Open Source Security | Breaking Cybersecurity News | The Hacker News

A critical security flaw has been disclosed in the WPML WordPress multilingual plugin that could allow authenticated users to execute arbitrary code remotely under certain circumstances. The vulnerability, tracked as CVE-2024-6386 (CVSS score: 9.9), impacts all versions of the plugin before 4.6.13, which was released on August 20, 2024. Arising due to missing input validation and sanitization, the issue makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. WPML is a popular plugin used for building multilingual WordPress sites. It has over one million active installations. Security researcher stealthcopter, who discovered and reported CVE-2024-6386, said the problem lies in the plugin's handling of shortcodes that are used to insert post content such as audio, images, and videos. "Specifically, the plugin uses Twig templates for rendering content in shortcodes but fails to properly sanitize input, leadi

Traditional application security practices are not effective in the modern DevOps world. When security scans are run only at the end of the software delivery lifecycle (either right before or after a service is deployed), the ensuing process of compiling and fixing vulnerabilities creates massive overhead for developers. The overhead that degrades velocity and puts production deadlines at risk. Regulatory pressure to ensure the integrity of all software components is also ramping up dramatically. Applications are built with an increasing number of open source software (OSS) components and other 3rd party artifacts, each of which can introduce new vulnerabilities to the application. Attackers seek to exploit these components' vulnerabilities, which also puts the software's consumers at risk. Software represents the largest under-addressed attack surface that organizations face. Some interesting statistics to digest: More than 80% of software vulnerabilities are introduced through o

Want to know what's the latest and greatest in SecOps for 2024? Gartner's recently released Hype Cycle for Security Operations report takes important steps to organize and mature the domain of Continuous Threat Exposure Management, aka CTEM. Three categories within this domain are included in this year's report: Threat Exposure Management, Exposure Assessment Platforms (EAP), and Adversarial Exposure Validation (AEV). These category definitions are aimed at providing some structure to the evolving landscape of exposure management technologies. Pentera, listed as a sample vendor in the newly defined AEV category, is playing a pivotal role in increasing the adoption of CTEM, with a focus on security validation. Following is our take on the CTEM related product categories and what they mean for enterprise security leaders. The Industry is Maturing CTEM, coined by Gartner in 2022, presents a structural approach for continuously assessing, prioritizing, validating, and remediating expo

Last year, there were discussions about Google Code—a platform that lets developers host their projects—being exploited to distribute malware. Research by zScaler has identified yet another instance where this platform has been misused. According to the Google Code site: "Project Hosting on Google Code provides a free collaborative development environment for open source projects. Each project includes its own member controls, Subversion/Mercurial repository, issue tracker, wiki pages, and downloads section. Our hosting service is designed to be simple, fast, reliable, and scalable, enabling you to concentrate on your open source development." The concerning project contained over 50 executable files in its download section. These files, mainly executable and zipped ".rar" files, have been uploaded over the past month, indicating that an attacker is actively using this free service to disseminate malware. VirusTotal results for the first file revealed that only 8