝗴 where we manage contact centers and processing centers in North America and near-shore locations 𝗪𝗲𝗯𝘀𝗶𝘁𝗲: www.morleybpo.com 𝗠𝗲𝗲𝘁𝗶𝗻𝗴𝘀 & 𝗜𝗻𝗰𝗲𝗻𝘁𝗶𝘃𝗲𝘀 where we manage meetings, conferences and incentives for groups ranging in size from tens to thousands 𝗪𝗲𝗯𝘀𝗶𝘁𝗲: www.morleymeetings.com 𝗘𝘅𝗵𝗶𝗯𝗶𝘁𝘀 & 𝗗𝗶𝘀𝗽𝗹𝗮𝘆𝘀 where we build and install museum exhibits and trade show properties 𝗪𝗲𝗯𝘀𝗶𝘁𝗲: www.morleyexhibits.com Since 1863, we’ve cultivated a culture of delivering extraordinary experiences. It’s woven into our DNA, propelling us to achieve exceptional, award-winning outcomes. This ethos empowers our dedicated associates to unleash their full potential, and help our clients achieve great results. At Morley, we call it Moving People to Move Mountains. 𝗦𝗲𝗿𝘃𝗶𝗰𝗲 𝗶𝘀 𝘁𝗵𝗲 𝗵𝗲𝗮𝗿𝘁 𝗼𝗳 𝗼𝘂𝗿 𝗯𝘂𝘀𝗶𝗻𝗲𝘀𝘀, 𝗮𝗻𝗱 𝗽𝗲𝗼𝗽𝗹𝗲 𝗮𝗿𝗲 𝗶𝘁𝘀 𝘀𝗼𝘂𝗹 Happy associates make happy customers. Empowered with the tools and authority to make their solutions and service something to smile about, our associates delight in ensuring every experience for our clients and each other is extraordinary.
Loading...
Morley Similar Companies
Clinic
Clinic is an independent creative agency. We create bold ideas, and craft them beautifully, to get people thinking, believing and doing. All of our experience goes into what we do today, and although our world’s constantly changing, the endpoint is still people and their experience, no matter
Ogilvy
Ogilvy has been creating impact for brands through iconic, culture-changing, value-driving ideas since the company was founded by David Ogilvy 75 years ago. We build on that rich legacy through Borderless Creativity – innovating at the intersections of its advertising, public relations, relationship
dentsu
We are dentsu. We team together to help brands predict and plan for disruptive future opportunities and create new paths to growth in the sustainable economy. We know people better than anyone else and we use those insights to connect brand, content, commerce and experience, underpinned by modern cr
TBWA\Worldwide
TBWA is The Disruption Company®. We are a Collective of creative minds with an unlimited creative canvas. We create brand platforms that defy convention and compete with culture. Thanks to our trademarked Disruption® methodology, we build the world’s strongest brands. Brands that own an unfair share
Clear Channel Europe
Clear Channel Europe is a division of leading global Out of Home media company, Clear Channel Outdoor Holdings, Inc. (NYSE: CCO). The Clear Channel Europe portfolio spans 14 markets with 260,000 advertising panels. Clear Channel Europe has 2,600 dedicated employees. Our Mission is To Create the fu
Havas
TO MAKE A MEANINGFUL DIFFERENCE TO BRANDS, TO BUSINESSES AND TO PEOPLE Founded in 1835 in Paris, Havas is one of the world’s largest global communications networks, with more than 23,000 people in over 100 markets sharing one single mission: to make a meaningful difference to brands, businesses, a
Founded in 1926 by Marcel Bleustein-Blanchet, today Publicis Groupe is the largest communications group in the world and a leader in marketing, communication, and digital business transformation, led by Arthur Sadoun, the third CEO in its history. Publicis Groupe is positioned at every step of the
Quad (NYSE: QUAD) is a global marketing experience company that helps brands make direct consumer connections, from household to in-store to online. Supported by state-of-the-art technology and data-driven intelligence, Quad uses its suite of media, creative and production solutions to streamline th
VML
VML is a global powerhouse born from the unification of Wunderman Thompson and VMLY&R — two of the world's most powerful and accomplished creative agencies with complementary capabilities and geographic strengths. We have an industry-unique opportunity to provide our client partners with a fully int
.png)
Morley CyberSecurity News
October 18, 2025 06:50 AM
Automation industry legend Dick Morley, 'Father of PLC' passes away
Widely known as the 'Father of the PLC', Morley was the initial designer of the first PLC, produced by Modicon nearly 50 years ago. Morley was also a...
October 16, 2025 07:00 AM
Cybersecurity Awareness Month Roundtable – October 29, 2025
The next Office of Advocacy Small Business Roundtable will be held virtually on October 29, 2025, at 1 PM ET on the Microsoft Teams platform...
October 16, 2025 07:00 AM
EDCI adds cybersecurity to metric set
The ESG data-sharing initiative has also launched a pilot programme for GPs to track the commercial impact of sustainability measures at...
October 02, 2025 07:00 AM
CBM calls for urgent support package for downstream JLR suppliers
The government's support package for the automotive sector, following the JLR cyber attack is not being rolled out quickly enough.
July 07, 2025 07:00 AM
Gov. DeSantis signs measure putting FSU Election Law Center into statute
The Center, in existence since 2023, will study everything from election integrity to redistricting.
April 08, 2025 07:00 AM
2025 SC Awards Finalists: Innovator (Executive or Practitioner) of the Year
Cybersecurity innovation depends heavily on visionary leadership and technical excellence. This year's finalists are notable for pushing...
March 01, 2025 08:00 AM
Hegseth to Cyber Command: Stand Down on Russia
Defense Secretary Pete Hegseth has ordered US Cyber Command to refrain from all planning against Russia, which includes cyber offensive actions.
September 19, 2024 07:00 AM
Patrick Morley joins Bugcrowd board after Carbon Black success
Patrick Morley, former CEO of Carbon Black, has joined the board of directors at Bugcrowd, a leader in crowdsourced security.
September 17, 2024 07:00 AM
Former CEO of Carbon Black, Patrick Morley, Joins Bugcrowd's Board of Directors
PRNewswire/ -- Bugcrowd, the leader in crowdsourced security, today announced that Patrick Morley has joined its board of directors.
Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
Morley CyberSecurity History Information
Official Website of Morley
The official website of Morley is www.morleycompanies.com.
Morley’s AI-Generated Cybersecurity Score
According to Rankiteo, Morley’s AI-generated cybersecurity score is 676, reflecting their Weak security posture.
How many security badges does Morley’ have ?
According to Rankiteo, Morley currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
Does Morley have SOC 2 Type 1 certification ?
According to Rankiteo, Morley is not certified under SOC 2 Type 1.
Does Morley have SOC 2 Type 2 certification ?
According to Rankiteo, Morley does not hold a SOC 2 Type 2 certification.
Does Morley comply with GDPR ?
According to Rankiteo, Morley is not listed as GDPR compliant.
Does Morley have PCI DSS certification ?
According to Rankiteo, Morley does not currently maintain PCI DSS compliance.
Does Morley comply with HIPAA ?
According to Rankiteo, Morley is not compliant with HIPAA regulations.
Does Morley have ISO 27001 certification ?
According to Rankiteo,Morley is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Industry Classification of Morley
Morley operates primarily in the Advertising Services industry.
Number of Employees at Morley
Morley employs approximately 1,480 people worldwide.
Subsidiaries Owned by Morley
Morley presently has no subsidiaries across any sectors.
Morley’s LinkedIn Followers
Morley’s official LinkedIn profile has approximately 9,465 followers.
NAICS Classification of Morley
Morley is classified under the NAICS code 541613, which corresponds to Marketing Consulting Services.
Morley’s Presence on Crunchbase
No, Morley does not have a profile on Crunchbase.
Morley’s Presence on LinkedIn
Yes, Morley maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/morley-companies-inc.
Cybersecurity Incidents Involving Morley
As of December 21, 2025, Rankiteo reports that Morley has experienced 3 cybersecurity incidents.
Number of Peer and Competitor Companies
Morley has an estimated 32,689 peer or competitor companies worldwide.
What types of cybersecurity incidents have occurred at Morley ?
Incident Types: The types of cybersecurity incidents that have occurred include Breach.
How does Morley detect and respond to cybersecurity incidents ?
Detection and Response: The company detects and responds to cybersecurity incidents through an recovery measures with 24 months of identity theft protection services through idx for all affected individuals..
Incident Details
Can you provide details on each incident ?
Title: Morley Companies Inc. Data Breach
Description: Morley Companies Inc. experienced a data breach after it suffered a ransomware attack on August 1st, 2021, that allowed threat actors to steal data before encrypting files. The threat actors stole the personal information of 521,046 individuals during the attack, including data for Morley's employees, contractors, and clients. The data included Full name, Social Security number, Date of birth, Client ID number, Medical diagnostic and treatment information, and Health insurance information. Morley covered the cost of 24 months of identity theft protection services through IDX for all affected individuals.
Date Detected: 2021-08-01
Type: Data Breach
Attack Vector: Ransomware
Title: Morley Companies Data Breach
Description: The Washington State Office of the Attorney General reported that Morley Companies, Inc. experienced a data breach involving unauthorized access, affecting approximately 42,633 Washington residents. The breach was discovered on August 1, 2021, and involved personal information including names, Social Security numbers, driver's license numbers, birth dates, and health information.
Date Detected: 2021-08-01
Type: Data Breach
Attack Vector: Unauthorized Access
Title: Data Breach at Morley Companies, Inc.
Description: The Maine Office of the Attorney General reported a data breach involving Morley Companies, Inc. on January 26, 2022. The breach occurred on August 1, 2021, and was discovered on December 22, 2021, resulting in the exposure of personal information for approximately 2 Maine residents, including names, dates of birth, Social Security numbers, driver's license numbers, and health information. Identity theft protection services were offered for 12 months through IDX.
Date Detected: 2021-12-22
Date Publicly Disclosed: 2022-01-26
Type: Data Breach
What are the most common types of attacks the company has faced ?
Common Attack Types: The most common types of attacks the company has faced is Breach.
Impact of the Incidents
What was the impact of each incident ?
Incident : Data Breach MOR1626241222
Data Compromised: Full name, Social security number, Date of birth, Client id number, Medical diagnostic and treatment information, Health insurance information
Incident : Data Breach MOR241072625
Data Compromised: Names, Social security numbers, Driver's license numbers, Birth dates, Health information
Incident : Data Breach MOR212072925
Data Compromised: Names, Dates of birth, Social security numbers, Driver's license numbers, Health information
Identity Theft Risk: High
What types of data are most commonly compromised in incidents ?
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Full Name, Social Security Number, Date Of Birth, Client Id Number, Medical Diagnostic And Treatment Information, Health Insurance Information, , Names, Social Security Numbers, Driver'S License Numbers, Birth Dates, Health Information, , Names, Dates Of Birth, Social Security Numbers, Driver'S License Numbers, Health Information and .
Which entities were affected by each incident ?
Incident : Data Breach MOR1626241222
Entity Name: Morley Companies Inc.
Entity Type: Company
Customers Affected: 521046
Incident : Data Breach MOR241072625
Entity Name: Morley Companies, Inc.
Entity Type: Company
Customers Affected: 42633
Incident : Data Breach MOR212072925
Entity Name: Morley Companies, Inc.
Entity Type: Company
Customers Affected: 2
Response to the Incidents
What measures were taken in response to each incident ?
Incident : Data Breach MOR1626241222
Recovery Measures: 24 months of identity theft protection services through IDX for all affected individuals
Data Breach Information
What type of data was compromised in each breach ?
Incident : Data Breach MOR1626241222
Type of Data Compromised: Full name, Social security number, Date of birth, Client id number, Medical diagnostic and treatment information, Health insurance information
Number of Records Exposed: 521046
Sensitivity of Data: High
Data Exfiltration: Yes
Personally Identifiable Information: Yes
Incident : Data Breach MOR241072625
Type of Data Compromised: Names, Social security numbers, Driver's license numbers, Birth dates, Health information
Number of Records Exposed: 42633
Sensitivity of Data: High
Incident : Data Breach MOR212072925
Type of Data Compromised: Names, Dates of birth, Social security numbers, Driver's license numbers, Health information
Number of Records Exposed: 2
Sensitivity of Data: High
Ransomware Information
Was ransomware involved in any of the incidents ?
How does the company recover data encrypted by ransomware ?
Data Recovery from Ransomware: The company recovers data encrypted by ransomware through 24 months of identity theft protection services through IDX for all affected individuals, .
References
Where can I find more information about each incident ?
Incident : Data Breach MOR241072625
Source: Washington State Office of the Attorney General
Incident : Data Breach MOR212072925
Source: Maine Office of the Attorney General
Date Accessed: 2022-01-26
Where can stakeholders find additional resources on cybersecurity best practices ?
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Washington State Office of the Attorney General, and Source: Maine Office of the Attorney GeneralDate Accessed: 2022-01-26.
Additional Questions
Incident Details
What was the most recent incident detected ?
Most Recent Incident Detected: The most recent incident detected was on 2021-08-01.
What was the most recent incident publicly disclosed ?
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2022-01-26.
Impact of the Incidents
What was the most significant data compromised in an incident ?
Most Significant Data Compromised: The most significant data compromised in an incident were Full name, Social Security number, Date of birth, Client ID number, Medical diagnostic and treatment information, Health insurance information, , Names, Social Security numbers, Driver's license numbers, Birth dates, Health information, , names, dates of birth, Social Security numbers, driver's license numbers, health information and .
Data Breach Information
What was the most sensitive data compromised in a breach ?
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Full name, Medical diagnostic and treatment information, names, Names, Birth dates, health information, Health information, Driver's license numbers, Social Security number, Date of birth, Health insurance information, Client ID number, driver's license numbers, Social Security numbers and dates of birth.
What was the number of records exposed in the most significant breach ?
Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 1.0K.
References
What is the most recent source of information about an incident ?
Most Recent Source: The most recent source of information about an incident are Maine Office of the Attorney General and Washington State Office of the Attorney General.
.png)
Latest Global CVEs (Not Company-Specific)
Description
Versa SASE Client for Windows versions released between 7.8.7 and 7.9.4 contain a local privilege escalation vulnerability in the audit log export functionality. The client communicates user-controlled file paths to a privileged service, which performs file system operations without impersonating the requesting user. Due to improper privilege handling and a time-of-check time-of-use race condition combined with symbolic link and mount point manipulation, a local authenticated attacker can coerce the service into deleting arbitrary directories with SYSTEM privileges. This can be exploited to delete protected system folders such as C:\\Config.msi and subsequently achieve execution as NT AUTHORITY\\SYSTEM via MSI rollback techniques.
Risk Information
cvss4
Base: 8.5
Severity: LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to unauthorized modification of data due to a missing capability check on the 'cs_update_application_status_callback' function in all versions up to, and including, 7.7. This makes it possible for authenticated attackers, with Candidate-level access and above, to inject cross-site scripting into the 'status' parameter of applied jobs for any user.
Risk Information
cvss3
Base: 7.6
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Description
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'cs_update_application_status_callback' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Candidate-level access and above, to send a site-generated email with injected HTML to any user.
Risk Information
cvss3
Base: 4.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Description
The FiboSearch – Ajax Search for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `thegem_te_search` shortcode in all versions up to, and including, 1.32.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires TheGem theme (premium) to be installed with Header Builder mode enabled, and the FiboSearch "Replace search bars" option enabled for TheGem integration.
Risk Information
cvss3
Base: 5.4
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
References
- https://plugins.trac.wordpress.org/browser/ajax-search-for-woocommerce/tags/1.32.0/partials/themes/thegem-elementor.php#L104
- https://plugins.trac.wordpress.org/browser/ajax-search-for-woocommerce/tags/1.32.0/partials/themes/thegem-elementor.php#L94
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3420841%40ajax-search-for-woocommerce%2Ftrunk&old=3398612%40ajax-search-for-woocommerce%2Ftrunk&sfp_email=&sfph_mail=#file136
- https://wordpress.org/plugins/ajax-search-for-woocommerce
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8149103e-105d-401d-8a15-b07d131baaac?source=cve
Description
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.0 via the ajax_get_members function. This is due to the use of a predictable low-entropy token (5 hex characters derived from md5 of post ID) to identify member directories and insufficient authorization checks on the unauthenticated AJAX endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including usernames, display names, user roles (including administrator accounts), profile URLs, and user IDs by enumerating predictable directory_id values or brute-forcing the small 16^5 token space.
Risk Information
cvss3
Base: 5.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
- https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/class-functions.php#L41
- https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-ajax-common.php#L61
- https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-member-directory.php#L205
- https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-member-directory.php#L2795
- https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/templates/members.php#L26
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3421362%40ultimate-member%2Ftrunk&old=3408617%40ultimate-member%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/61337d2d-d15a-45f2-b730-fc034eb3cd31?source=cve
Access Data Using Our API
Get company history
curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=morley-companies-inc' -H 'apikey: YOUR_API_KEY_HERE'
RapidWhat Do We Measure ?
Incident
Finding
Grade
Digital Assets
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Network Security
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
SBOM (Software Bill of Materials)
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
CMDB (Configuration Management Database)
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Threat Intelligence
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.
