Hubway: Web Design Byron Bay

05/11/2025

Be careful what you plug-in to the back end of your website. Keep software up to date. Make sure to have Wordfence security installed to prevent malicious code ex*****on. Upgrade to premium for daily updates and realtime hacker IP blocking.

100,000 WordPress Sites Affected by Privilege Escalation Vulnerability in AI Engine WordPress Plugin

https://www.wordfence.com/blog/2025/11/100000-wordpress-sites-affected-by-privilege-escalation-vulnerability-in-ai-engine-wordpress-plugin/

On October 4th, 2025, we received a submission for a Sensitive Information Exposure vulnerability in AI Engine, a WordPress plugin with more than 100,000 active installations.

This vulnerability can be exploited by unauthenticated attackers to extract the bearer token and then get full access to the MCP and execute various commands like ‘wp_update_user’, allowing them to escalate their privileges to administrators by updating their user role.

Please note that this vulnerability only critically affects users who have enabled the ‘No-Auth URL’ in the MCP settings, which is disabled by default.

Props to Emiliano Versini who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This vulnerability was disclosed to our program just one day after it was introduced.

This researcher earned a bounty of $2,145.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program.

We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to our multi-layered approach to security.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on October 15, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on November 14, 2025.

We provided full disclosure details to Jordy Meow instantly through our Wordfence Vulnerability Management Portal on October 14, 2025. The developer released the patch on October 19, 2025. We would like to commend Jordy Meow for their prompt response and timely patch.

We would like to draw attention to the fact that for those who have enabled this setting, the bearer token may have been exposed on their websites. This means that the only secure solution is to rotate the token, so we recommend performing this action immediately.

We urge users to update their sites with the latest patched version of AI Engine, version 3.1.4 at the time of this publication, and change the token in the settings page, as soon as possible.

03/11/2025

Update SMTP plugin, make sure you have Wordfence enabled, upgrade to premium.

https://www.facebook.com/100063616506927/posts/1462768182520385/?mibextid=rS40aB7S9Ucbxw6v

400,000 WordPress Sites Affected by Account Takeover Vulnerability in Post SMTP WordPress Plugin

https://www.wordfence.com/blog/2025/11/400000-wordpress-sites-affected-by-account-takeover-vulnerability-in-post-smtp-wordpress-plugin/

On October 11th, 2025, we received a submission for an Account Takeover via Email Log Disclosure vulnerability in Post SMTP, a WordPress plugin with more than 400,000 active installations.

This vulnerability makes it possible for an unauthenticated attacker to view email logs, including password reset emails, and change the password of any user, including an administrator, which allows them to take over the account and the website.

Our data indicates that attackers have already started targeting this vulnerability as early as November 1st, 2025, with over 4,500 attacks already blocked.

Props to netranger who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program.

This vulnerability was disclosed to our program just one day after it was introduced. This researcher earned a bounty of $7,800.00 for this discovery.

Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program.

We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to our multi-layered approach to security.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on October 15, 2025.

Sites using the free version of Wordfence will receive the same protection 30 days later on November 14, 2025.

We provided full disclosure details to the WP Experts team instantly through our Wordfence Vulnerability Management Portal on October 15, 2025.

The vendor released the patch on October 29, 2025. We would like to commend the WP Experts team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Post SMTP, version 3.6.1 at the time of this publication as soon as possible as active exploitation has already started and we expect the campaign to pick up soon.

29/10/2025

“make sure Wordfence is running and up to date”

The Wordfence Threat Intelligence Team recently discovered a sophisticated malware campaign targeting WordPress e-commerce sites, specifically those using the WooCommerce plugin. This malware exhibits advanced features including custom encryption methods, fake images used to conceal malicious payloa...

15/10/2025

Let me know if you need Slider Revolution plugin updated. Even the free version of WordFence protects from this exploit. I sell the Premium WordFence upgrade (discounted) for those who prefer more security.

01/09/2025

This page is back!
That was so weird. FB deactivated a bunch of pages without any notice that I'm aware of. The path to reactivate was very difficult to find. Help me keep this aspiration alive by reacting and comment.

01/09/2025

Vibe Coding with AI
This Thursday. Tickets limited
https://lu.ma/39xlkklg?tk=drGzWa

Byron Design Thinking and Create Art Studio team up for a night that dives deep into Vibe Coding. What it is, what’s possible, and what it means for designers,…

24/07/2025

I love the Simple Shopping Cart and it has gradually provided more useful features. Back in March it was the off line payment instruction option. Now they have introduced the variable product feature. For example you could add variables such as size, colour, version etc to a standard product and the variable price differences.

Let me know if you would like assistance with applying a Simple Shopping Cart on your WordPress website :)

The Simple Shopping Cart plugin has a very simple variation setup feature. You can use Variation Control to design products as shown in the following screenshot. Shortcode Parameter for Product Variation To apply variation control to your product, utilize the 'var1', 'var2', 'var3' parameters in the...

17/07/2025

I highly recommend Wordfence Security website firewall plugin. There is a free version with delayed updates and a premium version with daily updates. I can assist with setup with the premium upgrade at a significant discount.

📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢 🌞 Spring into Summer with Wordfence! Now through August 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5 million active installs. Bounties up to $31,20...

20/04/2025

At 7pm NSW time there was a server problem for websites served from US servers of ICDSoft. This occurred during a maintenance period. By 7:07pm the websites returned to normal operation. My apology to my web hosting clients who experienced website down time.

04/03/2025

Simple Shopping Cart for online web orders just added a new feature: offline manual checkout option.

Let me know if you would like assistance setting this up on your WordPress website. (Six of my clients are using this plugin.)

The Manual/Offline Checkout feature in the Simple Shopping Cart plugin allows customers to complete their purchases without making an online payment at checkout. Instead, they can place an order and manually arrange payment through offline methods such as bank transfers, cash on delivery, or other c...

21/11/2024

ICDSoft: Reliable web hosting with amazing support.
So good, I’ve been with the company since 2001.
I’ve tried others & transferred many websites over.
Nothing compares to ICDSoft; quality over quantity.

18/11/2024

Get Quality WordPress Web Hosting

Highly popular WordPress web hosting +50k users.
⭐️⭐️⭐️⭐️⭐️ 5 stars, 553 out of 558 reviewers!
Includes many of the top features others charge $$$.

November Special 20% off 1st yr & transfer.
That's 20% off already great value regular rates.

Contact Jason 0408369001