A critical security flaw has been disclosed in the WPML WordPress multilingual plugin that could allow authenticated users to execute arbitrary code remotely under certain circumstances.

The vulnerability, tracked as CVE-2024-6386 (CVSS score: 9.9), impacts all versions of the plugin before 4.6.13, which was released on August 20, 2024.

Arising due to missing input validation and sanitization, the issue makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

WPML is a popular plugin used for building multilingual WordPress sites. It has over one million active installations.

In teaching materials it released last week, a module titled adolescents and intimate relationships for Secondary Year 3, suggested that teenagers who wanted to have sex with each other could "go out to play badminton together" instead.

The materials also include a form called "My Commitment" aimed at getting "young lovers" to attest that they would exercise "self-discipline, self-control, and resistance to pornography".

The new materials have raised eyebrows and attracted criticism for being "out of touch". But officials have defended the decision.

Meanwhile social media has been flooded with jokes centered around "playing badminton".

"FWB [Friends with benefits]?? Friends with badminton," read one comment on Instagram that had more than 1,000 likes.

"In English: Netflix and chill? In Cantonese, play badminton together?" read another Facebook post which was shared more than 500 times.

Even Olympics badminton player Tse Ying Suet could not resist from commenting.

"Everyone is making an appointment to play badminton. Is everyone really into badminton?" she asked on Threads with a smirky face emoji.

The Port of Seattle continues to deal with an ongoing cyberattack that began Saturday and was still affecting various operations through Sunday, including at Seattle-Tacoma International Airport.

The Port detected “unauthorized activity” on its systems Saturday morning in what it believes was a cyberattack, said Lance Lyttle, managing director of aviation for Sea-Tac Airport.

“We can’t yet say when this will be resolved,” Lyttle said at a media press conference Sunday.

I do some freelance on the side and it's getting kind of difficult to properly track my billable hours. Is there an invoice system that I can track them with, along with generating invoices?

Thanks!

Cybersecurity researchers have unpacked a new malware strain dubbed PG_MEM that's designed to mine cryptocurrency after brute-forcing their way into PostgreSQL database instances.

"Brute-force attacks on Postgres involve repeatedly attempting to guess the database credentials until access is gained, exploiting weak passwords," Aqua security researcher Assaf Morag said in a technical report.

"Once accessed, attackers can leverage the COPY ... FROM PROGRAM SQL command to execute arbitrary shell commands on the host, allowing them to perform malicious activities such as data theft or deploying malware."

The attack chain observed by the cloud security firm entails targeting misconfigured PostgreSQL databases to create an administrator role in Postgres and exploiting a feature called PROGRAM to run shell commands.

Cybersecurity researchers have disclosed a critical security flaw in the LiteSpeed Cache plugin for WordPress that could permit unauthenticated users to gain administrator privileges.

"The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain Administrator level access after which malicious plugins could be uploaded and installed," Patchstack's Rafie Muhammad said in a Wednesday report.

The vulnerability, tracked as CVE-2024-28000 (CVSS score: 9.8), has been patched in version 6.4 of the plugin released on August 13, 2024. It impacts all versions of the plugin, including and prior to 6.3.0.1.

LiteSpeed Cache is one of the most widely used caching plugins in WordPress with over five million active installations.

Back in 2013, Nvidia introduced a new technology called G-Sync to eliminate screen tearing and stuttering effects and reduce input lag when playing PC games. The company accomplished this by tying your display's refresh rate to the actual frame rate of the game you were playing, and similar variable refresh-rate (VRR) technology has become a mainstay even in budget monitors and TVs today.

The issue for Nvidia is that G-Sync isn't what has been driving most of that adoption. G-Sync has always required extra dedicated hardware inside of displays, increasing the costs for both users and monitor manufacturers. The VRR technology in most low-end to mid-range screens these days is usually some version of the royalty-free AMD FreeSync or the similar VESA Adaptive-Sync standard, both of which provide G-Sync's most important features without requiring extra hardware. Nvidia more or less acknowledged that the free-to-use, cheap-to-implement VRR technologies had won in 2019 when it announced its "G-Sync Compatible" certification tier for FreeSync monitors. The list of G-Sync Compatible screens now vastly outnumbers the list of G-Sync and G-Sync Ultimate screens.

A maximum-severity security flaw has been disclosed in the WordPress GiveWP donation and fundraising plugin that exposes more than 100,000 websites to remote code execution attacks.

The flaw, tracked as CVE-2024-5932 (CVSS score: 10.0), impacts all versions of the plugin prior to version 3.14.2, which was released on August 7, 2024. A security researcher, who goes by the online alias villu164, has been credited with discovering and reporting the issue.

The plugin is "vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter," Wordfence said in a report this week.