Critical Flaws in Cacti Framework Could Let Attackers Execute Malicious Code

May 14, 2024 at 08:30AM Cacti network monitoring framework has addressed a dozen security flaws, including critical vulnerabilities like arbitrary code execution via file write and command injection. These flaws impact all versions prior to 1.2.26 and have been fixed in version 1.2.27. Users are advised to update to the latest version promptly to mitigate …

F5 Patches Dangerous Vulnerabilities in BIG-IP Next Central Manager

May 9, 2024 at 07:09AM F5 announced patches for its BIG-IP Next Central Manager to fix five vulnerabilities allowing complete device control. Eclypsium found the vulnerabilities but only two have CVE identifiers. One patched vulnerability is high severity, enabling unauthenticated attackers to execute malicious SQL statements. F5 states no impact beyond Next Central Manager. Eclypsium …

New BIG-IP Next Central Manager bugs allow device takeover

May 8, 2024 at 03:55PM F5 has addressed two critical vulnerabilities in BIG-IP Next Central Manager, allowing attackers to gain admin control and create hidden rogue accounts. Exploiting SQL and OData injection flaws, unauthenticated attackers could execute malicious code remotely. Despite a temporary mitigation, F5 urges immediate patching or access restriction. There’s currently no evidence …

Hackers exploit LiteSpeed Cache flaw to create WordPress admins

May 7, 2024 at 05:48PM Hackers are exploiting vulnerabilities in outdated LiteSpeed Cache and Email Subscribers plugins for WordPress, creating rogue admin users and compromising sites. An unauthenticated cross-site scripting flaw, CVE-2023-40000, affects LiteSpeed Cache versions older than 5.7.0.1, while Email Subscribers plugin versions 5.7.14 and older are vulnerable to a critical SQL injection flaw, …

Critical WordPress Automatic Plugin Vulnerability Exploited to Inject Backdoors

April 26, 2024 at 06:12AM Threat actors are exploiting a critical-severity vulnerability (CVE-2024-27956, CVSS score 9.8) in the WordPress Automatic plugin, allowing them to inject malicious code, gain admin privileges, create new accounts, and maintain access to compromised sites. Over 5 million exploit attempts have been seen. Users are advised to update to version 3.92.1 to …

Hackers Exploiting WP-Automatic Plugin Bug to Create Admin Accounts on WordPress Sites

April 26, 2024 at 02:42AM Threat actors are actively exploiting a critical security flaw (CVE-2024-27956) in the WP‑Automatic plugin for WordPress, posing a high risk. Exploitation can lead to unauthorized access, admin account creation, file uploads, and site control. Over 5.5M attack attempts have been detected, alongside other plugin vulnerabilities (e.g., CVE-2024-2876, CVE-2024-28890, CVE-2024-2417, CVE-2024-32514). Stay updated for more …

WP Automatic WordPress plugin hit by millions of SQL injection attacks

April 25, 2024 at 10:29AM Hackers are targeting the WP Automatic plugin for WordPress, exploiting the CVE-2024-27956 vulnerability. The issue allows the creation of admin accounts and backdoors. Over 5.5 million attack attempts have been recorded, prompting the recommendation to update to version 3.92.1 and to back up websites frequently to mitigate the risk. After reviewing the meeting …

How to Tame SQL injection

April 4, 2024 at 08:47AM As part of its Secure by Design initiative, the Cybersecurity and Infrastructure Security Agency has urged companies to intensify their efforts to eliminate SQL injection vulnerabilities. …

Critical flaw in LayerSlider WordPress plugin impacts 1 million sites

April 3, 2024 at 02:28PM LayerSlider, a popular WordPress plugin with over one million users, has been found to be vulnerable to unauthenticated SQL injection, allowing attackers to extract sensitive data from websites. Researcher AmrAwad received a $5,500 bounty for reporting this critical flaw, which has been addressed by the release of version 7.10.1, requiring …

Critical Vulnerability Found in LayerSlider Plugin Installed on a Million WordPress Sites

April 3, 2024 at 09:18AM A critical SQL injection vulnerability in the LayerSlider plugin, tracked as CVE-2024-2879 with a CVSS score of 9.8, allows unauthenticated attackers to extract sensitive information from website databases. The issue was reported through Defiant’s bug bounty program, and a $5,500 reward was given to the reporting researcher. Users are advised …