██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

WordPress Plugin Lets Subscribers Hijack Admin Accounts

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 29, 2026

Share

cybr.cx | Daily Digest — May 29, 2026


Critical Vulnerabilities

CVE-2026-7802 & CVE-2026-6226 — Frontend Admin by DynamiApps (WordPress) | CVSS 8.8
Two separate privilege escalation flaws affect the same plugin (versions ≤ 3.29.2), and together they're a nasty combination. CVE-2026-7802 lets any authenticated subscriber overwrite an administrator's password, email, or name fields — effectively hijacking admin accounts. CVE-2026-6226 is worse: it requires no authentication at all, allowing attackers to submit arbitrary form definitions via POST to bypass validation and escalate to admin. If you're running this plugin, patch or disable immediately — unauthenticated privilege escalation on a WordPress site is about as bad as it gets.

CVE-2026-9009 — Crawlomatic Multipage Scraper Post Generator (WordPress) | CVSS 8.8
Remote Code Execution via a shortcode attribute passed directly into call_user_func() with no sanitisation or allowlist. Any authenticated user (subscriber and above) can trigger arbitrary PHP execution on the server. The plugin's sole defence — an is_callable() check — is trivially bypassed. Update to 2.7.3 or later; if you can't, disable the plugin entirely until you can.

CVE-2026-9227 — GutenBee Gutenberg Blocks (WordPress) | CVSS 8.8
An arbitrary file upload vulnerability caused by a flawed strpos() check that accepts any filename containing .json rather than ending with it. Double-extension filenames (e.g., shell.php.json) sail straight through. Versions up to 2.20.1 are affected. Exploitable by authenticated users; patch to 2.20.2 or later.

CVE-2026-35671 & CVE-2026-35675 — phpMyFAQ < 4.1.3 | CVSS 8.8 / 8.2
A double-header for phpMyFAQ. CVE-2026-35671 allows any low-privilege admin to escalate to SuperAdmin by simply manipulating the userId parameter in the overwrite-password API — no authorisation verification occurs. CVE-2026-35675 is a full authentication bypass on the password reset endpoint: no token, no email confirmation needed, just a valid username. Together these mean an attacker who enumerates a username can own the entire FAQ platform. Upgrade to 4.1.3.

CVE-2026-49127 — Music Player Daemon (MPD) < 0.24.11 | CVSS 8.6
A stack buffer overflow in the PCM decoder's pcm_unpack_24be function allows unauthenticated attackers to corrupt stack memory via two MPD commands pointing at a malicious HTTP audio source. Off-by-one writes at scale (1,366 entries into a fixed buffer) mean this is likely exploitable for RCE. MPD installations exposed to untrusted networks should be prioritised for the 0.24.11 update.

CVE-2026-6455 — WP Contact Form 7 DB Handler (WordPress) | CVSS 8.1
A missing nonce verification in process_bulk_action() chains three vulnerabilities: CSRF leads to SQL injection leads to PHP object injection, ultimately allowing arbitrary file deletion. The nonce check only fires if _wpnonce is present — omit it and the gate disappears entirely. Versions ≤ 3.0 are affected; no patch was available at time of writing, so consider deactivation.


Headline News

OT Threat Actors Move from Reconnaissance to Hands-on Disruption
Operational technology security researchers are sounding a more urgent alarm: adversaries targeting industrial control systems, SCADA, and OT environments have shifted their operational posture from passive reconnaissance toward active, hands-on-keyboard control of physical systems. The implication is that threat actors who previously mapped OT environments for future leverage are now executing — or preparing to execute — actions with real-world physical consequences, including manipulation of industrial processes. For defenders, this collapses the time between initial access and impact, undermining the assumption that OT intrusions announce themselves slowly. Security teams managing critical infrastructure should treat any OT anomaly as a potential active intrusion rather than a scanning artefact — the window for observation before intervention is narrowing.

Carnival Corporation Discloses April 2026 Data Breach
Carnival Corporation, the world's largest cruise operator, has begun sending breach notification letters to individuals affected by a cybersecurity incident that occurred in April 2026. The disclosure confirms that personal data was compromised, though the company has not publicly specified the scope or nature of the data involved. With Carnival's fleet spanning multiple major brands and loyalty programmes, the potential victim pool is broad — past incidents at the company have involved employee and passenger PII, payment data, and health records. Practitioners should note the roughly four-to-six week gap between incident and notification; affected individuals are likely already in active phishing targeting windows, making downstream credential-stuffing and social engineering campaigns the immediate practical concern.

Supply Chain Attacker's npm Campaign Unravels After Self-Inflicted Token Leak
A threat actor attempting to compromise Claude AI users via a malicious npm package managed to expose their own GitHub private access token in the process — an operational security failure that both burned their infrastructure and provided investigators a clear attribution thread to pull. The attacker apparently relied on AI-assisted "slop" to generate the malicious package code, a pattern that's becoming a recurring footnote in supply chain incidents as low-skill actors lean on LLMs to accelerate development. The incident is a useful reminder that the npm ecosystem remains a soft target and that attacker tradecraft quality is inconsistent — but also that even clumsy supply chain attempts can reach production environments before detection. Blue teams should audit npm dependencies for recently published or updated packages with minimal provenance history, particularly those touching authentication or API credential flows.


Schrödinger's Feed

Lastwall has closed a $16 million Series A extension to expand quantum-resilient identity and authentication infrastructure, backed specifically by a Canadian defence-focused investment fund — a signal that government procurement bodies are beginning to treat post-quantum cryptography migration as a funded defence priority rather than a future roadmap item. The investment targets identity-first architectures built to survive cryptographically-relevant quantum computers, which remains the practical threat model driving PQC adoption: not "quantum computers exist today" but "adversaries are harvesting encrypted traffic now for decryption later." What makes this worth watching is the defence-sector framing — when national security procurement starts writing cheques specifically for PQC resilience, the technology's urgency calculus changes for enterprise security teams too. If you haven't mapped your organisation's long-lived credentials and encrypted data stores against post-quantum exposure, that gap is becoming harder to explain to leadership.


/dev/random

Someone built a 60-second browser game about AI agent permission fatigue — the entire mechanic is a relentless loop of confirmation dialogs asking whether you want to allow an AI agent to do something increasingly mundane or increasingly alarming, with no clear way to distinguish which is which. It's a more effective UX critique than most conference talks on the subject. The uncomfortable joke is that after about 15 seconds, most players reportedly start mashing "Y" on autopilot — which is, of course, the point. It has the energy of a fire drill designed by someone who wants you to actually feel the building burning.