PLG
Company Details
Linkedin ID:
postcodelotterygroup
Employees number:
152
Number of followers:
3,569
NAICS:
561499
Industry Type:
Homepage:
postcodelotterygroup.com
IP Addresses:
0
Company ID:
POS_1802660
Scan Status:
In-progress
Postcode Lottery Group Company CyberSecurity Posture
postcodelotterygroup.com
The Postcode Lottery Group’s primary aim is to raise funds for good causes locally and globally. It combines business with ideals by setting up and running successful charity lotteries. The unique Postcode Lottery format uses postcodes as ticket numbers. Neighbours play together, win together and help good causes together. It’s a fun and safe way for communities to fundraise. There are already more than 14 million subscribers in the Netherlands, Sweden, Great Britain, Germany and Norway. Further growth in these countries, and future expansion into new markets, will allow millions more to show the power of postcodes by helping to build a healthier, fairer and greener world. Postcode Lottery Group donates more than €900 million to good causes each year and over €13.5 billion has been raised since the first Postcode Lottery was launched, in the Netherlands, in 1989. Research published in 2021 named Postcode Lottery Group as the world's third largest private charity donor, after the Bill and Melinda Gates Foundation. Postcode Lottery Group is a private company, fully owned by a non-profit foundation. Our team works across Europe in our welcoming offices in Amsterdam, London, Edinburgh, Stockholm, Dusseldorf and Oslo, and are joining forces every day to develop the Postcode Lottery’s magic.
Postcode Lottery Group A.I CyberSecurity Scoring
PLG Risk Score (AI oriented)Between 750 and 799
PLG
Updated:
- Powered by our proprietary A.I cyber incident model
- Insurance preferes TPRM score to calculate premium
PLG Global Score (TPRM)XXXX
PLG
- Instant access to detailed risk factors
- Benchmark vs. industry & size peers
- Vulnerabilities
- Findings
PLG Company CyberSecurity News & History
Past Incidents
2
Attack Types
2
The BankGiro Lottery
Data Leak
Rankiteo Explanation
Attack limited on finance or reputation
Description: The BankGiro Loterij suffered from a data breach incident that exposed 450,000 lottery subscribers' details. Hackers accessed the names, addresses, and e-mail addresses of customers. In around 900 cases the bank details and date of birth were also accessible. The lotteries claimed that an IT expert discovered the leak in the record-keeping systems of a business that was in charge of sending prizes by mail to winners.
People's Postcode Lottery (PPL)
Breach
Rankiteo Explanation
Attack with significant impact with customers data leaks
Description: A technical error in People's Postcode Lottery (PPL) exposed customer data to unauthorized users when logging into the platform on **October 27**. The breach displayed other players' **names, addresses, email addresses, and dates of birth** upon refreshing the homepage. The issue was resolved within **17 minutes**, with full service restoration by **October 29**. While no external attack was detected, the glitch affected **0.1% of its 4.9 million subscribers** (~4,900 users). PPL notified impacted customers, offered **free Experian credit monitoring for a year**, and reported the incident to the **UK Information Commissioner’s Office (ICO)**. The company emphasized its commitment to preventing future occurrences and reiterated its responsibility to players. PPL operates a subscription-based lottery where **30% of ticket revenue** funds charities, having raised over **£1.5 billion** since 2005.
PLG Company Scoring based on AI Models
Cyber Incidents Likelihood 3 - 6 - 9 months
A.I Risk Score Likelihood 3 - 6 - 9 months
Underwriter Stats for PLG
Incidents vs Fundraising Industry Average (This Year)
No incidents recorded for Postcode Lottery Group in 2025.
Incidents vs All-Companies Average (This Year)
No incidents recorded for Postcode Lottery Group in 2025.
Incident Types PLG vs Fundraising Industry Avg (This Year)
No incidents recorded for Postcode Lottery Group in 2025.
Incident History — PLG (X = Date, Y = Severity)
PLG cyber incidents detection timeline including parent company and subsidiaries
PLG Company Subsidiaries
The Postcode Lottery Group’s primary aim is to raise funds for good causes locally and globally. It combines business with ideals by setting up and running successful charity lotteries. The unique Postcode Lottery format uses postcodes as ticket numbers. Neighbours play together, win together and help good causes together. It’s a fun and safe way for communities to fundraise. There are already more than 14 million subscribers in the Netherlands, Sweden, Great Britain, Germany and Norway. Further growth in these countries, and future expansion into new markets, will allow millions more to show the power of postcodes by helping to build a healthier, fairer and greener world. Postcode Lottery Group donates more than €900 million to good causes each year and over €13.5 billion has been raised since the first Postcode Lottery was launched, in the Netherlands, in 1989. Research published in 2021 named Postcode Lottery Group as the world's third largest private charity donor, after the Bill and Melinda Gates Foundation. Postcode Lottery Group is a private company, fully owned by a non-profit foundation. Our team works across Europe in our welcoming offices in Amsterdam, London, Edinburgh, Stockholm, Dusseldorf and Oslo, and are joining forces every day to develop the Postcode Lottery’s magic.
Loading...
PLG Similar Companies
Harvey McKinnon Associates (HMA)
Since 1989, the team at Harvey McKinnon Associates (HMA) has been delivering world-class service to our clients — and raising them more money for their missions. Founded by Harvey McKinnon, one of North America’s leading fundraisers, HMA offers fundraising services to nonprofit clients in Canada,
AHRC New York City Foundation, Inc.
The AHRC New York City Foundation is a fund-raising and grant-making entity that supports programs for children and adults who have intellectual and developmental disabilities and who live in New York City. The Foundation is the primary source of philanthropic support for AHRC New York City, whic
The USM Foundation
The mission of The University of Southern Mississippi Foundation is to build relationships with alumni and friends in order to secure private funds and other resources for the benefit of The University of Southern Mississippi. As a non-profit organization, the Foundation receives, invests and distri
Kidney Research UK
Kidney Research UK is the largest UK charity dedicated to research into the prevention, treatment and management of kidney disease. Kidney Research UK also dedicates its work to improving patient care and raising awareness of kidney disease. Over three million lives in the UK are threatened by ch
Western Health Foundation
The Western Health Foundation is dedicated to supporting Western Health as it grows and transforms healthcare in Melbourne's west. Working together with patients, family members, staff, clinicians, volunteers and our community, the Western Health Foundation raises, manages and invests funds to supp
Carlson Fundraising, LLC
With a proven, systematic approach developed over 30+ years of experience, Carlson Fundraising builds donor bases and moves donors up the gift pyramid, generating more legitimate major gift prospects. Carlson Fundraising is purposely a small firm which partners with select non-profit organization
.png)
PLG CyberSecurity News
September 23, 2025 07:00 AM
Festival aims to attract more women and girls to computing
The Ada Scotland Festival, named after famous mathematician Ada Lovelace, runs from 29 September to 10 October.
October 10, 2023 03:59 PM
The Paris Peace Forum unveils the 5th edition program and speakers|Press release
This fifth edition will take place on 11 and 12 November 2022 at the Palais Brongniart. The program highlights will focus on the following objectives.
February 17, 2021 08:00 AM
Graduation ceremony of the Cyber Security master: A digital party
With a trip through the Netherlands, the preparations for the graduation of the Master Cyber Security had already started weeks ago.
Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
PLG CyberSecurity History Information
Official Website of Postcode Lottery Group
The official website of Postcode Lottery Group is https://www.postcodelotterygroup.com.
Postcode Lottery Group’s AI-Generated Cybersecurity Score
According to Rankiteo, Postcode Lottery Group’s AI-generated cybersecurity score is 759, reflecting their Fair security posture.
How many security badges does Postcode Lottery Group’ have ?
According to Rankiteo, Postcode Lottery Group currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
Does Postcode Lottery Group have SOC 2 Type 1 certification ?
According to Rankiteo, Postcode Lottery Group is not certified under SOC 2 Type 1.
Does Postcode Lottery Group have SOC 2 Type 2 certification ?
According to Rankiteo, Postcode Lottery Group does not hold a SOC 2 Type 2 certification.
Does Postcode Lottery Group comply with GDPR ?
According to Rankiteo, Postcode Lottery Group is not listed as GDPR compliant.
Does Postcode Lottery Group have PCI DSS certification ?
According to Rankiteo, Postcode Lottery Group does not currently maintain PCI DSS compliance.
Does Postcode Lottery Group comply with HIPAA ?
According to Rankiteo, Postcode Lottery Group is not compliant with HIPAA regulations.
Does Postcode Lottery Group have ISO 27001 certification ?
According to Rankiteo,Postcode Lottery Group is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Industry Classification of Postcode Lottery Group
Postcode Lottery Group operates primarily in the Fundraising industry.
Number of Employees at Postcode Lottery Group
Postcode Lottery Group employs approximately 152 people worldwide.
Subsidiaries Owned by Postcode Lottery Group
Postcode Lottery Group presently has no subsidiaries across any sectors.
Postcode Lottery Group’s LinkedIn Followers
Postcode Lottery Group’s official LinkedIn profile has approximately 3,569 followers.
NAICS Classification of Postcode Lottery Group
Postcode Lottery Group is classified under the NAICS code 561499, which corresponds to All Other Business Support Services.
Postcode Lottery Group’s Presence on Crunchbase
No, Postcode Lottery Group does not have a profile on Crunchbase.
Postcode Lottery Group’s Presence on LinkedIn
Yes, Postcode Lottery Group maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/postcodelotterygroup.
Cybersecurity Incidents Involving Postcode Lottery Group
As of December 21, 2025, Rankiteo reports that Postcode Lottery Group has experienced 2 cybersecurity incidents.
Number of Peer and Competitor Companies
Postcode Lottery Group has an estimated 1,146 peer or competitor companies worldwide.
What types of cybersecurity incidents have occurred at Postcode Lottery Group ?
Incident Types: The types of cybersecurity incidents that have occurred include Data Leak and Breach.
How does Postcode Lottery Group detect and respond to cybersecurity incidents ?
Detection and Response: The company detects and responds to cybersecurity incidents through an third party assistance with experian (credit monitoring), and containment measures with service taken offline within 17 minutes of discovery, and remediation measures with bug fix deployed, remediation measures with system restoration, and recovery measures with full service restoration by 2023-10-29 09:00 utc, and communication strategy with email notifications to affected customers, communication strategy with public statement, communication strategy with apology issued, communication strategy with offer of 1 year free experian credit monitoring..
Incident Details
Can you provide details on each incident ?
Title: BankGiro Loterij Data Breach
Description: The BankGiro Loterij suffered from a data breach incident that exposed 450,000 lottery subscribers' details.
Type: Data Breach
Threat Actor: Hackers
Title: People's Postcode Lottery Customer Data Exposure Due to Technical Error
Description: A technical error in People's Postcode Lottery (PPL) caused customer data to be exposed to other users upon logging in. The exposed data included names, addresses, email addresses, and dates of birth. The issue was resolved within 17 minutes of discovery, with services fully restored by October 29, 2023. Approximately 0.1% of PPL's 4.9 million subscribers were affected. The company reported the incident to the Information Commissioner's Office (ICO) and offered affected customers a year of free Experian credit monitoring.
Date Detected: 2023-10-27
Date Publicly Disclosed: 2023-10-27
Date Resolved: 2023-10-29T09:00:00Z
Type: Data Exposure (Unintentional Disclosure)
Vulnerability Exploited: Technical error in user data retrieval/logic (likely session or caching misconfiguration)
What are the most common types of attacks the company has faced ?
Common Attack Types: The most common types of attacks the company has faced is Data Leak.
Impact of the Incidents
What was the impact of each incident ?
Incident : Data Breach THE121728822
Data Compromised: Names, Addresses, E-mail addresses, Bank details, Date of birth
Incident : Data Exposure (Unintentional Disclosure) PEO4732247103025
Data Compromised: Names, Addresses, Email addresses, Dates of birth
Systems Affected: Customer portal/web application
Downtime: 17 minutes (initial outage) + ~48 hours (full service restoration)
Operational Impact: Temporary suspension of online services; customer notifications and credit monitoring enrollment
Customer Complaints: Likely (forum posts reported the issue)
Brand Reputation Impact: Moderate (public apology issued; proactive communication with affected users)
Legal Liabilities: Potential (reported to ICO; no fines mentioned yet)
Identity Theft Risk: Moderate (PII exposed; credit monitoring offered)
What types of data are most commonly compromised in incidents ?
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Names, Addresses, E-Mail Addresses, Bank Details, Date Of Birth, , Personally Identifiable Information (Pii) and .
Which entities were affected by each incident ?
Incident : Data Breach THE121728822
Entity Name: BankGiro Loterij
Entity Type: Organization
Industry: Gaming/Lottery
Customers Affected: 450000
Incident : Data Exposure (Unintentional Disclosure) PEO4732247103025
Entity Name: People's Postcode Lottery (PPL)
Entity Type: Private Company (Lottery Operator)
Industry: Gambling/Lottery
Location: United Kingdom
Size: 4.9 million subscribers (2022)
Customers Affected: ~0.1% of 4.9 million (~4,900 customers)
Response to the Incidents
What measures were taken in response to each incident ?
Incident : Data Exposure (Unintentional Disclosure) PEO4732247103025
Incident Response Plan Activated: True
Third Party Assistance: Experian (Credit Monitoring).
Containment Measures: Service taken offline within 17 minutes of discovery
Remediation Measures: Bug fix deployedSystem restoration
Recovery Measures: Full service restoration by 2023-10-29 09:00 UTC
Communication Strategy: Email notifications to affected customersPublic statementApology issuedOffer of 1 year free Experian credit monitoring
How does the company involve third-party assistance in incident response ?
Third-Party Assistance: The company involves third-party assistance in incident response through Experian (credit monitoring), .
Data Breach Information
What type of data was compromised in each breach ?
Incident : Data Breach THE121728822
Type of Data Compromised: Names, Addresses, E-mail addresses, Bank details, Date of birth
Number of Records Exposed: 450000
Incident : Data Exposure (Unintentional Disclosure) PEO4732247103025
Type of Data Compromised: Personally identifiable information (pii)
Number of Records Exposed: ~4,900
Sensitivity of Data: High (PII including names, addresses, emails, DOBs)
What measures does the company take to prevent data exfiltration ?
Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Bug fix deployed, System restoration, .
How does the company handle incidents involving personally identifiable information (PII) ?
Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by service taken offline within 17 minutes of discovery and .
Ransomware Information
How does the company recover data encrypted by ransomware ?
Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Full service restoration by 2023-10-29 09:00 UTC, .
Regulatory Compliance
Were there any regulatory violations and fines imposed for each incident ?
Incident : Data Exposure (Unintentional Disclosure) PEO4732247103025
Regulations Violated: Potential GDPR (UK GDPR) violation,
Regulatory Notifications: Reported to Information Commissioner's Office (ICO)
Lessons Learned and Recommendations
What lessons were learned from each incident ?
Incident : Data Exposure (Unintentional Disclosure) PEO4732247103025
Lessons Learned: Importance of rigorous testing for session/caching mechanisms in customer-facing applications; need for rapid incident response to minimize exposure duration.
What recommendations were made to prevent future incidents ?
Incident : Data Exposure (Unintentional Disclosure) PEO4732247103025
Recommendations: Conduct a thorough security audit of the customer portal, particularly session management and data retrieval logic., Implement multi-layered access controls to prevent unauthorized data exposure., Enhance logging and monitoring to detect anomalous data access patterns in real-time., Regularly review and test incident response plans to ensure swift containment.Conduct a thorough security audit of the customer portal, particularly session management and data retrieval logic., Implement multi-layered access controls to prevent unauthorized data exposure., Enhance logging and monitoring to detect anomalous data access patterns in real-time., Regularly review and test incident response plans to ensure swift containment.Conduct a thorough security audit of the customer portal, particularly session management and data retrieval logic., Implement multi-layered access controls to prevent unauthorized data exposure., Enhance logging and monitoring to detect anomalous data access patterns in real-time., Regularly review and test incident response plans to ensure swift containment.Conduct a thorough security audit of the customer portal, particularly session management and data retrieval logic., Implement multi-layered access controls to prevent unauthorized data exposure., Enhance logging and monitoring to detect anomalous data access patterns in real-time., Regularly review and test incident response plans to ensure swift containment.
What are the key lessons learned from past incidents ?
Key Lessons Learned: The key lessons learned from past incidents are Importance of rigorous testing for session/caching mechanisms in customer-facing applications; need for rapid incident response to minimize exposure duration.
References
Where can I find more information about each incident ?
Incident : Data Exposure (Unintentional Disclosure) PEO4732247103025
Source: The Register
Where can stakeholders find additional resources on cybersecurity best practices ?
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: The Register.
Investigation Status
What is the current status of the investigation for each incident ?
Incident : Data Exposure (Unintentional Disclosure) PEO4732247103025
Investigation Status: Completed (root cause identified as technical error; no external attack)
How does the company communicate the status of incident investigations to stakeholders ?
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Email Notifications To Affected Customers, Public Statement, Apology Issued and Offer Of 1 Year Free Experian Credit Monitoring.
Stakeholder and Customer Advisories
Were there any advisories issued to stakeholders or customers for each incident ?
Incident : Data Exposure (Unintentional Disclosure) PEO4732247103025
Stakeholder Advisories: Public statement and email notifications to affected customers.
Customer Advisories: Emails sent to affected users with details of the incident and offer of free credit monitoring.
What advisories does the company provide to stakeholders and customers following an incident ?
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Public statement and email notifications to affected customers. and Emails sent to affected users with details of the incident and offer of free credit monitoring..
Post-Incident Analysis
What were the root causes and corrective actions taken for each incident ?
Incident : Data Exposure (Unintentional Disclosure) PEO4732247103025
Root Causes: Technical error in the system logic that retrieved and displayed customer data, likely tied to session or caching mechanisms.
Corrective Actions: Bug Fix Deployed To Resolve The Data Exposure Issue., Enhanced Monitoring And Testing Protocols Implemented (Implied By Statement On Preventing Future Incidents).,
What is the company's process for conducting post-incident analysis ?
Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Experian (Credit Monitoring), .
What corrective actions has the company taken based on post-incident analysis ?
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Bug Fix Deployed To Resolve The Data Exposure Issue., Enhanced Monitoring And Testing Protocols Implemented (Implied By Statement On Preventing Future Incidents)., .
Additional Questions
General Information
Who was the attacking group in the last incident ?
Last Attacking Group: The attacking group in the last incident was an Hackers.
Incident Details
What was the most recent incident detected ?
Most Recent Incident Detected: The most recent incident detected was on 2023-10-27.
What was the most recent incident publicly disclosed ?
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2023-10-27.
What was the most recent incident resolved ?
Most Recent Incident Resolved: The most recent incident resolved was on 2023-10-29T09:00:00Z.
Impact of the Incidents
What was the most significant data compromised in an incident ?
Most Significant Data Compromised: The most significant data compromised in an incident were Names, Addresses, E-mail addresses, Bank details, Date of birth, , names, addresses, email addresses, dates of birth and .
What was the most significant system affected in an incident ?
Most Significant System Affected: The most significant system affected in an incident was Customer portal/web application.
Response to the Incidents
What third-party assistance was involved in the most recent incident ?
Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was experian (credit monitoring), .
What containment measures were taken in the most recent incident ?
Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident was Service taken offline within 17 minutes of discovery.
Data Breach Information
What was the most sensitive data compromised in a breach ?
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Bank details, addresses, names, Names, email addresses, Date of birth, E-mail addresses, Addresses and dates of birth.
What was the number of records exposed in the most significant breach ?
Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 5.3K.
Lessons Learned and Recommendations
What was the most significant lesson learned from past incidents ?
Most Significant Lesson Learned: The most significant lesson learned from past incidents was Importance of rigorous testing for session/caching mechanisms in customer-facing applications; need for rapid incident response to minimize exposure duration.
What was the most significant recommendation implemented to improve cybersecurity ?
Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Regularly review and test incident response plans to ensure swift containment., Enhance logging and monitoring to detect anomalous data access patterns in real-time., Implement multi-layered access controls to prevent unauthorized data exposure., Conduct a thorough security audit of the customer portal and particularly session management and data retrieval logic..
References
What is the most recent source of information about an incident ?
Most Recent Source: The most recent source of information about an incident is The Register.
Investigation Status
What is the current status of the most recent investigation ?
Current Status of Most Recent Investigation: The current status of the most recent investigation is Completed (root cause identified as technical error; no external attack).
Stakeholder and Customer Advisories
What was the most recent stakeholder advisory issued ?
Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Public statement and email notifications to affected customers., .
What was the most recent customer advisory issued ?
Most Recent Customer Advisory: The most recent customer advisory issued was an Emails sent to affected users with details of the incident and offer of free credit monitoring.
.png)
Latest Global CVEs (Not Company-Specific)
Description
Versa SASE Client for Windows versions released between 7.8.7 and 7.9.4 contain a local privilege escalation vulnerability in the audit log export functionality. The client communicates user-controlled file paths to a privileged service, which performs file system operations without impersonating the requesting user. Due to improper privilege handling and a time-of-check time-of-use race condition combined with symbolic link and mount point manipulation, a local authenticated attacker can coerce the service into deleting arbitrary directories with SYSTEM privileges. This can be exploited to delete protected system folders such as C:\\Config.msi and subsequently achieve execution as NT AUTHORITY\\SYSTEM via MSI rollback techniques.
Risk Information
cvss4
Base: 8.5
Severity: LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to unauthorized modification of data due to a missing capability check on the 'cs_update_application_status_callback' function in all versions up to, and including, 7.7. This makes it possible for authenticated attackers, with Candidate-level access and above, to inject cross-site scripting into the 'status' parameter of applied jobs for any user.
Risk Information
cvss3
Base: 7.6
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Description
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'cs_update_application_status_callback' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Candidate-level access and above, to send a site-generated email with injected HTML to any user.
Risk Information
cvss3
Base: 4.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Description
The FiboSearch – Ajax Search for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `thegem_te_search` shortcode in all versions up to, and including, 1.32.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires TheGem theme (premium) to be installed with Header Builder mode enabled, and the FiboSearch "Replace search bars" option enabled for TheGem integration.
Risk Information
cvss3
Base: 5.4
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
References
- https://plugins.trac.wordpress.org/browser/ajax-search-for-woocommerce/tags/1.32.0/partials/themes/thegem-elementor.php#L104
- https://plugins.trac.wordpress.org/browser/ajax-search-for-woocommerce/tags/1.32.0/partials/themes/thegem-elementor.php#L94
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3420841%40ajax-search-for-woocommerce%2Ftrunk&old=3398612%40ajax-search-for-woocommerce%2Ftrunk&sfp_email=&sfph_mail=#file136
- https://wordpress.org/plugins/ajax-search-for-woocommerce
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8149103e-105d-401d-8a15-b07d131baaac?source=cve
Description
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.0 via the ajax_get_members function. This is due to the use of a predictable low-entropy token (5 hex characters derived from md5 of post ID) to identify member directories and insufficient authorization checks on the unauthenticated AJAX endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including usernames, display names, user roles (including administrator accounts), profile URLs, and user IDs by enumerating predictable directory_id values or brute-forcing the small 16^5 token space.
Risk Information
cvss3
Base: 5.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
- https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/class-functions.php#L41
- https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-ajax-common.php#L61
- https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-member-directory.php#L205
- https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/includes/core/class-member-directory.php#L2795
- https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.10.6/templates/members.php#L26
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3421362%40ultimate-member%2Ftrunk&old=3408617%40ultimate-member%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/61337d2d-d15a-45f2-b730-fc034eb3cd31?source=cve
Access Data Using Our API
Get company history
curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=postcodelotterygroup' -H 'apikey: YOUR_API_KEY_HERE'
RapidWhat Do We Measure ?
Incident
Finding
Grade
Digital Assets
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Network Security
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
SBOM (Software Bill of Materials)
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
CMDB (Configuration Management Database)
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Threat Intelligence
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.
