This weekly digest highlights the highest-priority web security events from Oct 3–10, 2025: a mass extortion campaign abusing Oracle E-Business Suite, a critical Redis RCE, and active WordPress theme compromises that use stealth delivery techniques. Read on for plain-language explanations, key indicators, and a prioritized action plan your team can run in the next 24–72 hours.
Read More
We asked several leading AI models what 2026 will bring — from geopolitics and energy to AI and everyday life. Their answers converged on a few clear themes (slower-but-stable growth, faster renewable rollout, tighter AI regulation) and diverged where uncertainty is highest (geopolitical shocks, tech breakthroughs). In this post I compare what the models said, highlight the most credible signals, and outline practical takeaways for readers and decision-makers.
Read More
A critical authentication-bypass vulnerability in the Service Finder “Bookings” plugin/theme (affecting versions up to 6.0) allows unauthenticated attackers to take over accounts — including administrator accounts — on vulnerable WordPress sites. Multiple security researchers and vendors have confirmed active exploitation in the wild. If your site uses the Service Finder theme or bundled Bookings plugin, update to the fixed release immediately (or remove the plugin) and follow the emergency checklist below.
Read More
This article synthesizes current reporting and vendor analysis, explains how these attacks work, gives hard numbers and sources for the load-bearing facts, and provides a practical, prioritized mitigation playbook for ops, security, and web teams.
Read More
Recent high-profile retail security incidents — affecting household names in the UK retail sector — reveal the same recurring root causes: fragile third-party integrations, slow patching and dependency management, excessive access rights, unpracticed incident response, and inconsistent customer communications. These failures are not unique to retail: they show how modern web apps and services can be compromised when processes and defensive hygiene lag behind scale. The practical steps below convert those lessons into a prioritized action plan you can implement this week.
Read More
DeepMind announced CodeMender — an AI-driven system that detects software vulnerabilities and proposes verified fixes. It combines large language models with classical program analysis (fuzzing, static analysis) and a validation pipeline that runs tests and generates candidate patches. DeepMind says CodeMender upstreamed 72 fixes in early trials — a concrete sign the approach can scale.
Read More
CodeMender is a new generation of automated code-repair systems that use advanced language models together with traditional program analysis tools to find, propose, and validate security fixes at scale. For web applications, the approach can dramatically shorten the gap between discovery and remediation for many classes of vulnerabilities — but only when paired with strong validation, clear governance, and human review. This article explains what such an agentic patching system does, how it works, where it helps most in web security, how to pilot it safely, and the practical controls you must put in place.
Read More
In 2025 several high-impact vulnerabilities affecting Adobe Commerce and Magento Open Source were publicly disclosed and patched. The most critical is the so-called SessionReaper (CVE-2025-54236) — an improper input validation flaw in the Web API that can lead to session takeover and, in specific conditions, unauthenticated remote code execution. Adobe released an out-of-band hotfix and urged immediate application. Other important 2025 CVEs include a set of access-control and authorization bugs (several CVE entries), and multiple XSS/authorization issues fixed across release updates. Apply vendor patches immediately and follow the detection checklist below.
In 2025 the WordPress ecosystem continued to produce a large number of security disclosures, with third-party plugins and themes remaining the dominant source of high-impact vulnerabilities. Attackers quickly weaponized several unauthenticated remote code execution, arbitrary file upload and broken-access-control flaws, and exploit campaigns often began within days of disclosure. Industry mitigations such as virtual patching (WAF rules) and vendor “rapid mitigate” systems played a major role in reducing live exploitation while site owners applied official patches. If you manage WordPress sites, the priority remains the same: maintain an accurate inventory; patch high-risk components immediately; remove unused extensions; and combine short-term virtual patches with longer-term hardening and monitoring.
Web attacks remain the most common initial vector in modern incidents. Classic signature and rule-based defenses are necessary, but insufficient: they miss novel patterns, produce high noise, and struggle with complex, multi-step attacks. Neural networks — from autoencoders to graph neural networks and Transformers — bring a contextual, pattern-oriented layer that detects subtle anomalies across time, entities and relationships. When deployed thoughtfully (hybridized with rules, instrumented for explainability, and operated with retraining and feedback loops), NN-driven systems can significantly reduce mean time to detect (MTTD), lower analyst load, and cut false positives.