Archive snapshot

Thu, Apr 09 · 12:00 PM CDT

Archived briefing content rendered inside the ACSP site experience.

Back to archive

Archived briefing

Snapshot overview

Generated Thu, Apr 09 · 12:00 PM CDTWindow last 6 hours

Top line

Coverage now updates on a rolling 6-hour window, while NVD entries come from the live API using a last-24-hours modified window and are sorted by severity.

Fast take

News stays on the current 6-hour slice, videos now use the last 24 hours, and NVD uses the API instead of the traditional feed to better match the live site behavior.

Top stories

8

Worth skimming

0

Tracked videos

2

NVD vulnerabilities

25

Top stories

Thu, 09 Apr 2026 21:53:00 +0530

UAT-10362 Targets Taiwanese NGOs with LucidRook Malware in Spear-Phishing Campaigns

9.4/10 · Must read/watch

The Hacker Newsmalwareaipolicy

Summary
A previously undocumented threat cluster dubbed UAT-10362 has been attributed to spear-phishing campaigns targeting Taiwanese non-governmental organizations (NGOs) and suspected universities to deploy a new Lua-based malware called LucidRook. "LucidRook i

Open article ↗

Thu, 09 Apr 2026 16:45:00 +0530

Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025

9.4/10 · Must read/watch

The Hacker Newsvulnai

Summary
Threat actors have been exploiting a previously unknown zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December 2025. The finding, detailed by EXPMON's Haifei Li, has been described as a highly-sophistic

Open article ↗

Thu, Apr 09 · 12:00 PM CDT

Bitcoin Depot Reports $3.6m Crypto Theft After System Breach

9.0/10 · Must read/watch

Infosecurity Magazinegeneral

Summary
Collected from the Infosecurity Magazine news page during the latest run.

Open article ↗

Thu, 09 Apr 2026 12:26:50 +0000

Google API Keys in Android Apps Expose Gemini Endpoints to Unauthorized Access

8.9/10 · Worth your time

SecurityWeekaiidentity

Summary
Dozens of such keys can be extracted from apps’ decompiled code to gain access to all Gemini endpoints. The post Google API Keys in Android Apps Expose Gemini Endpoints to Unauthorized Access appeared first on SecurityWeek .

Open article ↗

Thu, Apr 09 · 12:00 PM CDT

Middle East Hack-for-Hire Operation Traced to South Asian Cyber Espionage Group

8.6/10 · Worth your time

Infosecurity Magazinegeneral

Summary
Collected from the Infosecurity Magazine news page during the latest run.

Open article ↗

Thu, 09 Apr 2026 17:01:00 +0530

The Hidden Security Risks of Shadow AI in Enterprises

8.6/10 · Worth your time

The Hacker Newsai

Summary
As AI tools become more accessible, employees are adopting them without formal approval from IT and security teams. While these tools may boost productivity, automate tasks, or fill gaps in existing workflows, they also operate outside the visibility

Open article ↗

Thu, 09 Apr 2026 13:43:07 +0000

Apple Intelligence AI Guardrails Bypassed in New Attack

8.6/10 · Worth your time

SecurityWeekai

Summary
RSAC researchers hacked Apple Intelligence using the Neural Exect method and Unicode manipulation. The post Apple Intelligence AI Guardrails Bypassed in New Attack appeared first on SecurityWeek .

Open article ↗

Thu, 09 Apr 2026 13:30:00 +0000

Can we Trust AI? No – But Eventually We Must

8.6/10 · Worth your time

SecurityWeekai

Summary
From hallucinations and bias to model collapse and adversarial abuse, today’s AI is built on probability rather than truth, yet enterprises are deploying it at speed without fully understanding the risks. The post Can we Trust AI? No – But Eventually We Must a

Open article ↗

Worth skimming

Nothing surfaced yet.

Videos worth watching

Thu, Apr 09 · 08:00 AM CDT

HUGE AI-powered Microsoft Account phishing campaign

8.8/10 · Worth your time

YouTube / John Hammondai

Why it matters
Recent creator upload with some page-level evidence. Better than raw feed discovery, but still not a full content review.

Worth watching?Maybe — good candidate if the title matches your interests, but confidence is still moderate.

Confidencelow

Open article ↗

Wed, Apr 08 · 12:43 PM CDT

robots take over the world or something i guess idk

7.6/10 · Worth your time

YouTube / John Hammondgeneral

Why it matters
Recent creator upload with some page-level evidence. Better than raw feed discovery, but still not a full content review.

Worth watching?Maybe — good candidate if the title matches your interests, but confidence is still moderate.

Confidencelow

Open article ↗

NVD vulnerabilities

Wed, Mar 23 · 08:15 PM CDT

CVE-2022-0888

9.8/10 · Must read/watch

NVDvuln

Summary
The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/includes/ajax/controllers/uploads.php file which can be bypassed making it possible for unauthenticated attackers to upload malicious files that can be used to

CVECVE-2022-0888

SeverityCRITICAL

TypeUPDATED

PublishedWed, Mar 23 · 08:15 PM CDT

ModifiedWed, Apr 08 · 07:17 PM CDT

Open article ↗

Tue, Apr 19 · 09:15 PM CDT

CVE-2022-0992

9.8/10 · Must read/watch

NVDvuln

Summary
The SiteGround Security plugin for WordPress is vulnerable to authentication bypass that allows unauthenticated users to log in as administrative users due to missing identity verification on initial 2FA set-up that allows unauthenticated and unauthorized users to configure 2FA for pending accounts. Upon successful con

CVECVE-2022-0992

SeverityCRITICAL

TypeUPDATED

PublishedTue, Apr 19 · 09:15 PM CDT

ModifiedWed, Apr 08 · 06:17 PM CDT

Open article ↗

Tue, May 10 · 08:15 PM CDT

CVE-2022-1453

9.8/10 · Must read/watch

NVDvuln

Summary
The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-util.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database in versions

CVECVE-2022-1453

SeverityCRITICAL

TypeUPDATED

PublishedTue, May 10 · 08:15 PM CDT

ModifiedWed, Apr 08 · 06:17 PM CDT

Open article ↗

Tue, May 10 · 08:15 PM CDT

CVE-2022-1505

9.8/10 · Must read/watch

NVDvuln

Summary
The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-api-endpoints.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the database in

CVECVE-2022-1505

SeverityCRITICAL

TypeUPDATED

PublishedTue, May 10 · 08:15 PM CDT

ModifiedWed, Apr 08 · 06:17 PM CDT

Open article ↗

Mon, Jun 13 · 02:15 PM CDT

CVE-2022-1768

9.8/10 · Must read/watch

NVDvuln

Summary
The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to insufficient escaping and parameterization on user supplied data passed to multiple SQL queries in the ~/rsvpmaker-email.php file. This makes it possible for unauthenticated attackers to steal sensitive information from the databas

CVECVE-2022-1768

SeverityCRITICAL

TypeUPDATED

PublishedMon, Jun 13 · 02:15 PM CDT

ModifiedWed, Apr 08 · 07:17 PM CDT

Open article ↗

Mon, Jul 18 · 05:15 PM CDT

CVE-2022-2437

9.8/10 · Must read/watch

NVDvuln

Summary
The Feed Them Social – for Twitter feed, Youtube and more plugin for WordPress is vulnerable to deserialization of untrusted input via the 'fts_url' parameter in versions up to, and including 2.9.8.5. This makes it possible for unauthenticated attackers to call files using a PHAR wrapper that will deserialize the data

CVECVE-2022-2437

SeverityCRITICAL

TypeUPDATED

PublishedMon, Jul 18 · 05:15 PM CDT

ModifiedWed, Apr 08 · 06:17 PM CDT

Open article ↗

Thu, Nov 10 · 04:15 PM CST

CVE-2022-45063

9.8/10 · Must read/watch

NVDvuln

Summary
xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed in the xterm default configurations of some Linux distributions.

CVECVE-2022-45063

SeverityCRITICAL

TypeUPDATED

PublishedThu, Nov 10 · 04:15 PM CST

ModifiedWed, Apr 08 · 07:17 PM CDT

Open article ↗

Fri, Oct 28 · 07:15 PM CDT

CVE-2022-3708

9.6/10 · Must read/watch

NVDvuln

Summary
The Web Stories plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including 1.24.0 due to insufficient validation of URLs supplied via the 'url' parameter found via the /v1/hotlink/proxy REST API Endpoint. This makes it possible for authenticated users to make web requests to arbi

CVECVE-2022-3708

SeverityCRITICAL

TypeUPDATED

PublishedFri, Oct 28 · 07:15 PM CDT

ModifiedWed, Apr 08 · 06:17 PM CDT

Open article ↗

Mon, Jun 13 · 02:15 PM CDT

CVE-2022-1749

8.8/10 · Worth your time

NVDvuln

Summary
The WPMK Ajax Finder WordPress plugin is vulnerable to Cross-Site Request Forgery via the createplugin_atf_admin_setting_page() function found in the ~/inc/config/create-plugin-config.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.1.

CVECVE-2022-1749

SeverityHIGH

TypeUPDATED

PublishedMon, Jun 13 · 02:15 PM CDT

ModifiedWed, Apr 08 · 05:16 PM CDT

Open article ↗

Mon, Jun 13 · 01:15 PM CDT

CVE-2022-1900

8.8/10 · Worth your time

NVDvuln

Summary
The Copify plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.0. This is due to missing nonce validation on the CopifySettings page. This makes it possible for unauthenticated attackers to update the plugins settings and inject malicious web scripts via a forged reque

CVECVE-2022-1900

SeverityHIGH

TypeUPDATED

PublishedMon, Jun 13 · 01:15 PM CDT

ModifiedWed, Apr 08 · 07:17 PM CDT

Open article ↗

Mon, Jul 18 · 05:15 PM CDT

CVE-2022-1912

8.8/10 · Worth your time

NVDvuln

Summary
The Button Widget Smartsoft plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing nonce validation on the smartsoftbutton_settings page. This makes it possible for unauthenticated attackers to update the plugins settings and inject malicious web

CVECVE-2022-1912

SeverityHIGH

TypeUPDATED

PublishedMon, Jul 18 · 05:15 PM CDT

ModifiedWed, Apr 08 · 06:17 PM CDT

Open article ↗

Mon, Jun 13 · 01:15 PM CDT

CVE-2022-1918

8.8/10 · Worth your time

NVDvuln

Summary
The ToolBar to Share plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0. This is due to missing nonce validation on the plugin_toolbar_comparte page. This makes it possible for unauthenticated attackers to update the plugins settings and inject malicious web scripts v

CVECVE-2022-1918

SeverityHIGH

TypeUPDATED

PublishedMon, Jun 13 · 01:15 PM CDT

ModifiedWed, Apr 08 · 07:17 PM CDT

Open article ↗

Mon, Jun 13 · 02:15 PM CDT

CVE-2022-1969

8.8/10 · Worth your time

NVDvuln

Summary
The Mobile browser color select plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the admin_update_data() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via for

CVECVE-2022-1969

SeverityHIGH

TypeUPDATED

PublishedMon, Jun 13 · 02:15 PM CDT

ModifiedWed, Apr 08 · 06:17 PM CDT

Open article ↗

Mon, Jul 18 · 05:15 PM CDT

CVE-2022-2001

8.8/10 · Worth your time

NVDvuln

Summary
The DX Share Selection plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.4. This is due to missing nonce protection on the dxss_admin_page() function found in the ~/dx-share-selection.php file. This makes it possible for unauthenticated attackers to inject malicious web

CVECVE-2022-2001

SeverityHIGH

TypeUPDATED

PublishedMon, Jul 18 · 05:15 PM CDT

ModifiedWed, Apr 08 · 06:17 PM CDT

Open article ↗

Mon, Jul 18 · 05:15 PM CDT

CVE-2022-2039

8.8/10 · Worth your time

NVDvuln

Summary
The Free Live Chat Support plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.0.11. This is due to missing nonce protection on the livesupporti_settings() function found in the ~/livesupporti.php file. This makes it possible for unauthenticated attackers to inject malici

CVECVE-2022-2039

SeverityHIGH

TypeUPDATED

PublishedMon, Jul 18 · 05:15 PM CDT

ModifiedWed, Apr 08 · 07:17 PM CDT

Open article ↗

Tue, Sep 06 · 06:15 PM CDT

CVE-2022-2233

8.8/10 · Worth your time

NVDvuln

Summary
The Banner Cycler plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.4. This is due to missing nonce protection on the pabc_admin_slides_postback() function found in the ~/admin/admin.php file. This makes it possible for unauthenticated attackers to inject malicious web

CVECVE-2022-2233

SeverityHIGH

TypeUPDATED

PublishedTue, Sep 06 · 06:15 PM CDT

ModifiedWed, Apr 08 · 06:17 PM CDT

Open article ↗

Tue, Sep 06 · 06:15 PM CDT

CVE-2022-2434

8.8/10 · Worth your time

NVDvuln

Summary
The String Locator plugin for WordPress is vulnerable to deserialization of untrusted input via the 'string-locator-path' parameter in versions up to, and including 2.5.0. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an

CVECVE-2022-2434

SeverityHIGH

TypeUPDATED

PublishedTue, Sep 06 · 06:15 PM CDT

ModifiedWed, Apr 08 · 05:16 PM CDT

Open article ↗

Mon, Jul 18 · 05:15 PM CDT

CVE-2022-2435

8.8/10 · Worth your time

NVDvuln

Summary
The AnyMind Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.1. This is due to missing nonce protection on the createDOMStructure() function found in the ~/anymind-widget-id.php file. This makes it possible for unauthenticated attackers to inject malicious web s

CVECVE-2022-2435

SeverityHIGH

TypeUPDATED

PublishedMon, Jul 18 · 05:15 PM CDT

ModifiedWed, Apr 08 · 05:16 PM CDT

Open article ↗

Tue, Sep 06 · 06:15 PM CDT

CVE-2022-2436

8.8/10 · Worth your time

NVDvuln

Summary
The Download Manager plugin for WordPress is vulnerable to deserialization of untrusted input via the 'file[package_dir]' parameter in versions up to, and including 3.2.49. This makes it possible for authenticated attackers with contributor privileges and above to call files using a PHAR wrapper that will deserialize t

CVECVE-2022-2436

SeverityHIGH

TypeUPDATED

PublishedTue, Sep 06 · 06:15 PM CDT

ModifiedWed, Apr 08 · 06:17 PM CDT

Open article ↗

Mon, Jul 18 · 05:15 PM CDT

CVE-2022-2443

8.8/10 · Worth your time

NVDvuln

Summary
The FreeMind WP Browser plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.2. This is due to missing nonce protection on the FreemindOptions() function found in the ~/freemind-wp-browser.php file. This makes it possible for unauthenticated attackers to inject malicious w

CVECVE-2022-2443

SeverityHIGH

TypeUPDATED

PublishedMon, Jul 18 · 05:15 PM CDT

ModifiedWed, Apr 08 · 07:17 PM CDT

Open article ↗

Mon, Jul 18 · 05:15 PM CDT

CVE-2022-2444

8.8/10 · Worth your time

NVDvuln

Summary
The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to deserialization of untrusted input via the 'remote_data' parameter in versions up to, and including 3.7.9. This makes it possible for authenticated attackers with contributor privileges and above to call files using a PHAR wra

CVECVE-2022-2444

SeverityHIGH

TypeUPDATED

PublishedMon, Jul 18 · 05:15 PM CDT

ModifiedWed, Apr 08 · 07:17 PM CDT

Open article ↗

Tue, Sep 06 · 06:15 PM CDT

CVE-2022-2518

8.8/10 · Worth your time

NVDvuln

Summary
The Stockists Manager for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2.1. This is due to missing nonce validation on the stockist_settings_main() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inj

CVECVE-2022-2518

SeverityHIGH

TypeUPDATED

PublishedTue, Sep 06 · 06:15 PM CDT

ModifiedWed, Apr 08 · 06:17 PM CDT

Open article ↗

Tue, Sep 06 · 06:15 PM CDT

CVE-2022-2540

8.8/10 · Worth your time

NVDvuln

Summary
The Link Optimizer Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 1.4.5. This is due to missing nonce validation on the admin_page function found in the ~/admin.php file. This makes it possible for unauthenticated attackers to modify the pl

CVECVE-2022-2540

SeverityHIGH

TypeUPDATED

PublishedTue, Sep 06 · 06:15 PM CDT

ModifiedWed, Apr 08 · 07:17 PM CDT

Open article ↗

Tue, Sep 06 · 06:15 PM CDT

CVE-2022-2541

8.8/10 · Worth your time

NVDvuln

Summary
The uContext for Amazon plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 3.9.1. This is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword_save.php file that is called via the doAjax() function. This makes it possible for unau

CVECVE-2022-2541

SeverityHIGH

TypeUPDATED

PublishedTue, Sep 06 · 06:15 PM CDT

ModifiedWed, Apr 08 · 05:16 PM CDT

Open article ↗

Tue, Sep 06 · 06:15 PM CDT

CVE-2022-2542

8.8/10 · Worth your time

NVDvuln

Summary
The uContext for Clickbank plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 3.9.1. This is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword_save.php file that is called via the doAjax() function. This makes it possible for u

CVECVE-2022-2542

SeverityHIGH

TypeUPDATED

PublishedTue, Sep 06 · 06:15 PM CDT

ModifiedWed, Apr 08 · 06:17 PM CDT

Open article ↗

Ignore today

Generic low-detail roundups without primary reporting.
HN items that are interesting but not clearly security or AI relevant.
Creator videos that look more like promotion, podcast chatter, or evergreen content than time-sensitive signal outside the rolling window.