Lifeboat Foundation: Safeguarding Humanity
Toggle light / dark theme

Blog

Category: security

Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites

Threat actors are actively exploiting a critical security flaw in Everest Forms Pro, a WordPress plugin with about 4,000 active installations, to execute arbitrary code, leading to a complete site compromise.

The vulnerability in question is CVE-2026–3300 (CVSS score: 9.8), a remote code execution bug impacting all versions of the plugin up to, and including, 1.9.12. A patch for the flaw was released on March 18, 2026, with version 1.9.13.

“This is due to the Calculation Addon’s process_filter function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval,” Wordfence said.

Cisco Catalyst SD-WAN Manager CVE-2026–20245 Flaw Actively Exploited — No Patch Available

“A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system,” Cisco said in an advisory.

The network security company said the vulnerability is the result of insufficient validation of user-supplied input, which an attacker could exploit by uploading a crafted file to the affected system. This, in turn, could permit the attacker to perform command injection attacks and elevate their privileges as the root user.

“To exploit this vulnerability, the attacker must have netadmin privileges on the affected system,” Cisco added. “This would require valid credentials or exploitation of CVE-2026–20182 or CVE-2026–20127. Cisco is not aware of successful exploitation by other methods.”

Suspicious Polyfill login prompts pop up on Toshiba, Muji websites

Tech giant Toshiba and mega-retailer Muji warned visitors that suspicious sign-in screens popping up on their websites could collect credentials.

Both Japanese companies advised users who entered their account login data in the authentication screens to change their passwords to access the service.

The login pop-ups were generated by the external service hosted at polyfill[.]io, which in 2024 introduced malicious code in scripts delivered by its CDN.

New ‘HTTP/2 Bomb’ DoS attack crashes web servers in under a minute

A new denial-of-service (DoS) attack dubbed HTTP/2 Bomb can be launched from a single machine to take down web servers within seconds.

The technique works on default HTTP/2 configurations of major web servers, including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.

Discovered by OpenAI’s Codex software agent under the guidance of researchers at offensive security firm Calif, HTTP/2 Bomb combines two previously known HTTP/2 DoS methods: the HPACK compression amplification and Slowloris-style resource retention via HTTP/2 flow-control stalling.

Acer working to patch max severity zero-days in Wave 7 routers

Acer confirmed that it’s working to address two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers.

According to a Friday security advisory, the two security flaws were reported by security researcher Gergo Pap and affect Wave 7 routers running firmware version T7c_GBL_1.01.000055 or earlier.

The first zero-day, a broken access control vulnerability tracked as CVE-2026–49200, can allow unauthenticated attackers to remotely access plaintext credentials stored in log archives.

Google adds Android protection against AI deepfake scam calls

Google is introducing a new Android security feature that will detect and flag phone calls in which scammers use artificial intelligence to impersonate a user’s personal contacts.

Called “fake call detection,” the feature is rolling out globally this month to Android 12 and later devices, starting with Pixel devices, and will be enabled by default.

Once activated, it works automatically when both a caller and recipient are using Phone by Google: when a contact places a call, their device sends a silent, encrypted confirmation signal to the recipient’s device in real time.

Instagram users locked out after Meta AI abused to steal accounts

Multiple Instagram users had their accounts hijacked after attackers convinced Meta’s AI-powered support tools that they were the legitimate owners.

In many cases, impacted users are unable to recover access due to the platform’s use of automated assistance that involves only AI/chatbot loops and no human support agents.

On Monday, multiple holders of rare and high-value accounts reported suddenly losing access to their accounts, claiming that their identities had been verified via facial scans and that they had enabled safeguards such as two-factor authentication (2FA).

Critical Kirki flaw exploited to hijack WordPress admin accounts

Hackers are exploiting a critical privilege escalation vulnerability (CVE-2026–8206) in the Kirki plugin for WordPress to take over any user account, including those belonging to administrators.

The attacks were detected by WordPress security firm Defiant, whose Wordfence firewall blocked over 222 attempts against its customers in the past 24 hours.

The full name of the plugin is Kirki — Freeform Page Builder, Website Builder & Customizer. It is a freeform visual builder and advanced theme customizer active on more than 500,000 websites.

/* */