Table of Contents
July 18, 2026 | Read Online
Critical WordPress vulnerability exposed, EY data breach, and OpenSSL DoS flaw…
Executive Summary
The past day has seen significant cybersecurity developments, with multiple vulnerabilities disclosed across various platforms. A critical remote code execution (RCE) flaw in WordPress Core, dubbed “wp2shell,” has been publicly exploited, affecting an estimated 500 million websites. Meanwhile, Ernst & Young LLP (EY) has confirmed a data breach involving the unauthorized access of client tax documents through a third-party IT support platform. Additionally, a Denial of Service (DoS) vulnerability in OpenSSL has been disclosed, allowing remote attackers to exhaust server memory with an 11-byte payload.
Top Articles
Critical WordPress Core Flaw Exposed: wp2shell RCE Vulnerability A critical pre-authentication remote code execution (RCE) vulnerability in WordPress Core, dubbed “wp2shell,” affects stock WordPress installations with zero plugins installed. The flaw requires no authentication and can be exploited by an anonymous attacker. Public exploits have been released, making it imperative that administrators patch their sites immediately. GBHackers
EY Data Breach: Hackers Access Third-Party IT Support Platform Ernst & Young LLP (EY) has confirmed a data security incident in which an unauthorized third party breached a third-party IT service management platform, exfiltrating documents containing client personal and financial information. The firm filed formal breach notifications with the California Attorney General’s office. GBHackers
OpenSSL DoS Vulnerability: Exhausting Server Memory A Denial of Service (DoS) flaw in OpenSSL, dubbed “HollowByte,” allows a remote, unauthenticated attacker to force a server to allocate disproportionate memory chunks before any security handshake even begins. The vulnerability can be exploited using an 11-byte payload. GBHackers
Citrix Secure Access Client Flaw: SYSTEM Privileges Escalation Cloud Software Group has issued a High-severity security bulletin disclosing two vulnerabilities in the Citrix Secure Access Client for Windows and the Citrix Endpoint Analysis Client for Windows. The more serious of the two, tracked as CVE-2026-53565, allows a standard, low-privileged user on a local system to escalate privileges and gain full SYSTEM access. GBHackers
7-Zip Fixes RCE Flaw: Exploitable with Malicious Archives 7-Zip version 26.02 was released to fix a remote code execution vulnerability that could allow attackers to execute malicious code by convincing users to open specially crafted compressed files. BleepingComputer
The Future of Age Verification: On-Device Estimation Incode explains how on-device age estimation verifies age without transmitting or storing facial images, reducing biometric privacy risks while supporting compliance with expanding age verification laws worldwide. BleepingComputer
AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.
