The period of June 20-21, 2026 revealed a concentrated threat landscape dominated by critical authentication bypass vulnerabilities in WordPress ecosystem plugins and payment processing systems, alongside persistent botnet activity targeting IoT infrastructure. Fourteen CVEs were published with four rated CRITICAL (9.8 CVSS), primarily affecting WordPress plugins and content management systems. These vulnerabilities enable unauthenticated remote code execution and administrative access takeover, representing immediate organizational risk.
Malware distribution activity centered on Mozi and Mirai botnet variants, with 50 malicious URLs identified distributing IoT-targeted payloads across compromised infrastructure in Asia-Pacific regions. ClearFake malware campaigns continued operations through typosquatted domains, while emerging Sliver C2 and ConnectWise abuse indicates adversary tooling diversification. The concentration of unauthenticated RCE vulnerabilities in widely deployed WordPress plugins, combined with active botnet infrastructure, creates conditions for rapid widespread exploitation.
Immediate action required: patch all WordPress installations and review authentication mechanisms in web-facing applications. Organizations using AVideo, WooCommerce, Flowise, or affected WordPress plugins should prioritize emergency patching. Network defenders should implement behavioral detection for botnet command-and-control patterns and monitor for exploitation attempts against newly disclosed CVEs.
Four CRITICAL-severity CVEs enable unauthenticated remote code execution and authentication bypass in widely deployed WordPress plugins and web applications
Flowise before 2.1.4 allows attackers to inject arbitrary configuration into Chainflow execution via the overrideConfig option. This feature is enabled by default with no allowlist, permitting unauthenticated remote code execution through both the frontend and backend Prediction API interfaces.
WooCommerce 7.1.0 contains an RCE vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the unsanitized product-type parameter in the class-wc-meta-box-product-images.php endpoint.
WordPress Ultimate Addons for Beaver Builder 1.2.4.1 allows unauthenticated attackers to gain administrative access by exploiting the social media login form functionality via crafted POST requests to admin-ajax.php carrying the uabb-lf-google-s parameter.
The Branda plugin for WordPress up to 3.4.29 fails to properly validate user identity before password updates, enabling unauthenticated attackers to change arbitrary user passwords and achieve account takeover with administrative privileges.
AVideo through 29.0 contains an authorization bypass in the Meet plugin's uploadRecordedVideo.json.php endpoint. Attackers with knowledge of the Meet shared secret can craft malicious file uploads with a manipulated users_id, which is derived from the filename without verification.
AVideo through version 26.0 exposes multiple unauthenticated list.json.php endpoints in payment plugins that lack authorization checks. Attackers can retrieve PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records, including customer agreements.
vLLM versions 0.10.2 to 0.13.0 are missing sparse tensor validation in multimodal embeddings processing. Attackers can submit crafted embedding requests with malformed tensor indices (negative or out-of-bounds) when PyTorch sparse tensor invariant checks are disabled, which is the default.
WordPress Time Capsule Plugin 1.21.16 allows unauthenticated attackers to gain administrative access via a crafted POST request carrying the IWP_JSON_PREFIX header, enabling acquisition of valid administrator session cookies and full site compromise.
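The two WordPress authentication-bypass items above (Ultimate Addons for Beaver Builder and Time Capsule) name request-level indicators that a defender can match in web-server or reverse-proxy logs. The following is an added example, not part of this report or of any vendor's code: it scans constructed JSON-lines access records (an assumed proxy format that includes request headers and parsed POST parameters, which ordinary access logs usually do not record) and flags the indicators exactly as the report states them.

```python
import json
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

ADMIN_AJAX_RE = re.compile(r"/wp-admin/admin-ajax\.php$", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    client: str
    rule: str


def check_event(ev: Dict, line_no: int) -> List[Finding]:
    """Apply the two advisory indicators to one parsed access-log event."""
    url = urlsplit(ev.get("uri", ""))
    # The parameter may arrive in the query string or in the (assumed logged) body.
    params = {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
    params |= {k.lower() for k in ev.get("body_params", {})}
    headers = {k.lower() for k in ev.get("headers", {})}
    method = ev.get("method", "").upper()
    client = ev.get("client", "unknown")
    out: List[Finding] = []
    # Ultimate Addons for Beaver Builder: POST to admin-ajax.php with uabb-lf-google-s.
    # The report describes POST requests; matching GET as well trades precision for recall.
    if method == "POST" and ADMIN_AJAX_RE.search(url.path) and "uabb-lf-google-s" in params:
        out.append(Finding(line_no, client, "uabb_social_login_bypass"))
    # Time Capsule: POST carrying the IWP_JSON_PREFIX header (any endpoint).
    if method == "POST" and "iwp_json_prefix" in headers:
        out.append(Finding(line_no, client, "time_capsule_admin_bypass"))
    return out


def scan_log(lines: List[str]) -> List[Finding]:
    """Scan JSON-lines records; malformed lines are skipped rather than aborting the scan."""
    findings: List[Finding] = []
    for n, raw in enumerate(lines, 1):
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict):
            findings.extend(check_event(ev, n))
    return findings


# Constructed sample records (not real traffic); values are placeholders.
SAMPLE_LOG = [
    '{"client":"198.51.100.7","method":"POST","uri":"/wp-admin/admin-ajax.php","body_params":{"uabb-lf-google-s":"constructed"},"headers":{"User-Agent":"curl/8.0"}}',
    '{"client":"203.0.113.9","method":"POST","uri":"/wp-admin/admin-ajax.php?action=heartbeat","headers":{"User-Agent":"Mozilla/5.0"}}',
    '{"client":"198.51.100.7","method":"POST","uri":"/","headers":{"IWP_JSON_PREFIX":"constructed","User-Agent":"curl/8.0"}}',
    'not a json record',
    '{"client":"192.0.2.4","method":"GET","uri":"/wp-admin/admin-ajax.php?uabb-lf-google-s=1","headers":{}}',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} -> {f.rule}")
```

Only lines 1 and 3 of the sample are flagged: the ordinary heartbeat POST and the GET request fall outside the report's stated indicators.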
Three HIGH-severity vulnerabilities in WordPress plugins enable unauthenticated arbitrary file deletion and modification, risking site defacement and data destruction
The Simple File List plugin for WordPress up to 6.3.7 is vulnerable to arbitrary file modification due to insufficient authorization checks. Unauthenticated attackers can delete and modify files on the server, enabling site compromise and data manipulation.
The Simple File List plugin for WordPress up to 6.3.7 also contains an arbitrary file deletion vulnerability in the eeSFL_DeleteFile function due to insufficient file path validation. Unauthenticated attackers can delete arbitrary files, including critical WordPress core files and backups.
The Database for Contact Form 7, WPforms, Elementor forms plugin up to 1.5.1 is vulnerable to arbitrary file deletion in the view_page function. Insufficient file path validation enables unauthenticated attackers to delete arbitrary files, potentially destroying databases and configuration files.
Capgo platform contains scope escalation, account takeover, and information disclosure vulnerabilities enabling privilege escalation and organization enumeration
Capgo before 12.128.2 allows app-limited API keys to mint unrestricted keys via the POST /functions/v1/apikey endpoint by setting empty limits. Attackers holding a compromised app-limited key can create unrestricted keys with org-wide access to all resources and administrative functions.
Capgo before 12.128.12 allows authenticated users to modify public.users.email to arbitrary addresses. The SSO provisioning endpoint trusts this field as the account-merge key, enabling attackers to pre-position an account with a victim's corporate SSO email and hijack the account during the victim's first SSO login.
Capgo before 12.128.2 exposes the Supabase PostgREST RPC endpoints is_trial_org and is_paying_org, allowing unauthenticated attackers holding only the public sb_publishable key to enumerate organizations and disclose their billing status, supporting targeted attacks and competitive intelligence gathering.
Persistent botnet activity targeting IoT devices with 50 malicious URLs distributing Mozi and Mirai variants across compromised Asian infrastructure
More than 35 malicious URLs distribute Mozi botnet payloads targeting MIPS and ARM architectures. Distribution nodes are concentrated in Asia-Pacific IP ranges (115.x.x.x, 182.x.x.x, 219.x.x.x, 125.x.x.x) serving ELF binaries via HTTP on high-numbered ports, which indicates compromised router and IoT device infrastructure.
Multiple Mirai variant payloads are distributed via URLs targeting ARM and MIPS architectures. Distribution includes multi-architecture payloads (x86, ppc, spc, arm6, mips) from 87.121.79.223, indicating a professional botnet operation. The payloads were identified by ua-wget user-agent patterns.
Seven ClearFake malware distribution URLs were identified using typosquatted domains (sigaribetkade.com, tahlilsazeha.xyz, tafsirnasiri.xyz, taktikbetkade.com, winenfejar.com, riyaziyattajrobi.xyz) with UUID-based tracking parameters. Distribution over HTTPS indicates SSL certificate abuse for malware delivery.
Emerging use of legitimate remote management tools and C2 frameworks for malicious operations
A Sliver C2 framework payload (test.exe) was distributed from 91.92.240.109. Sliver is an open-source, cross-platform adversary emulation and red team framework that threat actors increasingly adopt for post-exploitation and command-and-control operations.
Two URLs hosted on 91.92.242.6 distribute ConnectWise ScreenConnect client executables (support.client.exe, ScreenConnect.ClientSetup.exe). This legitimate remote management software is being weaponized for persistent access and lateral movement in compromised environments.