Security News
Critical security vulnerabilities have been disclosed in a WordPress plugin known as PHP Everywhere that is used by more than 30,000 websites worldwide and could be abused by an attacker to execute arbitrary code on affected systems. PHP Everywhere lets users insert and execute PHP code across WordPress installations, in the content management system's Pages, Posts, and Sidebar.
PHP Everywhere is a plugin that allows WordPress admins to insert PHP code in pages, posts, the sidebar, or any Gutenberg block, and use it to display dynamic content based on evaluated PHP expressions. CVE-2022-24663 is a remote code execution flaw exploitable by any user with the subscriber role: by sending a request with the 'shortcode' parameter set to PHP Everywhere, such a user can execute arbitrary PHP code on the site.
A critical-severity vulnerability in the Samba platform could allow attackers to gain remote code execution with root privileges on servers. Samba is an interoperability suite that allows Windows and Linux/Unix-based hosts to work together and share file and print services with multiplatform devices on a common network, including SMB file sharing.
Essential Addons for Elementor, a popular WordPress plugin used on over a million sites, has been found to have a critical remote code execution vulnerability in version 5.0.4 and older. The flaw allows an unauthenticated user to perform a local file inclusion attack, pulling in a local file such as a PHP file, to execute code on the site.
Exploit broker Zerodium has announced a payout increase to $400,000 for zero-day vulnerabilities that allow remote code execution in the Microsoft Outlook email client. Zerodium's regular bounty for an RCE vulnerability in Microsoft Outlook for Windows is $250,000, and submissions are expected to be "accompanied by a fully functional and reliable exploit."
Researchers have discovered two critical bugs in Control Web Panel, a popular web hosting management software used by 200K+ servers, that could allow remote code execution as root on vulnerable Linux servers. CWP, formerly known as CentOS Web Panel, is open-source Linux control panel software used for creating and managing web hosting environments.
Successful exploitation can let remote unauthenticated attackers execute code as the 'nobody' user on compromised SonicWall appliances. "There are no temporary mitigations. SonicWall urges impacted customers to implement applicable patches as soon as possible," the company said in December after releasing the CVE-2021-20038 security updates, adding that it had found no evidence the bug was exploited in the wild at the time.
There's a dangerous remote code execution bug in the Dark Souls video game that could let attackers brick the PCs of online players. The main problem is with Dark Souls III, but the remote code execution vulnerability also affects earlier games in the Dark Souls series, leading the developers to temporarily turn off player-versus-player servers across Dark Souls Remastered, Dark Souls II and Dark Souls III. PvP refers to players being able to interact and duel with each other.
Bandai Namco has deactivated the online PvP mode for the Dark Souls role-playing game, taking its servers offline to investigate reports about a severe security issue that may pose a risk to players. The issue became widely known on Saturday in a post on Discord clarifying that the game developer received details about the RCE vulnerability in a responsible disclosure report straight from the person who discovered it.
Researchers have disclosed details of two critical security vulnerabilities in Control Web Panel that could be abused as part of an exploit chain to achieve pre-authenticated remote code execution on affected servers. Tracked as CVE-2021-45467, the issue concerns a case of a file inclusion vulnerability, which occurs when a web application is tricked into exposing or running arbitrary files on the web server.