WordPress Plugin Flaw Enables Remote Code Execution via Eval Bypass
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 03, 2026
cybr.cx | Daily Digest — May 03, 2026
Critical Vulnerabilities
CVE-2026-2052 — Widget Options Plugin for WordPress (CVSS 8.8)
All versions up to 4.2.2 of the Widget Options plugin are vulnerable to Remote Code Execution via the Display Logic feature. The plugin passes user-supplied expressions directly into eval(), and the blocklist can be bypassed using array_map with string callbacks. Any authenticated user can execute arbitrary PHP code on the server. Patch immediately — RCE via a low-privilege account is about as bad as it gets on a shared hosting environment.
CVE-2026-6963 — WP Mail Gateway Plugin for WordPress (CVSS 8.8)
A missing capability check on the wmg_save_provider_config AJAX action lets any subscriber-level authenticated user overwrite SMTP settings. An attacker can redirect outbound mail — including password reset emails — to an address they control, enabling straightforward account takeover and privilege escalation. If you're running any version of this plugin up to 1.8, assume your mail routing is untrusted until patched.
CVE-2026-7641 — Import and Export Users and Customers Plugin for WordPress (CVSS 8.8)
Privilege escalation is possible in all versions through 2.0.8 due to an incomplete blocklist in save_extra_user_profile_fields(). The plugin correctly blocks capability meta keys for the primary site but ignores equivalent keys on subsites in a multisite network — allowing attackers to write arbitrary user capabilities on those subsites. Multisite WordPress deployments should treat this as urgent.
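The multisite gap described above comes from matching only the main site's meta key prefix. As an added illustration (not the plugin's own code; function names are hypothetical, the WordPress core APIs are real), this check treats capability-bearing user meta keys as protected for every site in the network before a profile-field handler writes anything:

```php
<?php
// Added example: refuse writes to capability/user-level meta on any site of a
// multisite network, not just the primary one. Hypothetical function names.
function myplugin_is_capability_meta_key( $key ) {
    global $wpdb;
    $suffixes = array( 'capabilities', 'user_level' );

    // Prefixes to check: the base prefix (e.g. "wp_") plus each subsite's
    // prefix (e.g. "wp_3_"). Single-site installs only have the base prefix.
    $prefixes = array( $wpdb->base_prefix );
    if ( is_multisite() ) {
        foreach ( get_sites( array( 'fields' => 'ids', 'number' => 0 ) ) as $blog_id ) {
            $prefixes[] = $wpdb->get_blog_prefix( $blog_id );
        }
    }
    foreach ( $prefixes as $prefix ) {
        foreach ( $suffixes as $suffix ) {
            if ( $key === $prefix . $suffix ) {
                return true;
            }
        }
    }
    return false;
}

// Profile-field save path: reject protected keys and require the caller to
// actually be allowed to edit this user, then sanitise before writing.
function myplugin_save_extra_profile_field( $user_id, $key, $value ) {
    if ( myplugin_is_capability_meta_key( $key ) || ! current_user_can( 'edit_user', $user_id ) ) {
        return false;
    }
    return (bool) update_user_meta( $user_id, sanitize_key( $key ), sanitize_text_field( $value ) );
}
```

An allowlist of the field names the plugin itself defines is stronger still than any blocklist; the prefix enumeration above is the minimum a blocklist needs to cover subsites.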
CVE-2026-7607 — TRENDnet TEW-821DAP Firmware (CVSS 8.8)
A remotely exploitable buffer overflow exists in the auto_update_firmware function of the TEW-821DAP access point running firmware 1.12B01. The vendor has confirmed no patch will be issued — this hardware was EOL'd eight years ago. If these devices are still sitting on your network, that's the real vulnerability. Replace them.
CVE-2026-7489 — Sunnet CTMS (CVSS 8.8)
Authenticated remote attackers can inject arbitrary SQL commands into Sunnet's Clinical Trial Management System, with full read, modify, and delete access to the underlying database. The authentication requirement raises the bar slightly, but in healthcare environments where credential sharing is common, this is a serious data integrity and confidentiality risk.
CVE-2026-7647 — Profile Builder Pro Plugin for WordPress (CVSS 8.1)
PHP Object Injection is possible in all versions through 3.14.5. The AJAX handler wppb_request_users_pins_action_callback() passes a user-controlled args POST parameter directly into maybe_unserialize() with no nonce verification, type checking, or input sanitisation. Exploitability depends on available gadget chains in the environment, but the complete absence of input validation makes this a priority patch.
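The two handler defects in CVE-2026-6963 (no capability check on an AJAX action) and CVE-2026-7647 (user input fed to maybe_unserialize() with no nonce or validation) share one remedy. As an added example that is not code from either plugin, here is a minimal admin-ajax handler pattern that verifies a nonce and a capability before touching settings, and takes client-supplied options as JSON against an allowlist instead of unserialising them. The action and option names are made up.

```php
<?php
// Added example: hardened admin-ajax handler. 'myplugin_save_config' and the
// 'myplugin_config' option key are hypothetical; the WordPress APIs are real.
add_action( 'wp_ajax_myplugin_save_config', 'myplugin_save_config' );

function myplugin_save_config() {
    // 1. Nonce: ties the request to a form this user was actually served.
    check_ajax_referer( 'myplugin_save_config', 'nonce' );

    // 2. Capability: being logged in is not authorisation. A subscriber must
    //    not be able to rewrite mail or provider settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Never unserialize() client data (PHP object injection). Accept JSON,
    //    decode to plain arrays only, and keep just the keys you expect.
    $raw  = isset( $_POST['args'] ) ? wp_unslash( $_POST['args'] ) : '';
    $args = json_decode( $raw, true );
    if ( ! is_array( $args ) ) {
        wp_send_json_error( array( 'message' => 'invalid args' ), 400 );
    }

    $clean = myplugin_filter_config( $args );
    update_option( 'myplugin_config', $clean );
    wp_send_json_success( $clean );
}

// Allowlist and type-check each setting; unknown keys are silently dropped.
function myplugin_filter_config( array $args ) {
    $clean = array();
    if ( isset( $args['host'] ) ) {
        $clean['host'] = sanitize_text_field( $args['host'] );
    }
    if ( isset( $args['port'] ) ) {
        $port          = (int) $args['port'];
        $clean['port'] = ( $port > 0 && $port < 65536 ) ? $port : 587;
    }
    if ( isset( $args['from'] ) && is_email( $args['from'] ) ) {
        $clean['from'] = sanitize_email( $args['from'] );
    }
    return $clean;
}
```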
Headline News
CopyFail (CVE-2026-31431): Linux Local Privilege Escalation Patched, Exposure Remains Wide
A local privilege escalation vulnerability dubbed CopyFail has been disclosed affecting Linux systems ranging from desktop PCs to data centre servers. The flaw allows an attacker with local access to escalate to root, and the technical write-up confirms that components like iwd and BlueZ — common in both workstations and embedded systems — are within the attack surface, while cryptsetup requires CAP_SYS_ADMIN as a precondition. Patches have been issued upstream, but the realistic patch lag across enterprise Linux fleets, cloud images, and the long tail of IoT and embedded Linux deployments means exposure will persist for months. Defenders should prioritise patching internet-accessible Linux systems and audit where unprivileged local access could be leveraged as a stepping stone.
ShinyHunters Claims NVIDIA GeForce NOW Breach
ShinyHunters — the threat group behind several high-profile data theft operations in recent years — has claimed responsibility for a breach of NVIDIA's GeForce NOW cloud gaming platform. The group alleges access to user data, though the full scope and authenticity of the claimed dataset have not yet been independently verified. GeForce NOW accounts are linked to broader NVIDIA ecosystems and can include payment information, linked platform credentials, and usage telemetry. If confirmed, this follows a pattern of ShinyHunters targeting large consumer platforms for credential harvesting at scale — the data typically surfaces on dark web markets within weeks. Users with GeForce NOW accounts should rotate passwords and check linked third-party credentials as a precaution.
Revisiting the NSA's Mass Surveillance Architecture
A longform retrospective on the NSA whistleblower who first surfaced details of the agency's bulk domestic surveillance infrastructure has resurfaced in security circles, prompting renewed discussion about the technical and legal architecture of mass data collection programs. The piece is a useful reminder that the fundamental tension between signals intelligence capability and civil liberties hasn't been resolved — it's been institutionalised. For practitioners, the relevance is immediate: the same network tap and metadata aggregation techniques described remain foundational to both state-level threat intelligence and the playbooks of sophisticated threat actors who have studied and replicated them. Understanding the architecture helps defenders reason about what visibility adversaries — state or otherwise — may already have on their traffic.
Schrödinger's Feed
Researchers at Argonne National Laboratory and the University of Notre Dame have published a systematic noise characterisation of a novel qubit platform built on single electrons trapped atop frozen neon — an inert noble gas that provides an unusually clean electromagnetic environment. The results, published in Nature Electronics, validate that electron-on-neon qubits exhibit significantly lower noise than many competing architectures; noise is one of the key remaining barriers to fault-tolerant quantum computation. Lower noise means less error-correction overhead, which translates directly into the computational depth needed to run algorithms like Shor's — the one that breaks RSA and ECC at scale. Practitioners invested in post-quantum migration timelines should watch qubit noise floor improvements closely: the threshold between "academically interesting" and "cryptographically relevant" is a noise and qubit-count problem, and the gap is narrowing.
/dev/random
NetHack 5.0.0 has been released — the first major version bump in the 37-year history of the game that invented the concept of "permadeath" and arguably the concept of "this is fine, I didn't need that character anyway." The changelog is substantial, though veterans will note that the game remains entirely capable of killing you in ways that feel both cosmically unfair and, on reflection, entirely your fault. It's worth noting that a significant portion of the security industry learned to read hex dumps, think adversarially, and develop an unhealthy relationship with RNG variance through exactly this game. Descend responsibly. The Amulet of Yendor awaits.