WordPress Plugin Flaw Lets Contributors Execute Remote Code
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 31, 2026
cybr.cx | Daily Digest — May 31, 2026
Critical Vulnerabilities
CVE-2026-7465 | WordPress Spectra Gutenberg Blocks Plugin | CVSS 8.8
Authenticated attackers with Contributor-level access or higher can achieve Remote Code Execution on WordPress sites running Spectra Gutenberg Blocks 2.19.25 and below. The attack requires embedding a two-block payload in post content — a low bar for any contributor account. If your WordPress environment allows untrusted users to create posts, patch or disable this plugin immediately.
CVE-2026-10119 / 10120 / 10121 / 10122 / 10123 | TRENDnet TEW-432BRP | CVSS 8.8
Five separate stack-based buffer overflows have been publicly disclosed across multiple goform handlers in the TRENDnet TEW-432BRP router (firmware 3.10B20), affecting functions handling MAC filters, firewall rules, URL filters, protocol filters, and domain filters. All are remotely exploitable, all have public exploits, and the vendor's response is effectively: the device reached EOL in 2009 — you're on your own. If this hardware is anywhere in your network (it shouldn't be), replace it now.
CVE-2026-10124 | Shibby Tomato up to 1.28 | CVSS 8.8
A stack-based buffer overflow in the rip_zebra_read_ipv4 function within Shibby Tomato's ripd daemon is remotely exploitable via the Zserv handler. A public exploit is already circulating. This project was superseded by FreshTomato years ago — if you're still running Shibby Tomato, treat it as fully compromised and migrate.
CVE-2018-25409 | SIM-PKH 2.4.1 | CVSS 8.8
A freshly documented (but ancient) arbitrary file upload vulnerability in SIM-PKH allows authenticated attackers to upload PHP files through the fupload parameter and execute them as web scripts via the aksi_pengurus.php endpoint. That a 2018-era bug is only now getting a CVE assignment suggests it may still be lurking in production deployments — check your exposure.
Headline News
Vim Arbitrary Code Execution via Python Omni-Completion
A medium-severity arbitrary code execution vulnerability has been disclosed in Vim, triggered through Python omni-completion — a feature many developers have enabled without a second thought. The flaw falls under improper control of code generation, meaning crafted content in a file being edited could execute attacker-controlled code when a user triggers completion. A CVE has been requested but not yet assigned. The risk is contextual but real: developers routinely open untrusted files, third-party repos, or copy-pasted snippets in Vim, making this a credible vector in software supply chain or social engineering scenarios. Patch availability is pending; in the meantime, disabling Python omni-completion (set omnifunc=) is a reasonable precaution.
Microsoft Threatens Researcher Over Zero-Day Disclosure
Microsoft is drawing sharp criticism from the security community after reportedly threatening a vulnerability researcher with a criminal investigation following a zero-day disclosure Microsoft characterised as "uncoordinated." The researcher, apparently frustrated with the company's response to a submitted bug, faced what is being described as an intimidation campaign rather than good-faith engagement. The incident cuts to a persistent tension in vulnerability research: vendors hold enormous leverage over researchers, and the threat of legal action — even when ultimately hollow — has a documented chilling effect on disclosure. For practitioners, this serves as a reminder that responsible disclosure programs are only as trustworthy as the vendor behind them, and that researchers operating without legal counsel or institutional backing remain exposed. The security community's reaction has been swift and largely unsympathetic toward Microsoft.
LLM Agents Benchmarked on Real-World CVE Patching
CVE-Bench, a new framework for testing large language model agents against real-world vulnerability patches, is gaining traction among both researchers and red teamers. The project evaluates whether LLMs can autonomously understand, reproduce, and patch CVE-class vulnerabilities — a capability with obvious dual-use implications. As AI-assisted exploitation becomes an increasingly credible threat model, tools like this help the defensive community understand the actual ceiling of automated attack capability. Practitioners building detection or patch-prioritisation pipelines should pay attention: the gap between "LLM can write exploit PoC" and "LLM can autonomously patch at scale" is narrowing, and the benchmarks are starting to prove it.
Schrödinger's Feed
Stanford researchers have stabilised a previously unobserved crystal phase at room temperature by stacking custom-designed silver nanoparticles — and the resulting material exhibits promising quantum properties without requiring extreme cooling. That last part is the headline: most quantum hardware today demands temperatures approaching absolute zero, making it expensive, fragile, and operationally impractical at scale. A material that sustains coherent quantum behaviour at room temperature would dramatically lower the barrier to practical quantum computing deployment. Practitioners invested in post-quantum cryptography timelines should note that hardware breakthroughs like this — if they hold up to replication — compress the window between "theoretical quantum threat" and "operational quantum adversary."
/dev/random
OpenRouter, the AI model aggregation platform that lets developers route requests across dozens of LLMs through a single API, has raised $113M in a Series B round. For those unfamiliar, it's essentially a load balancer for AI models — which is either elegant infrastructure or a single point of failure for everyone's AI-dependent applications, depending on your threat model. Security teams still auditing which LLM endpoints their developers are quietly calling should probably add "and which routers those calls pass through" to that checklist. One API key to route them all.