$ today-brief --date 2026-06-07
[VERDICT: ELEVATED]

A high-severity authentication bypass in a popular WordPress plugin and a rapidly spreading botnet targeting vulnerable routers demand immediate attention from administrators and home users alike. These threats, combined with active exploitation of industrial control systems, define today’s elevated risk landscape.

Critical WordPress Plugin Vulnerability Enables Account Takeover

The Tutor LMS Pro plugin for WordPress, used by thousands of educational sites, contains a critical authentication bypass tracked as CVE-2026-0953 (priority score 40/100). The flaw resides in the plugin's Social Login addon: during the OAuth login flow the addon binds the login to an email address supplied in the request, which does not have to match the identity the OAuth provider asserted, so an attacker who submits a mismatched email is logged in as whichever registered user owns that address, administrators included, with no password required. All versions up to and including 3.9.5 are affected. An administrator-level takeover amounts to complete site compromise, so organizations running the plugin must update immediately.
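The bug class above is a social-login account-binding mistake. The following is an added illustration written for this brief, not Tutor LMS Pro code: the vulnerable function selects the local account by a client-submitted email, while the hardened one ignores that field and binds on what the identity provider asserted (a previously linked provider subject, or a provider-verified email). The user table, the link table and the provider name "example-idp" are constructed sample data.

```python
"""Account-binding logic behind an OAuth social-login bypass: the vulnerable
pattern looks up the local account by an email the client submits; the
hardened pattern binds on the identity the provider actually asserted.
Added illustration, not Tutor LMS Pro code. USERS, LINKED and the provider
name "example-idp" are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for the site's registered accounts.
USERS: Dict[str, dict] = {
    "admin@example.com":   {"id": 1, "role": "administrator"},
    "student@example.com": {"id": 7, "role": "subscriber"},
}
# Constructed (provider, subject) -> account email links from earlier logins.
LINKED: Dict[Tuple[str, str], str] = {
    ("example-idp", "sub-1001"): "student@example.com",
}


@dataclass
class ProviderIdentity:
    """What the OAuth provider asserted after the code/token exchange."""
    provider: str
    subject: str          # provider-issued stable user id
    email: str            # email from the provider's userinfo response
    email_verified: bool  # whether the provider vouches for that address


def vulnerable_social_login(identity: ProviderIdentity,
                            submitted_email: str) -> Optional[dict]:
    """Vulnerable pattern: the account is selected by an email field the
    attacker controls. Any registered address, an administrator's included,
    logs the attacker in as that user; the OAuth identity is never consulted."""
    return USERS.get(submitted_email.strip().lower())


def hardened_social_login(identity: ProviderIdentity,
                          submitted_email: str) -> Optional[dict]:
    """Hardened pattern: the submitted email is ignored for account selection.
    A previously linked (provider, subject) pair wins; otherwise the account is
    chosen by the provider-asserted email, and only if the provider marks it
    verified. The link is then recorded so later logins bind on the subject."""
    del submitted_email  # client-controlled; must not influence the lookup
    key = (identity.provider, identity.subject)
    if key in LINKED:
        return USERS.get(LINKED[key])
    if not identity.email_verified:
        return None  # unverified address: never use it to pick an account
    provider_email = identity.email.strip().lower()
    account = USERS.get(provider_email)
    if account is not None:
        LINKED[key] = provider_email
    return account
```

With an attacker holding a legitimate provider identity for the student account but submitting the administrator's address, the vulnerable function returns the administrator record and the hardened one returns the student record. Binding on the provider subject rather than on email also survives a later change of email at the provider.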

C0XMO Botnet Weaponizes DD-WRT Flaw, Eliminates Competition

A new Gafgyt botnet variant, dubbed C0XMO, is actively exploiting a vulnerability in DD-WRT router firmware to conscript devices into its distributed denial-of-service (DDoS) infrastructure (priority score 33/100). Two traits stand out: it ships builds for multiple CPU architectures, and it is aggressively territorial, seeking out and terminating competing malware processes on each device it infects. Initial access comes through a flaw in the router's HTTP/UPnP service, typically on devices with remote administration exposed to the WAN or default credentials still in place. Once established, a compromised router both contributes to large-scale attacks and gives the operators a foothold inside the private network behind it.

Iranian APTs Actively Target Exposed Industrial Control Systems

Iranian-affiliated advanced persistent threat (APT) actors are conducting widespread exploitation campaigns against internet-exposed Programmable Logic Controllers (PLCs) across U.S. critical infrastructure (priority score 27/100), specifically Rockwell Automation/Allen-Bradley PLCs. The actors scan for devices reachable on port 44818, the EtherNet/IP encapsulation port, and exploit known vulnerabilities or weak configurations to gain control. This is a direct threat to operational technology (OT) environments, with consequences ranging from operational disruption to physical damage. The advisory stresses that many of these devices remain directly connected to the internet without adequate firewall protection; a PLC that answers an EtherNet/IP request from an arbitrary internet address is already misconfigured, whatever its firmware version.
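The scanning described above starts with EtherNet/IP encapsulation requests to port 44818, and the discovery step is usually a ListIdentity request. The following detector is an added example written for this brief, not code from the advisory, Rockwell or any vendor: it parses the 24-byte encapsulation header from constructed flow records, names the command, and raises an alert for any 44818 traffic whose source is outside an allowlist of engineering and SCADA hosts. The allowlist network, the PLC address, the scanner address 203.0.113.77 and the sample flows are constructed; the command codes follow the ODVA encapsulation specification.

```python
"""Flag EtherNet/IP (CIP) reconnaissance against PLCs on port 44818 from
non-allowlisted sources. Added example, not from the advisory or any vendor.
ALLOWLIST, the PLC address and SAMPLE_FLOWS are constructed sample data."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

ENIP_PORT = 44818  # EtherNet/IP encapsulation, used over both TCP and UDP

# Encapsulation command codes (ODVA EtherNet/IP specification, common subset).
ENIP_COMMANDS = {
    0x0000: "NOP",
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
}
RECON_COMMANDS = {"ListIdentity", "ListServices", "ListInterfaces"}

# Constructed allowlist: the engineering workstation / SCADA subnet.
ALLOWLIST = [ipaddress.ip_network("10.20.30.0/24")]


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


def parse_enip_header(payload: bytes) -> Optional[dict]:
    """Parse the 24-byte encapsulation header: command (2), length (2),
    session handle (4), status (4), sender context (8), options (4),
    all little-endian. Returns None for anything too short to be ENIP."""
    if len(payload) < 24:
        return None
    cmd, length, session, status, _ctx, _options = struct.unpack("<HHII8sI", payload[:24])
    return {
        "command": ENIP_COMMANDS.get(cmd, f"Unknown(0x{cmd:04x})"),
        "length": length,
        "session": session,
        "status": status,
    }


def is_allowlisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def classify(flow: Flow) -> Optional[str]:
    """Return an alert line for ENIP traffic from outside the allowlist,
    or None when the flow is not ENIP or the source is permitted."""
    if flow.dport != ENIP_PORT or is_allowlisted(flow.src):
        return None
    hdr = parse_enip_header(flow.payload)
    if hdr is None:
        return f"NOISE: {flow.src} -> {flow.dst}:{ENIP_PORT} short/non-ENIP payload from non-allowlisted source"
    severity = "RECON" if hdr["command"] in RECON_COMMANDS else "SESSION"
    return (f"{severity}: {flow.src} -> {flow.dst}:{ENIP_PORT} "
            f"{hdr['command']} (session=0x{hdr['session']:08x})")


def build_enip_request(command: int, session: int = 0, data: bytes = b"") -> bytes:
    """Build an encapsulation packet; used here only to construct sample traffic."""
    return struct.pack("<HHII8sI", command, len(data), session, 0, b"\x00" * 8, 0) + data


# Constructed flows: one legitimate session from the engineering subnet, then an
# internet scanner doing ListIdentity followed by RegisterSession, then TLS noise.
SAMPLE_FLOWS = [
    Flow("10.20.30.5", "10.20.40.10", ENIP_PORT, build_enip_request(0x0065, data=b"\x01\x00\x00\x00")),
    Flow("203.0.113.77", "10.20.40.10", ENIP_PORT, build_enip_request(0x0063)),
    Flow("203.0.113.77", "10.20.40.10", ENIP_PORT, build_enip_request(0x0065, data=b"\x01\x00\x00\x00")),
    Flow("203.0.113.77", "10.20.40.10", 443, b"\x16\x03\x01"),
]


def run(flows: List[Flow] = SAMPLE_FLOWS) -> List[str]:
    """Apply classify() to every flow and return the non-empty alerts."""
    return [alert for alert in (classify(f) for f in flows) if alert]


if __name__ == "__main__":
    for line in run():
        print(line)
```

A ListIdentity from an unknown source is the recon signature; a RegisterSession from the same source means the scanner has moved on to opening a CIP session, which is the point at which exploitation of a weak configuration begins. The same allowlist belongs in the firewall rule in front of the PLC, not only in the detector.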

Securing AI Agents and CI/CD Pipelines from Novel Attacks

The integration of AI agents into development workflows introduces new attack vectors. Research detailed a prompt injection pathway in the Claude Code GitHub Action that could expose workflow secrets, highlighting the risk in any agent that reads untrusted repository content while holding credentials. Meanwhile, the weekly Metasploit update added an exploit for a Gogs rebase RCE vulnerability, a classic argument injection: the user-controlled branch name is passed to git rebase as a bare argument, so naming a branch "--exec <command>" and requesting a rebase makes git parse the name as its --exec option and run the command. Both items carry a 25/100 priority score and underscore the need for rigorous security review of AI-powered automation tools and version control systems, including treating every value that reaches a command line as untrusted.
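The Gogs item is worth seeing in code because the defence is mechanical. The block below is an added example written for this brief, not Gogs code and not the Metasploit module: the vulnerable builder appends the branch name bare, so a name beginning with "--" is parsed by git as an option; the hardened builder rejects names that fail a subset of git's own check-ref-format rules and terminates option parsing with "--" so that a value can only ever be read as a ref. The functions only build argv lists (they do not invoke git), so the behaviour can be inspected offline; the rule subset is an approximation and the "--" handling assumes git's standard parse-options behaviour.

```python
"""Argument injection of the kind behind the Gogs rebase RCE: a user-controlled
branch name reaches `git rebase` as a positional argument, and a name such as
`--exec id` is parsed by git as an option. Added example, not Gogs code; the
validation regex is a subset of `git check-ref-format` rules."""
import re
from typing import List


def rebase_argv_vulnerable(base: str, branch: str) -> List[str]:
    """Vulnerable pattern: the user value is appended bare, so a leading '--'
    turns it into a git option and `--exec <command>` runs the command."""
    return ["git", "rebase", base, branch]


# Subset of check-ref-format: no leading '-', no '..', no ASCII control chars,
# space, ~ ^ : ? * [ or backslash, no '@{', no '//', no leading/trailing '/',
# no component starting with '.', no '.lock' suffix, no trailing '.', not '@'.
_BAD_REF = re.compile(
    r"^-|\.\.|[\x00-\x20\x7f~^:?*\[\\]|@\{|//|^/|/$|(^|/)\.|\.lock$|\.$|^@$"
)


def is_valid_branch_name(name: str) -> bool:
    """True only for names git itself would accept as a branch name."""
    return bool(name) and _BAD_REF.search(name) is None


def rebase_argv_hardened(base: str, branch: str) -> List[str]:
    """Two independent defences: reject names git would not accept (so the
    injection payload never gets stored as a ref), and terminate option parsing
    with '--' so that a slipped-through value is still only ever a ref."""
    for name in (base, branch):
        if not is_valid_branch_name(name):
            raise ValueError(f"invalid ref name: {name!r}")
    return ["git", "rebase", "--", base, branch]


if __name__ == "__main__":
    print(rebase_argv_vulnerable("main", "--exec id"))        # git sees --exec
    print(rebase_argv_hardened("main", "feature/login-fix"))  # ['git','rebase','--',...]
    try:
        rebase_argv_hardened("main", "--exec id")
    except ValueError as exc:
        print("rejected:", exc)
```

The same shape applies to any wrapper around git, ssh, curl or tar: validate the value against what the tool will accept, and put "--" between the options you control and the arguments you do not. Validation alone is insufficient if the ref can be created through another code path (the Gogs case), which is why the "--" separator is the non-negotiable half.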

Proactive Defense: Lock Down Endpoints and Validate Third-Party Code

The Silent Ransom Group continues targeting law firms via sophisticated social engineering, often opening with fake IT support calls. This human-centric threat complements the technical exploits and is a reminder that defense must be layered. Simultaneously, the discovery that free smart TV apps are being used as covert web-scraping proxies for AI data collection, via embedded SDKs from companies such as Bright Data, illustrates how consumer IoT devices can be repurposed for large-scale data operations without the owner's knowledge.

Organizations must immediately update the Tutor LMS Pro plugin to version 3.9.6 or disable its Social Login addon to close the authentication bypass. All DD-WRT users should apply the latest firmware patches, disable remote administration (WAN access), and change default credentials to prevent botnet infection. For OT security, immediately remove Rockwell Automation PLCs from direct internet access, place them behind firewalls with strict IP allowlists, and update to the latest firmware. Implementing these specific, actionable measures is crucial for mitigating today’s most pressing threats.