Three critical privilege escalation vulnerabilities in the Ultimate Member plugin put over 100,000 sites at risk. We also talk about the Page Experience metric to be added as a ranking signal for Google search and what this means for WordPress sites using page builders or Gutenberg. Microsoft warns against using telephone/SMS-based multi-factor authentication, and a number of zero day vulnerabilities were patched in Google Chrome and Windows.

A hosting provider exposed 63+ million customer records via an open elastic search database containing exposed username/password credentials for numerous WordPress, Magento and other sites. We also talk about the security updates in WordPress 5.5.2/5.5.3, about object injection vulnerabilities like the one discovered in the Welcart e-Commerce plugin, and how POP chain attacks work. And Google's Project Zero finds a high-severity vulnerability in GitHub Actions not fixed within the disclosure grace period.

We cover a couple of breaking stories this week, including the emergency release of WordPress 5.5.3 on October 30, with a number of sites autoupdating to version 5.5.3-alpha. We also look at the the defacement of the Trump Campaign website, and how 2FA could have prevented it. We also look at the implications of a massive Nitro database impacting large organizations. A botnet is targeting a number of content management systems, including WP sites. AdWare is found on the Google Play Store targeting kids.

An easily exploitable SQL injection vulnerability was discovered in the Loginizer plugin installed on over 1 million WordPress sites, causing the WordPress team to force an update to sites using the vulnerable version. The Justice department is filing antitrust suit against Google for allegedly monopolizing search and search advertising markets. Google Chrome gets an update to fix an actively exploited zero-day vulnerability. And a new feature in Jetpack allows users to post Tweetstorms through WordPress.

This week, we chat about the CSRF vulnerability found in the Child Theme Creator by Orbisius and how attackers could use a vulnerability like this with spearphishing to wreak havoc, much like the phishing campaigns now being found on the Canva design platform. We discuss the benefits of adding application passwords for REST API authentication planned for WordPress version 5.6, and the ramifications of the critical, wormable RCE bug patched by Microsoft.

A vulnerability discovered by the Wordfence Threat Intelligence team in the WPBakery plugin exposes over 4 million sites. High severity vulnerabilities were discovered in the Post Grid and Team Showcase plugins. The online avatar service Gravatar, has been exposed to a user enumeration technique, which could be abused to collect data on its users' profiles, and a card skimmer was found on Boom! Mobile's web site, putting customer card data at risk.

Shopify reports that rogue employees stole data from 200 merchants on their platform. A security researcher found a vulnerability in the Medium Partner Program could have allowed an attacker to steal writers' earnings. Symantec reports that a state-sponsored hacking group has been hiding out in company networks as a part of an information-stealing campaign. And Twitter reports that an API bug exposed app keys and tokens via a caching issue.

Our Threat Intelligence team discovered vulnerabilities in XCloner Backup and Restore, affecting 30K+ sites. CISA is warning of persistent malicious activity connected to LokiBot. An API change will break Facebook & Instagram oEmbed links after October 24. Google has launched the Web Stories for WordPress plugin making full-screen, tappable content possible. Drupal patches a critical reflected XSS vulnerability, & a critical stored XSS vulnerability in Instagram's Spark AR Studio nets a 14-year-old $25,000.

Vulnerabilities were patched in the Discount Rules for WooCommerce plugin installed on 40k+ WordPress sites. Developers from OWASP said ModSecurity v3 is exposed to denial of service exploits, though maintainers of ModSecurity reject that claim. A severe vulnerability in Windows Netlogon was patched in August; this bug could be exploited to attack enterprise servers. A researcher discovered that the Windows TCPIP Finger command can function as a file downloader & a makeshift command & control server.

Millions of attacks have been targeting the recent File Manager plugin vulnerability, and 2 attackers are vying for control over sites compromised through the vulnerability. A security researcher revealed that specially crafted Windows 10 themes can be used to perform Pass-the-Hash attacks. A database belonging to the Digital Point webmaster forum leaked records of 800k+ members. Visa is warning of a new Baka Javascript credit card skimmer that removes itself from memory after exfiltrating stolen data.