Tag Archive for: Reads

Extra, Extra, VERT Reads All About It: Cybersecurity News for the Week of August 29, 2022


All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of August 29th, 2022. I’ve also included some comments on these stories.

WordPress 6.0.2 Patches Vulnerability That Could Impact Millions of Legacy Sites

The WordPress team this week announced the release of version 6.0.2 of the content management system (CMS), notes Security Week, with patches for three security bugs, including a high-severity SQL injection vulnerability.

“The content management system is subject to a SQL injection vulnerability. The issue exists in the WordPress Link functionality and usually affects older versions of WordPress. The functionality is disabled in newer versions of WordPress by default. The vulnerability exists because of improper sanitization of the limit argument of the link retrieval query in the get_bookmarks function. This vulnerability is patched in WordPress 6.0.2 and later.”


Over 1,000 iOS apps found exposing hardcoded AWS credentials

Security researchers are raising the alarm about mobile app developers relying on insecure practices that expose Amazon Web Services (AWS) credentials, making the supply chain vulnerable, Bleeping Computer reports.

“Both iOS and Android apps have exposed AWS credentials. With these credentials an attacker could gain access to databases or other services. It was estimated that 77% of the applications contained AWS tokens that could be used to access private cloud services. The security researchers noted that about 874 applications contained valid credentials that could be used to access database records that potentially contain sensitive personal information.”


Microsoft Discover Severe ‘One-Click’ Exploit for TikTok Android App

Microsoft on Wednesday disclosed details of a now-patched “high severity vulnerability” in the TikTok app for Android that could (Read more…)

GhostCtrl malware for Android records you and reads your messages – MyBroadband


Calling it GhostCtrl, Trend Micro reported that the malware is a variant of a publicly-available remote administration tool for Android called OmniRAT. In addition to spying on targets, GhostCtrl can ultimately become ransomware. It can lock the screen


Good Reads: From a bold vision for China to cyberwarfare to Norwegian fishing – Christian Science Monitor


China's Worldview. China's new president, Xi Jinping, has a bold vision for his country, inspired by its ancient prestige. In Time magazine, Hannah Beech describes how Mr. Xi intends for China to match US military capabilities, becoming the strongest
