he foundation of the online travel industry is facing a severe test. Security researchers have uncovered a cluster of critical vulnerabilities in the widely-used WP Travel Engine plugin, creating a clear and present danger for over 20,000 websites.
Read More
Security teams recently uncovered a coordinated campaign that used hundreds of small npm packages and the unpkg CDN as a free hosting layer for credential-phishing redirects. The operation published dozens of randomized “redirect-xxxxxx” packages and generated tailored HTML files that, when opened by a victim, immediately forwarded them to credential-collection pages with their email pre-filled. According to Socket’s investigation and earlier work by Safety, the set totals roughly 175 malicious npm packages with around 26,000 recorded downloads and infrastructure targeting 135+ organizations.
Read More
This weekly digest highlights the highest-priority web security events from Oct 3–10, 2025: a mass extortion campaign abusing Oracle E-Business Suite, a critical Redis RCE, and active WordPress theme compromises that use stealth delivery techniques. Read on for plain-language explanations, key indicators, and a prioritized action plan your team can run in the next 24–72 hours.
Read More
We asked several leading AI models what 2026 will bring — from geopolitics and energy to AI and everyday life. Their answers converged on a few clear themes (slower-but-stable growth, faster renewable rollout, tighter AI regulation) and diverged where uncertainty is highest (geopolitical shocks, tech breakthroughs). In this post I compare what the models said, highlight the most credible signals, and outline practical takeaways for readers and decision-makers.
Read More
A critical authentication-bypass vulnerability in the Service Finder “Bookings” plugin/theme (affecting versions up to 6.0) allows unauthenticated attackers to take over accounts — including administrator accounts — on vulnerable WordPress sites. Multiple security researchers and vendors have confirmed active exploitation in the wild. If your site uses the Service Finder theme or bundled Bookings plugin, update to the fixed release immediately (or remove the plugin) and follow the emergency checklist below.
Read More
This article synthesizes current reporting and vendor analysis, explains how these attacks work, gives hard numbers and sources for the load-bearing facts, and provides a practical, prioritized mitigation playbook for ops, security, and web teams.
Read More
Recent high-profile retail security incidents — affecting household names in the UK retail sector — reveal the same recurring root causes: fragile third-party integrations, slow patching and dependency management, excessive access rights, unpracticed incident response, and inconsistent customer communications. These failures are not unique to retail: they show how modern web apps and services can be compromised when processes and defensive hygiene lag behind scale. The practical steps below convert those lessons into a prioritized action plan you can implement this week.
Read More
DeepMind announced CodeMender — an AI-driven system that detects software vulnerabilities and proposes verified fixes. It combines large language models with classical program analysis (fuzzing, static analysis) and a validation pipeline that runs tests and generates candidate patches. DeepMind says CodeMender upstreamed 72 fixes in early trials — a concrete sign the approach can scale.
Read More
CodeMender is a new generation of automated code-repair systems that use advanced language models together with traditional program analysis tools to find, propose, and validate security fixes at scale. For web applications, the approach can dramatically shorten the gap between discovery and remediation for many classes of vulnerabilities — but only when paired with strong validation, clear governance, and human review. This article explains what such an agentic patching system does, how it works, where it helps most in web security, how to pilot it safely, and the practical controls you must put in place.
Read More
In 2025 several high-impact vulnerabilities affecting Adobe Commerce and Magento Open Source were publicly disclosed and patched. The most critical is the so-called SessionReaper (CVE-2025-54236) — an improper input validation flaw in the Web API that can lead to session takeover and, in specific conditions, unauthenticated remote code execution. Adobe released an out-of-band hotfix and urged immediate application. Other important 2025 CVEs include a set of access-control and authorization bugs (several CVE entries), and multiple XSS/authorization issues fixed across release updates. Apply vendor patches immediately and follow the detection checklist below.