Critical Web & Browser Security Update: Edge, RCE in React/Next.js & WordPress

This newsletter is AI-generated and may hallucinate sometimes 😊

Announcing the new Skills feature in Leo, Brave's in-browser AI assistant

  • Brave launched "Skills" for its Leo AI assistant on desktop and Android version 1.85+.
  • New "Skills" feature allows users to automate frequent tasks like summarizing web pages.
  • The feature prioritizes privacy, streamlining workflows without exposing sensitive user prompts or data.

Source: Brave Blog | Date: December 03, 2025

Attackers have a new way to slip past your MFA

  • Attackers deploy Evilginx tool to steal session cookies, bypassing multi-factor authentication protections.
  • Evilginx acts as a phishing proxy, relaying logins and capturing session cookies post-MFA completion.
  • Defend with phishing-resistant MFA, password managers, and promptly revoking suspicious user sessions.

Source: Malwarebytes | Date: December 03, 2025

"Sleeper" browser extensions woke up as spyware on 4 million devices

  • Five popular browser extensions silently became spyware on over 4 million devices in mid-2024.
  • Extensions, including WeTab, gained remote code execution abilities, exfiltrating users' browsing data in real time.
  • This ShadyPanda campaign exploited user trust and lax update vetting, posing ongoing risks.

Source: Malwarebytes | Date: December 02, 2025

Microsoft Edge Introduces Tenant Restrictions v2 by Default

  • Microsoft Edge is enabling Tenant Restrictions v2 (TRv2) by default to bolster security for corporate resources.
  • This feature provides organizations granular control over SaaS application access, including Microsoft 365, limiting users to specified tenants.
  • The update aims to prevent unauthorized access and data exfiltration when users interact with web applications via Microsoft Edge.

Source: Microsoft 365 Roadmap | Date: October 26, 2025

Microsoft Edge Enhances InPrivate Browsing with Default Tracking Prevention

  • Microsoft Edge has extended its "Tracking prevention" feature to be enabled by default for all InPrivate browsing sessions.
  • This enhancement significantly improves user privacy by actively blocking various online trackers during private web activities.
  • The update brings InPrivate mode's tracking prevention in line with the protection already applied to regular browsing sessions.

Source: Microsoft 365 Roadmap | Date: October 26, 2025

Critical RSC Bugs in React and Next.js Lead to Unauthenticated Remote Code Execution

  • Critical Remote Code Execution (RCE) vulnerabilities, dubbed "RSC bugs," have been discovered in the React and Next.js web development frameworks.
  • These flaws allow unauthenticated attackers to execute arbitrary code remotely by exploiting issues within the React Server Components (RSC) implementation.
  • The vulnerabilities pose a severe risk of full server compromise, necessitating immediate updates for applications using affected React and Next.js versions.

Source: The Hacker News | Date: December 06, 2025

WordPress King Addons Flaw Under Active Exploitation Allows Admin Account Creation

  • A critical vulnerability in the WordPress 'King Addons' plugin is being actively exploited, allowing unauthenticated attackers to create new administrator accounts.
  • The flaw grants full administrative control over compromised WordPress installations, posing a severe threat to website security.
  • WordPress administrators using King Addons are urged to update their plugin to the latest patched version without delay.

Source: The Hacker News | Date: December 06, 2025

Critical Elementor Add-on Flaw Exploited to Achieve Site Takeover on WordPress

  • A critical vulnerability in the WordPress 'Premium Addons for Elementor' plugin is under active exploitation, affecting over 600,000 active installations.
  • The flaw, identified as CVE-2025-XXXX, allows unauthenticated attackers to upload arbitrary malicious files, leading to Remote Code Execution.
  • Site administrators must update the plugin to a patched version immediately to prevent full site takeover.

Source: BleepingComputer | Date: December 06, 2025

Q3 2025 Sees Continued Dominance of Browser Vulnerabilities and Zero-Days

  • Browser vulnerabilities across Chrome, Firefox, and Safari remained a primary target for exploits during Q3 2025, leading to frequent critical patch releases.
  • Zero-day exploits specifically targeting browser engines, notably Chrome's V8 and Safari's WebKit, were actively leveraged in sophisticated advanced persistent threat (APT) campaigns.
  • Memory corruption flaws, including Use-After-Free (UAF) and heap overflows, were consistently identified in rendering engines, often enabling Remote Code Execution.

Source: Securelist | Date: October 30, 2025

Angular Platform Vulnerability Enables Malicious Code Execution via Weaponized SVG Animations

  • A critical vulnerability has been discovered in the Angular platform, allowing malicious code execution through specially crafted SVG animation files.
  • Attackers can exploit this flaw by embedding weaponized SVG files that, when rendered by a browser, trigger arbitrary JavaScript execution within the Angular application context.
  • This vulnerability can lead to severe consequences such as data theft, session hijacking, or web application defacement; Angular developers are urged to update and to sanitize all SVG inputs.

Source: Cybersecurity News | Date: December 06, 2025

Multiple Django Vulnerabilities Expose Web Applications to SQL Injection and DoS Attacks

  • Multiple severe vulnerabilities, including SQL Injection (SQLi) and Denial-of-Service (DoS) flaws, have been identified in the Django web framework.
  • These flaws could enable attackers to compromise database integrity, exfiltrate sensitive data, or render Django-based web applications inaccessible.
  • Django developers are strongly advised to update their framework installations to the latest patched versions to mitigate these critical security risks.

Source: Cybersecurity News | Date: December 06, 2025

Critical ACF Extended Flaw (CVE-2025-13486, CVSS 9.8) Allows Unauthenticated RCE on 100K WordPress Sites

  • A critical unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2025-13486, CVSS 9.8) has been found in the ACF Extended WordPress plugin.
  • This severe flaw affects over 100,000 active installations, allowing attackers to execute arbitrary code remotely due to insecure file upload functionality.
  • Website administrators using ACF Extended must immediately update to the patched version, such as 8.9.10, to prevent full site compromise.

Source: SecurityOnline.info | Date: December 06, 2025

References

  1. Microsoft Edge: Tenant Restrictions v2 (TRv2) - Microsoft 365 Roadmap
  2. Microsoft Edge: Tracking prevention when browsing InPrivate - Microsoft 365 Roadmap
  3. Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution - The Hacker News
  4. WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts - The Hacker News
  5. Critical flaw in WordPress add-on for Elementor exploited in attacks - BleepingComputer
  6. Exploits and vulnerabilities in Q3 2025 - Securelist
  7. Angular Platform Vulnerability Allows Malicious Code Execution Via Weaponized SVG Animation Files - Cybersecurity News
  8. Multiple Django Vulnerabilities Enables SQL Injection and Denial-of-Service Attacks - Cybersecurity News
  9. Critical ACF Extended Flaw (CVE-2025-13486, CVSS 9.8) Allows Unauthenticated RCE on 100K WordPress Sites - SecurityOnline.info