██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

WordPress Plugin Flaw Lets Hackers Hijack Any Account

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 21, 2026

Share

cybr.cx Daily Digest — May 21, 2026


Critical Vulnerabilities

CVE-2026-6456 | WordPress Account Switcher Plugin ≤ 1.0.2 | CVSS 8.8
A loose comparison operator (!= vs !==) in the rememberLogin REST API endpoint, combined with a missing non-empty check on the secret value, allows unauthenticated attackers to escalate privileges against any user who has never used the "Remember me" feature — which, statistically, is most users. Update or remove the plugin immediately; this is trivially exploitable.

CVE-2026-7467 | WordPress Read More & Accordion Plugin ≤ 3.5.7 | CVSS 8.8
The RadMoreAjax::importData function places no restriction on which database tables can be written to during an import operation, and performs insufficient validation on imported content. Any authenticated user granted import permissions can abuse this to escalate privileges. Audit who has access to import functionality and patch without delay.

CVE-2026-7522 | WordPress Advanced Database Cleaner – Premium ≤ 4.1.0 | CVSS 8.8
A Local File Inclusion vulnerability via the template parameter allows subscriber-level authenticated users to include and execute arbitrary PHP files on the server. This is a full RCE primitive for anyone with a low-privilege account on the site. Disable the plugin until a patched version is available.

CVE-2026-5200 | WordPress AcyMailing ≤ 10.8.2 | CVSS 8.8
Missing authorisation checks allow subscriber-level users to modify privileged settings within the plugin. Given AcyMailing's prevalence on marketing-heavy WordPress sites, the attack surface is substantial. Patch or restrict REST API access immediately.

CVE-2026-24425 | Twig Template Engine 2.16.x, 3.9.0–3.25.x | CVSS 8.8
A sandbox bypass in Twig's SourcePolicyInterface allows attackers with template rendering access to pass arbitrary PHP callables to sort, filter, map, and reduce filters, defeating sandbox restrictions and achieving arbitrary code execution. Any application that allows user-controlled Twig templates is directly exposed. Upgrade to a patched release and audit template input surfaces.

CVE-2026-43618 | Rsync ≤ 3.4.2 | CVSS 8.1
An integer overflow in the compressed-token decoder allows a malicious rsync sender to trigger an out-of-bounds read, potentially leaking process memory including sensitive credentials or keys. Environments using rsync for automated backups or mirroring — particularly those pulling from untrusted or semi-trusted sources — should treat this as urgent.

CVE-2026-45584 | Microsoft Defender | CVSS 8.1
A heap-based buffer overflow in Microsoft Defender can be triggered by an unauthenticated remote attacker to achieve code execution. The irony of a security product carrying a network-exploitable RCE will not be lost on practitioners. Ensure Defender definitions and platform components are fully updated; Microsoft typically delivers fixes via automatic updates, but verify.

CVE-2025-11954 | WISECP (Sitemio) through 20022026 | CVSS 8.0
A CSRF vulnerability in the WISECP billing and hosting management platform allows attackers to forge requests on behalf of authenticated users. The vendor did not respond to disclosure. If you're running WISECP, enforce CSRF token validation at the WAF layer and review exposure until a vendor patch materialises.


Headline News

GitHub Internal Data Breach
GitHub has disclosed that internal data was accessed without authorisation in a breach affecting its own systems. The scope and nature of the exposed data has not been fully detailed publicly, but any breach of a platform that sits at the centre of global software supply chains warrants serious attention — repository metadata, access tokens, internal credentials, or pipeline configurations could all represent high-value targets. Practitioners who use GitHub for CI/CD, secrets management, or internal tooling should audit their connected integrations, rotate any credentials that touch GitHub's API, and monitor for suspicious OAuth application activity. This is a reminder that even infrastructure providers with sophisticated security postures are targets, and trust in third-party platforms must always be bounded by independent controls.

America's Top Cyber-Defence Agency Exposed Secrets in a Public GitHub Repo
In a case of spectacular institutional irony, a public GitHub repository belonging to a leading US cyber-defence agency was found to contain plaintext passwords, API keys, and tokens — with filenames that made the sensitive content essentially self-advertising. The incident underscores a chronic and well-documented failure mode: security organisations are not immune to the same misconfigurations they warn others about, and secrets sprawl into source control repositories with alarming regularity. For practitioners, this reinforces the case for mandatory pre-commit secret scanning, automated repository auditing, and treating any credential that has ever touched a repository as permanently compromised regardless of whether it was "only there briefly." The exposure also raises legitimate questions about what downstream systems or partner integrations may have been accessible via the leaked credentials.

Microsoft Kills SMS Two-Factor Authentication
Microsoft is formally deprecating SMS-based two-factor authentication across its consumer and enterprise platforms, pushing users toward passkeys and verified email as replacements. SMS MFA has long been the security community's least favourite concession to usability — SIM-swapping, SS7 interception, and real-time phishing proxies have made it a progressively weaker control, and Microsoft's public acknowledgement that it has become "a leading source of fraud" is a notable inflection point from a vendor with hundreds of millions of accounts. For security teams, this is useful organisational ammunition: if you're still fighting internal battles to deprecate SMS MFA in your own environments, Microsoft's move provides a credible reference point. The migration path to passkeys has matured considerably, and resistance to the transition is increasingly difficult to justify on technical grounds.


Schrödinger's Feed

The quantum hardware story of the moment is the milestone of achieving single-photon quantum control over a molecular qubit — a development that pushes quantum coherence into territory where individual photons serve as the control mechanism, with implications for both computing fidelity and quantum communication. Molecular qubits are attractive because they can be chemically engineered with precision, potentially enabling large-scale qubit arrays that are more manufacturable than some competing architectures. From a cryptographic standpoint, advances in qubit control fidelity and scalability directly tighten the timeline for quantum systems capable of running Shor's algorithm at scale against real-world key sizes. Practitioners who haven't begun auditing their cryptographic estate for post-quantum readiness should note that hardware is no longer the distant bottleneck it once appeared to be.


/dev/random

An OpenAI model has formally disproved a longstanding conjecture in discrete geometry — a branch of mathematics concerned with combinatorial properties of geometric objects — a domain where human mathematicians have been quietly stuck for years. The model didn't just find a counterexample by brute force; by most accounts it reasoned through the problem in a way that's left researchers genuinely surprised. It's philosophically unsettling in the best possible way: mathematics was supposed to be the last redoubt of pure human reasoning, and here we are. At minimum, it's a useful reminder that "AI can't do real creative work" is a claim with an increasingly short shelf life.