Security News

Tens of thousands of WordPress sites are at risk from critical vulnerabilities in a widely used plug-in that facilitates the use of PHP code on a site. The plug-in does precisely what its name suggests, allowing WordPress site developers to put PHP code in various components of a site, including pages, posts and sidebars.

Critical security vulnerabilities have been disclosed in a WordPress plugin known as PHP Everywhere that's used by more than 30,000 websites worldwide and could be abused by an attacker to execute arbitrary code on affected systems. PHP Everywhere is used to flip the switch on PHP code across WordPress installations, enabling users to insert and execute PHP-based code in the content management system's Pages, Posts, and Sidebar.

PHP Everywhere is a plugin that allows WordPress admins to insert PHP code in pages, posts, the sidebar, or any Gutenberg block, and use it to display dynamic content based on evaluated PHP expressions. CVE-2022-24663 - Remote code execution flaw exploitable by any subscriber by allowing them to send a request with the 'shortcode' parameter set to PHP Everywhere, and execute arbitrary PHP code on the site.

Cybercrime groups are distributing malicious PHP web shells disguised as a favicon to maintain remote access to the compromised servers and inject JavaScript skimmers into online shopping platforms with an aim to steal financial information from their users. Injecting web skimmers on e-commerce websites to steal credit card details is a tried-and-tested modus operandi of Magecart, a consortium of different hacker groups who target online shopping cart systems.

We look into Apple's recent emergency updates that closed off four in-the-wild browser bugs. We explain how the infamous "Flubot" home delivery scam works and how to stop it.

Supply chain researcher Max Justicz noticed that he could upload new PHP packages that would trick the Packagist system into running commands of his choice, rather than simply dowloading and publishing his submission. The 2018 exploit involved simply swapping out a URL for a system command, and instead of Composer downloading data from a URL, it would inadvertently run the command inserted where the URL was supposed to be.

The maintainers of Composer, a package manager for PHP, have shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and "Backdoor every PHP package," resulting in a supply-chain attack. "Fixed command injection vulnerability in HgDriver/HgDownloader and hardened other VCS drivers and downloaders," Composer said its release notes for versions 2.0.13 and 1.10.22 published on Wednesday.

WordPress has released version 5.7.1 of its popular content management system, which brings more than 25 bug fixes, including patches for two security vulnerabilities. One of the patched security flaws is an XML External Entity vulnerability in the ID3 library in PHP 8, which is used by WordPress.

Unknown hackers attempted to add a backdoor to the PHP source code. It was two malicious commits, with the subject "Fix typo" and the names of known PHP developers and maintainers.

The developers of the PHP scripting language have shared an update on the recently disclosed breach in which attackers planted malicious code. Php.net server and it was apparently designed to allow an attacker to remotely execute arbitrary PHP code.