May 9, 2024 at 07:09AM F5 announced patches for its BIG-IP Next Central Manager to fix five vulnerabilities allowing complete device control. Eclypsium found the vulnerabilities but only two have CVE identifiers. One patched vulnerability is high severity, enabling unauthenticated attackers to execute malicious SQL statements. F5 states no impact beyond Next Central Manager. Eclypsium … Read more
May 8, 2024 at 03:55PM F5 has addressed two critical vulnerabilities in BIG-IP Next Central Manager, allowing attackers to gain admin control and create hidden rogue accounts. Exploiting SQL and OData injection flaws, unauthenticated attackers could execute malicious code remotely. Despite a temporary mitigation, F5 urges immediate patching or access restriction. There’s currently no evidence … Read more
May 7, 2024 at 05:48PM Hackers are exploiting vulnerabilities in outdated LiteSpeed Cache and Email Subscribers plugins for WordPress, creating rogue admin users and compromising sites. An unauthenticated cross-site scripting flaw, CVE-2023-40000, affects LiteSpeed Cache versions older than 5.7.0.1, while Email Subscribers plugin versions 5.7.14 and older are vulnerable to a critical SQL injection flaw, … Read more
April 26, 2024 at 06:12AM Threat actors are exploiting a critical-severity vulnerability (CVE-2024-27956, CVSS score 9.8) in WordPress Automatic plugin, allowing them to inject malicious code, gain admin privileges, create new accounts, and maintain access to compromised sites. Over 5 million exploit attempts have been seen. Users are advised to update to version 3.92.1 to … Read more
April 26, 2024 at 02:42AM Threat actors are actively exploiting a critical security flaw (CVE-2024-27956) in WP‑Automatic plugin for WordPress, posing high risk. Exploitation can lead to unauthorized access, admin account creation, file uploads, and site control. Over 5.5M attack attempts detected, alongside other plugin vulnerabilities (e.g., CVE-2024-2876, CVE-2024-28890, CVE-2024-2417, CVE-2024-32514). Stay updated for more … Read more
April 25, 2024 at 10:29AM Hackers are targeting WP Automatic plugin for WordPress, exploiting the CVE-2024-27956 vulnerability. The issue allows the creation of admin accounts and backdoors. Over 5.5 million attack attempts have been recorded, prompting the recommendation to update to version 3.92.1 and frequently backup websites to mitigate the risk. After reviewing the meeting … Read more
April 4, 2024 at 08:47AM The Cybersecurity and Infrastructure Security Agency is promoting the Secure by Design initiative, advising companies to intensify their efforts in eliminating SQL injection vulnerabilities. As part of its Secure by Design initiative, the Cybersecurity and Infrastructure Security Agency has urged companies to intensify their efforts to eliminate SQL injection vulnerabilities. … Read more
April 3, 2024 at 02:28PM LayerSlider, a popular WordPress plugin with over one million users, has been found to be vulnerable to unauthenticated SQL injection, allowing attackers to extract sensitive data from websites. Researcher AmrAwad received a $5,500 bounty for reporting this critical flaw, which has been addressed by the release of version 7.10.1, requiring … Read more
April 3, 2024 at 09:18AM A critical SQL injection vulnerability in the LayerSlider plugin, tracked as CVE-2024-2879 with a CVSS score of 9.8, allows unauthenticated attackers to extract sensitive information from website databases. The issue was reported through Defiant’s bug bounty program, and a $5,500 reward was given to the reporting researcher. Users are advised … Read more
April 3, 2024 at 02:03AM A critical security flaw (CVE-2024-2879) in LayerSlider plugin for WordPress, with a CVSS score of 9.8, could lead to information extraction from databases. The vulnerability, fixed in version 7.10.1, arose from SQL injection and could allow unauthenticated attackers to manipulate SQL queries. Other WordPress plugins have also disclosed security vulnerabilities … Read more