Chromium WebXR, React/Next.js RCEs, and WordPress Flaws Dominate Web Security News

This newsletter is AI generated and may hallucinate sometimes 😊

AI in 2025 was defined by increased accessibility, security, and agents

  • Increased AI agent autonomy in 2025 sparked security concerns, prompting calls to keep humans in the loop rather than letting agents govern their own actions.
  • AI's increased accessibility acted as a "force multiplier" for both cyberattacks and defensive operations.
  • Security professionals urged robust oversight and vulnerability patching for new AI frameworks and agentic technologies.

Source: IT Brew | Date: December 04, 2025

Microsoft Edge to Display Copilot Icon by Default, Admins Gain Control

  • Microsoft Edge will soon feature the Copilot icon prominently on the browser's sidebar by default for all users.
  • This change is part of Microsoft 365 Roadmap ID 536579, targeting general availability in December 2025.
  • IT administrators will gain the ability to manage and disable the Copilot icon visibility through organizational policies.

Source: Microsoft 365 Roadmap | Date: December 04, 2025

Major Threats Reshaping Web Security in 2025 Identified

  • Client-side supply chain attacks, involving compromised JavaScript libraries, npm packages, or browser extensions, are a significant and growing threat to web applications.
  • Server-Side Request Forgery (SSRF) vulnerabilities continue to pose a critical risk: a vulnerable API or web service can be made to issue requests on the attacker's behalf, reaching internal systems and metadata endpoints that are not exposed to the internet.
  • The evolution of browser-based attacks, including advanced malicious browser extensions and watering hole campaigns, represents a persistent challenge for web security.

Source: The Hacker News | Date: December 04, 2025

Critical WebXR Flaw Exposes 4 Billion Chromium Users to Heap Corruption

  • A critical WebXR vulnerability affects Chromium-based browsers including Chrome, Edge, and Brave; Hackread puts the exposed user base at an estimated 4 billion.
  • The flaw is a heap corruption reachable remotely, i.e. from a malicious web page using the WebXR API, and could lead to arbitrary code execution if exploited.
  • Users are urged to update their browsers immediately; the fix only takes effect after a restart, so check the browser's About page (chrome://settings/help or edge://settings/help) to confirm the new build is running.

Source: Hackread | Date: December 04, 2025

Catastrophic RCE Flaw (CVE-2025-55182) Impacts React and Next.js Server Components

  • A critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-55182 and dubbed "React4Shell", has been discovered in React Server Components (RSC), the layer that Next.js's App Router is built on. The flaw lies in the deserialization of RSC payloads sent to server function endpoints by the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages.
  • The flaw, rated with a CVSS 3.1 score of 10.0 (maximum severity), allows unauthenticated attackers to execute arbitrary code on the server by sending a crafted request to any application that accepts server function calls.
  • Developers are strongly advised to update immediately: the affected react-server-dom-* packages are versions 19.0.0 through 19.2.0, fixed in 19.0.1, 19.1.2, and 19.2.1, and Next.js users should move to a release that bundles the fixed packages.

Source: Kaspersky official blog | Date: December 04, 2025
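Because the fix is a package upgrade, the first thing a practitioner wants is to know whether a deployed application pins an affected build. The script below is an added example written for this newsletter, not code from React, Next.js or any of the cited sources. It reads an npm package-lock.json (lockfileVersion 2 or 3, which enumerate every installed package under "packages") and flags the react-server-dom-* packages in the range listed above; prerelease/canary builds are reported for manual review, since their exact affected ranges are not encoded here. The function names and the sample lockfile are constructed for the example.

```javascript
// Added example: scan a package-lock.json for React Server Components
// packages in the version range affected by CVE-2025-55182.
// Affected per the React advisory: react-server-dom-webpack, -parcel and
// -turbopack 19.0.0 through 19.2.0; first fixed releases 19.0.1, 19.1.2, 19.2.1.

const AFFECTED_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// First fixed release for each 19.x minor line.
const FIXED_BY_MINOR = { 0: [19, 0, 1], 1: [19, 1, 2], 2: [19, 2, 1] };

function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(version);
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

function compareCore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns "vulnerable", "fixed", or "review". Canary/prerelease builds get
// "review" (assumption for this example: their affected ranges are listed
// separately in the advisory and are not reproduced here).
function classifyVersion(version) {
  const v = parseVersion(version);
  if (!v || v.prerelease) return "review";
  if (v.core[0] !== 19) return "fixed";       // advisory lists only 19.0.0..19.2.0
  const fixed = FIXED_BY_MINOR[v.core[1]];
  if (!fixed) return "fixed";                 // minor lines after 19.2 postdate the fix
  return compareCore(v.core, fixed) < 0 ? "vulnerable" : "fixed";
}

// Walk every installed package (including nested copies under node_modules/x/node_modules/y).
function findVulnerableRscPackages(lock) {
  const hits = [];
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;                // the root project entry
    const idx = path.lastIndexOf(marker);
    const name = entry.name || (idx >= 0 ? path.slice(idx + marker.length) : path);
    if (!AFFECTED_PACKAGES.has(name)) continue;
    const status = classifyVersion(entry.version || "");
    if (status !== "fixed") hits.push({ path, name, version: entry.version, status });
  }
  return hits;
}

// Constructed sample lockfile (not from a real project) so the script runs stand-alone.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { react: "19.2.0" } },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },   // vulnerable
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" }, // fixed
  },
};

// Command-line use: node rsc-lock-check.js path/to/package-lock.json
// (falls back to the constructed sample when no lockfile path is given).
const lockPath = process.argv[2];
const lock = typeof require === "function" && lockPath && lockPath.endsWith(".json")
  ? JSON.parse(require("fs").readFileSync(lockPath, "utf8"))
  : SAMPLE_LOCK;
for (const hit of findVulnerableRscPackages(lock)) {
  console.log(`${hit.status.toUpperCase()}: ${hit.name}@${hit.version} (${hit.path})`);
}
```

The lockfile is the right thing to scan rather than package.json, because the semver range in package.json says nothing about which build is actually installed; a nested copy pulled in by Next.js shows up in "packages" under its own node_modules path and is caught the same way.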

Authenticated RCE (CVE-2025-8489) Found in King Addons for Elementor Plugin

  • A critical authenticated Remote Code Execution (RCE) vulnerability, CVE-2025-8489, has been identified in the King Addons for Elementor WordPress plugin.
  • The flaw allows attackers with administrator privileges to upload malicious files and execute arbitrary code on affected WordPress sites.
  • Users of King Addons for Elementor are urged to update their plugin to the patched version 1.6.3 or later immediately.

Source: The Cyber Throne | Date: December 04, 2025

WordPress "Unlimited Elements" Plugin RCE (CVE-2025-6389) Actively Exploited

  • A critical unauthenticated Remote Code Execution (RCE) vulnerability, CVE-2025-6389, in the "Unlimited Elements for Elementor" WordPress plugin is under active exploitation.
  • The flaw allows unauthenticated attackers to execute arbitrary code on affected WordPress websites.
  • Site administrators are strongly advised to update the "Unlimited Elements for Elementor" plugin to the latest patched version immediately. Because exploitation is already under way, patching alone does not evict an attacker who is already in: also review the uploads directory for unexpected PHP files, the list of administrator accounts, and recently modified plugin and theme files.

Source: CybersecurityNews | Date: December 04, 2025

SentinelOne Releases Scanner for ReactJS/Next.js RCE (CVE-2025-55182) Endpoints

  • SentinelOne has released a scanner designed to find exposed ReactJS and Next.js React Server Components (RSC) endpoints.
  • The tool helps organizations locate web applications that expose the surface in which CVE-2025-55182 lives; an exposed RSC endpoint marks a candidate for triage, not a confirmed vulnerable version, so findings still need to be matched against the installed package versions.
  • It works by sending requests with the RSC: 1 request header and checking whether the server answers with an RSC payload instead of ordinary HTML, which is how an App Router application responds to a client-side navigation request.

Source: CybersecurityNews | Date: December 04, 2025
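To make the detection step concrete, here is an added example of the same idea, written for this newsletter and not SentinelOne's tool or any Next.js code. A Next.js App Router route that receives a request carrying RSC: 1 answers with Content-Type: text/x-component, a body in React's Flight format (one row per line, each beginning with a hexadecimal row id and a colon), and normally a Vary header that names RSC. The classifier below scores those three signals on an HTTP response; probe() fetches a URL with the header and feeds the reply to it. The function names, the verdict labels and the two sample responses are constructed for the example.

```javascript
// Added example: classify an HTTP response as an exposed RSC (React Flight)
// endpoint. Not SentinelOne's scanner.

const FLIGHT_ROW = /^[0-9a-f]+:/i;   // Flight rows look like 0:["$","div",...] or 1:I[...]

// status: number, headers: object of name -> value, body: string.
// Returns { verdict, signals } where verdict is "rsc-endpoint", "possible" or "not-rsc".
function classifyRscResponse(status, headers, body) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  const contentType = h["content-type"] || "";
  const vary = h["vary"] || "";

  const lines = body.split("\n").filter((line) => line.length > 0);
  const flightRows = lines.filter((line) => FLIGHT_ROW.test(line)).length;

  const signals = [];
  if (contentType.includes("text/x-component")) signals.push("content-type");
  if (/(^|[,\s])RSC([,\s]|$)/i.test(vary)) signals.push("vary");
  if (lines.length > 0 && flightRows === lines.length) signals.push("flight-body");

  let verdict = "not-rsc";
  if (status >= 200 && status < 300 && signals.includes("content-type")) verdict = "rsc-endpoint";
  else if (signals.length >= 2) verdict = "rsc-endpoint";
  else if (signals.length === 1) verdict = "possible";
  return { verdict, signals };
}

// Send the probe. Redirects are not followed, so a login redirect on the
// probed path is reported as-is rather than classified as the target page.
async function probe(url) {
  const res = await fetch(url, { headers: { RSC: "1" }, redirect: "manual" });
  const headers = Object.fromEntries(res.headers);
  const body = await res.text();
  return { url, status: res.status, ...classifyRscResponse(res.status, headers, body) };
}

// Constructed sample responses (not captured from a real site).
const SAMPLE_RSC_RESPONSE = {
  status: 200,
  headers: {
    "Content-Type": "text/x-component",
    "Vary": "RSC, Next-Router-State-Tree, Next-Router-Prefetch",
  },
  body: '1:HL["/_next/static/css/app.css","style"]\n0:["$","html",null,{"children":["$","body",null,{}]}]\n',
};
const SAMPLE_HTML_RESPONSE = {
  status: 200,
  headers: { "Content-Type": "text/html; charset=utf-8" },
  body: "<!DOCTYPE html><html><body><h1>Home</h1></body></html>",
};

// Command-line use: node rsc-probe.js https://app.example/  (network access required)
if (process.argv[2] && /^https?:\/\//.test(process.argv[2])) {
  probe(process.argv[2]).then((r) => console.log(JSON.stringify(r))).catch((e) => console.error(e.message));
} else {
  console.log("sample RSC  :", classifyRscResponse(SAMPLE_RSC_RESPONSE.status, SAMPLE_RSC_RESPONSE.headers, SAMPLE_RSC_RESPONSE.body));
  console.log("sample HTML :", classifyRscResponse(SAMPLE_HTML_RESPONSE.status, SAMPLE_HTML_RESPONSE.headers, SAMPLE_HTML_RESPONSE.body));
}
```

Two caveats for real use: probe only paths you are authorized to test, and treat "rsc-endpoint" as a reason to check the deployed React and Next.js versions (for example with a lockfile scan), since the header behaviour is the same on patched and unpatched builds.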

Another Maximum Severity RCE Flaw (CVE-2025-66478) Disclosed in Next.js

  • A second maximum severity identifier, CVE-2025-66478 (CVSS 10.0), has been published for Next.js.
  • It is the Next.js-side advisory for the React Server Components RCE as it affects Next.js App Router applications; the underlying deserialization flaw is the one tracked as CVE-2025-55182, not a separate bug, so a single upgrade to a patched Next.js release addresses both identifiers.
  • Urgent updates are required for all Next.js users running the App Router to mitigate the risk.

Source: SecurityOnline.info | Date: December 04, 2025

Cisco ISE Affected by Reflected XSS and Information Disclosure Vulnerabilities

  • Multiple vulnerabilities, including reflected Cross-Site Scripting (XSS) and information disclosure, have been discovered in Cisco Identity Services Engine (ISE).
  • These flaws could allow an unauthenticated, remote attacker to perform XSS attacks or disclose sensitive information.
  • Cisco has released software updates to address these vulnerabilities, and users are advised to apply the patches promptly.

Source: Cisco Security Advisory | Date: December 04, 2025

References

  1. Microsoft Edge: Copilot icon visibility - Microsoft 365 Roadmap
  2. 5 Threats That Reshaped Web Security This Year [2025] - The Hacker News
  3. WebXR Flaw Hits 4 Billion Chromium Users, Update Your Browser Now - Hackread
  4. CVE-2025-55182 vulnerability in React and Next.js - Kaspersky official blog
  5. Critical React, Next.js flaw lets hackers execute code on servers - BleepingComputer
  6. Max-severity vulnerability in React, Node.js patched, update ASAP (CVE-2025-55182) - Help Net Security
  7. React warns of critical RCE vulnerability in Server Components - Security.nl
  8. Critical React and Next.js Enables Remote Attackers to Execute Malicious Code - CybersecurityNews
  9. Catastrophic React Flaw (CVE-2025-55182, CVSS 10.0) Allows Unauthenticated RCE on Next.js and Server Components - SecurityOnline.info
  10. Remote Code Execution Vulnerability in React and Next.js Frameworks: December 2025 - Cisco Security Advisory
  11. King Addons vulnerability CVE-2025-8489 for Elementor Plugin - The Cyber Throne
  12. Hackers Actively Exploiting WordPress Plugin Vulnerability to Execute Remote Code - CybersecurityNews
  13. Critical WordPress Flaw (CVE-2025-6389) Under Active Exploitation Allows Unauthenticated RCE - SecurityOnline.info
  14. New Scanner Tool for Detecting Exposed ReactJS and Next.js RSC Endpoints (CVE-2025-55182) - CybersecurityNews
  15. Maximum Severity Alert: Critical RCE Flaw Hits Next.js (CVE-2025-66478, CVSS 10.0) - SecurityOnline.info
  16. Cisco Identity Services Engine Reflected Cross-Site Scripting and Information Disclosure Vulnerabilities - Cisco Security Advisory