Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Administrative Rights. Show all posts
WordPress
ACF Administrative Rights Plugin Flaw Vulnerabilities and Exploits WordPress

ACF Plugin Flaw Exposes 50,000 WordPress Sites to Admin Takeover

 

A critical vulnerability in the Advanced Custom Fields: Extended (ACF Extended) WordPress plugin has exposed around 50,000 sites to potential hacker takeovers. Tracked as CVE-2025-14533, this flaw affects versions up to 0.9.2.1 and allows unauthenticated attackers to gain administrator privileges through flawed user creation forms. Discovered by researcher Andrea Bocchetti and reported via Wordfence on December 10, 2025, the issue was swiftly patched in version 0.9.2.2 just four days later. Despite the quick fix, download stats show many sites remain unpatched, leaving them vulnerable to remote exploitation.

The vulnerability originates in the plugin's 'Insert User / Update User' form action, where role restrictions are not properly enforced. Attackers can exploit this by submitting crafted requests that assign the 'administrator' role, bypassing any configured limitations in field settings.This privilege escalation requires sites to use forms with a 'role' field mapped to custom fields, a common setup for user registration features. Once successful, hackers achieve full site control, enabling data theft, malware injection, or backdoor installation without needing prior access.

ACF Extended, active on over 100,000 WordPress installations, builds on the popular Advanced Custom Fields plugin to offer developers advanced customization tools. Its widespread use amplifies the risk, as roughly half of users have yet to update since the patch release in mid-December 2025. WordPress sites relying on these plugins for dynamic content often overlook such configurations, inadvertently creating attack vectors.

This privilege escalation bug allows attackers to arbitrarily assign the 'administrator' role during user registration or updates, bypassing any configured limitations in field settings. Exploitation requires sites using ACF Extended forms with a 'role' field mapped to custom fields, a common setup for advanced user management in custom themes and plugins. Once exploited, hackers gain full control, enabling them to install malicious code, steal data, or pivot to server-level compromises without needing credentials.

Threat intelligence from GreyNoise reveals aggressive reconnaissance scanning 706 WordPress plugins, including ACF Extended, by nearly 1,000 IPs across 145 ASNs from late October 2025 to mid-January 2026. While no confirmed exploits of CVE-2025-14533 have surfaced, patterns mirror attacks on vulnerabilities like those in Post SMTP and LiteSpeed Cache, signaling imminent danger.This enumeration boom underscores how attackers probe for unpatched flaws before launching mass campaigns.

Site owners must urgently update to ACF Extended 0.9.2.2 or later via the WordPress dashboard and audit forms for role mappings.Additional steps include disabling public registration, reviewing user accounts for anomalies, and deploying firewalls like Wordfence for real-time blocking. In WordPress's vast ecosystem, proactive patching remains the frontline defense against such admin takeovers, preventing potential site-wide devastation.
Read more »
Web Servers
Administrative Rights ALPACA Cyber Attacks Hacking Techniques TLS Certificates Web Servers

NSA: Risks Linked with Wildcard TLS Certificates and ALPACA Techniques

 

The National Security Agency issued a technical alert cautioning businesses against using wildcard TLS certificates and the new ALPACA TLS attack. 

The NSA advised companies to follow the technical recommendations in its alert and safeguard servers against situations in which attackers may obtain access and decrypt encrypted online traffic. 

While several instances and techniques might aid attackers in decrypting TLS-encrypted data, the NSA clearly specified the usage of wildcard TLS certificates, which many researchers have also warned against in the past.

A wildcard certificate is a digital TLS certificate obtained by a company from a certificate authority that allows the owner to apply it to a domain and all of its subdomains simultaneously (*.example.com). Companies have used wildcard certificates for years because they are less expensive and easier to administer, so administrators apply the same certificate to all servers instead of having to manage several certificates. 

The NSA stated, “A malicious cyber actor who gains control of the private key associated with a wildcard certificate will provide them the ability to impersonate any of the sites represented, and gain access to valid user credentials and protected information.” 

The agency is now advising administrators of both public and private networks to evaluate the necessity for a wildcard certificate inside their networks and prepare to install individual certificates to isolate and restrict potential breaches. 

About ALPACA attack 

Furthermore, the NSA's alert cautions of the new Application Layer Protocol Content Confusion Attack (ALPACA), which was revealed earlier this summer and is similarly vulnerable due to the usage of wildcard certificates. 

The problem was not taken seriously when it was revealed in June because carrying out an ALPACA attack needed threat actors to be able to intercept web traffic, which is challenging in some circumstances. 

However, the research team that identified the assault stated that over 119,000 web servers were exposed to ALPACA attacks, which is a significant amount. Four months later, the NSA is encouraging companies to take the matter seriously, determine whether their servers are susceptible, and reduce the risk, particularly if the organizations deal with sensitive information or are connected to the US government network. 

On October 7, the NSA stated, “NSA recommends NSS, DoD, and DIB administrators ensure their organization’s wildcard certificate usage does not create unmitigated risks, making their web servers vulnerable to ALPACA techniques.”
Read more »
Vulnerabilities and Exploits
Administrative Rights Critical Flaw Driver issue Gaming PCs Security Issues Software update Vulnerabilities and Exploits

Millions of HP OMEN Gaming PCs Impacted by Driver Vulnerability

 

On Tuesday, security experts revealed data about a high-severity weakness in the HP OMEN driver software, which affects millions of gaming laptops worldwide and leaves them vulnerable to various cyberattacks. 

The vulnerability is tracked as CVE-2021-3437 with a CVSS score: 7.8. Threat actors may escalate privileges to kernel mode without having administrator rights, enabling them to deactivate security products, overwrite system components, and even damage the operating system. 

The complete list of vulnerable devices includes HP ENVY, HP Pavilion, OMEN desktop gaming systems, and OMEN and HP Pavilion gaming laptops. 

SentinelOne, a cybersecurity firm that identified and communicated the flaw to HP on February 17, claimed it discovered no trace of in-the-wild exploitation. Customers have subsequently received a security update from the company to address the flaw. 

The problems are caused by OMEN Command Center, a pre-installed component on HP OMEN laptops and desktops and can also be downloaded from the Microsoft Store. The program is meant to assist smooth network activity, overclock the gaming PC for quicker computer performance, and monitor the GPU, CPU, and RAM through a vitals dashboard. 

Souce of flaw

According to research shared with The Hacker News by SentinelOne, "The problem is that HP OMEN Command Center includes a driver that, while ostensibly developed by HP, is actually a partial copy of another driver full of known vulnerabilities." 

"In the right circumstances, an attacker with access to an organization's network may also gain access to execute code on unpatched systems and use these vulnerabilities to gain local elevation of privileges. Attackers can then leverage other techniques to pivot to the broader network, like lateral movement." 

HpPortIox64.sys is the driver in issue, and it gets its functionality from OpenLibSys-developed-WinRing0.sys, which was the origin of a local privilege escalation flaw in EVGA Precision X1 software last year (CVE-2020-14979, CVSS score: 7.8). 

In August 2020, researchers from SpecterOps highlighted, "WinRing0 allows users to read and write to arbitrary physical memory, read and modify the model-specific registers (MSRs), and read/write to IO ports on the host. These features are intended by the driver's developers. However, because a low-privileged user can make these requests, they present an opportunity for local privilege escalation." 

This is the second time WinRing0.sys has been identified as a source of security vulnerabilities in HP products. 

In October 2019, SafeBreach Labs discovered a critical vulnerability in HP Touchpoint Analytics software (CVE-2019-6333), which is included with the driver, possibly enabling malicious actors to read arbitrary kernel memory and effectively allowlist malicious payloads via a signature validation bypass. 

The discovery is the third in a series of security flaws affecting software drivers that SentinelOne has discovered since the beginning of the year. 

Earlier this year, they found a 12-year-old privilege escalation problem in Microsoft Defender Antivirus (previously Windows Defender) that hackers could exploit to acquire admin access on unpatched Windows computers.

And last month, SentinelOne reported on a 16-year-old security flaw discovered in an HP, Xerox, and Samsung printer driver that allows attackers to obtain administrative access to computers running the vulnerable software.
Read more »
Subscribe to: Comments (Atom)