Avada Builder WordPress plugin flaws allow site credential theft
BleepingComputer 15 May 2026 SEV 7/10
vulnerability identity_threat
Bill Toulas, May 15, 2026, 11:56 AM

Two vulnerabilities in the Avada Builder plugin for WordPress, with an estimated one million active installations, allow hackers to read arbitrary files and extract sensitive information from the database. One of the flaws is tracked as CVE-2026-4782 and can be exploited in all versions of the plugin through 3.15.2 by an authenticated user with at least subscriber-level access to read the contents of any file on the server. The other security issue received the identifier CVE-2026-4798 and is an SQL injection that can be leveraged without authentication.
Microsoft warns of Exchange zero-day flaw exploited in attacks
BleepingComputer 15 May 2026 SEV 6/10
vulnerability iot_ot_security
Sergiu Gatlan, May 15, 2026, 05:40 AM

On Thursday, Microsoft shared mitigations for a high-severity Exchange Server vulnerability exploited in attacks that allow threat actors to execute arbitrary code via cross-site scripting (XSS) while targeting Outlook on the web users. Microsoft describes this security flaw (CVE-2026-42897) as a spoofing vulnerability affecting up-to-date Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) software. While patches aren't yet available to permanently fix the vulnerability, the company added that the Exchange Emergency Mitigation Service (EEMS) will provide automatic mitigation for Exchange Server 2016, 2019, and SE on-premises servers.