Episode 125: Critical SQL Injection Vulnerability Patched in WooCommerce
Think Like a Hacker with Wordfence
by Wordfence
3y ago
A critical SQL injection vulnerability was discovered in WooCommerce, the most popular e-Commerce plugin used by over 5 million WordPress sites. The WordPress.org team pushed a forced security update ensuring that over 90 versions of WooCommerce were patched. REvil ransomware gang targeted a zero-day vulnerability in Kaseya, used by many in the banking industry, before going dark. A new SolarWinds zero-day was found in their Serv-U FTP platform. WordPress 5.8 will be released next week with many new features, as well as removing support for Internet Explorer 11. Microsoft released a number of ..read more
Episode 124: PrintNightmare 0Day Exploit Accidentally Leaked Online
Security researchers accidentally leaked zero-day exploit code for a new Windows bug, now called PrintNightmare, while easily exploitable vulnerabilities in the ProfilePress plugin, previously called WP User Avatar, were patched quickly. An unprotected cloud database containing over 814 million DreamHost user records was found online. Google Chrome is getting a HTTPS-only feature in an upcoming version, and two bugs, one of which is a zero-day, are leading to attackers fighting over control of internet-connected Western Digital My Book Live devices ..read more
Episode 123: Over 30 Million Dell Devices at Risk for Remote BIOS Attacks
Over 30 million Dell devices are at risk for remote BIOS attacks due to four separate security bugs, which can have far-reaching effects for enterprise organizations heavily invested in Dell devices. VMware Carbon Black App Control has been updated this week to fix a critical-severity vulnerability that allows authentication bypass. Antivirus creator John McAfee dies in a Spanish jail, and a bug found by a security researcher in Atlassian’s authentication could have led to a supply chain attack. A security update is planned for Google Drive that could break shared links. And a number of ..read more
Episode 122: Largest Password Dump in History Fuels Credential Stuffing Extravaganza
Sites running Jetpack are being infected via compromised WordPress.com credentials. The largest password dump ever with 8.4 billion passwords is used in credential stuffing attacks. Wordfence Threat Intelligence discloses new plugin vulnerabilities as well as a vulnerability at tsoHost. Data Breaches impact VW and EA, REvil compromises a nuclear weapons contractor, and TurboTax accounts are taken over. Ransomware surveys show conflicting results. Chrome and iOS Safari are both patched against 0-days ..read more
Episode 121: Wordfence is Now a CVE Numbering Authority (CNA)
Wordfence is now a CVE Numbering Authority, or CNA. As a CNA, Wordfence can now assign CVE IDs for new vulnerabilities in WordPress Core, WordPress plugins and WordPress themes. An outage at Fastly takes down major websites including Reddit, Twitch, Amazon, and many others. Microsoft patches numerous Windows 0-day vulnerabilities, and Google patches an RCE in Android phones. An FBI informant and a messaging app led to a huge global crime sting, and Windows container malware targets Kubernetes clusters used by numerous data centers ..read more
Episode 120: Jetpack Autoupdate Security Patch Bypasses Local Settings
A security fix for an information leak vulnerability was pushed out to WordPress sites using Jetpack that bypassed local settings preventing autoupdates. A ransomware attack on JBS that shut down meat processing operations in the United States has been attributed to REvil, a private Russian ransomware-as-a-service operation. A critical zero-day vulnerability was discovered by the Wordfence site cleaning team in the Fancy Product Manager plugin, used by 17,000 WordPress sites. Amazon devices will soon automatically share your Internet with neighbors, unless you opt out by June 8. Google PPC ad ..read more
Episode 119: Critical VMware Vulnerability Threatens Data Centers
A critical vulnerability in VMware's vCenter Server threatens some of the largest data centers in the world. An actively exploited 0-day in macOS was used to take screenshots of infected computers. Codecov claims another victim as Japanese e-Commerce unicorn Mercari reports a massive data breach. Domino's India and Air India suffer from large-scale data breaches. And last, but not least, it's time to update Chrome again, thanks to some high-severity vulnerabilities that were just patched ..read more
Episode 118: Four Android Vulnerabilities Under Active Attack
Four memory corruption vulnerabilities are being actively exploited on Android devices and nearly 2 dozen popular Android apps exposed over 100 Million users’ sensitive information in cloud databases. Over 600,000 sites using WP Statistics required a patch to fix a blind SQL injection vulnerability. WP User Avatar undergoes a dramatic rebranding to ProfilePress, adding completely divergent functionality and causing a user revolt in reviews. More details emerge about the ransomware attack on Colonial Pipeline, as DarkSide shuts down after losing access to their infrastructure. A popular Russian ..read more
Podcast 117: Cyber Attack on Colonial Pipeline Affects Fuel Availability in 17 States
A ransomware attack on Colonial Pipeline affected fuel availability in 17 southeastern US states, and Bloomberg reported that Colonial Pipeline paid $5 million to DarkSide, a Russia-based ransomware service provider. The Biden Administration issued an executive order to increase US cybersecurity defenses. WordPress 5.7.2 was released to patch a critical object injection vulnerability in PHPMailer. A critical vulnerability was patched in the External Media plugin, used by over 8K sites. Vulnerabilities were discovered in all WiFi devices, and a patch is available for a zero-day RCE under active a ..read more
Episode 116: Packagist Patch Shows how Supply Chain Threats Could Impact WordPress
A vulnerability discovered in Packagist, which is used by Composer to manage PHP package requests, could have allowed attackers to cause Composer to download the wrong source code, potentially affecting all WordPress sites. Packagist reports that it's not aware of any exploits. A SQL injection vulnerability was patched in the CleanTalk AntiSpam plugin installed on over 100k sites. Vulnerabilities were discovered in Exim mail server, including 3 RCE vulnerabilities. We’re seeing some of the first trickle-down attacks from the Codecov supply chain attack, first from HashiCorp and also from Twili ..read more