Articles

security Article

<hr /> If you haven’t already heard the React shot heard ‘round the world, <a target="_blank" rel="noopener noreferrer" href="https://www.linkedin.com/company/carapace-nz/posts/?feedView=all">Carapace Security’s</a> Innovation Lead <a target="_blank" rel="noopener noreferrer" href="https://www.linkedin.com/in/lachlan-s-davidson/">Lachlan Davidson</a> discovered a critical vulnerability in components of the popular and widely used <a target="_blank" rel="noopener noreferrer" href="https://react.dev/">React library.</a> It allows unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints.How back is it? Using the <a target="_blank" rel="noopener noreferrer" href="https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System">Common Vulnerability Scoring System</a> (CVSS), it was disclosed as <a target="_blank" rel="noopener noreferrer" href="https://www.cve.org/CVERecord?id=CVE-2025-55182">CVE-2025-55182</a> and is rated CVSS 10.0. That’s as severe as it gets. Where is it, exactly? According to sources, the vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of <a target="_blank" rel="noopener noreferrer" href="https://www.npmjs.com/package/react-server-dom-webpack">react-server-dom-webpack</a>, <a target="_blank" rel="noopener noreferrer" href="https://www.npmjs.com/package/react-server-dom-parcel">react-server-dom-parcel</a>, and <a target="_blank" rel="noopener noreferrer" href="https://www.npmjs.com/package/react-server-dom-turbopack?activeTab=readme">react-server-dom-turbopack</a>.While it was first detected on November 29th, it wasn’t publicly disclosed until December 3rd. That’s when the <a target="_blank" rel="noopener noreferrer" href="https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/">AWS threat intelligence teams</a> observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda. For detailed upgrade and mitigation instructions, read the <a target="_blank" rel="noopener noreferrer" href="https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components">React blog</a> and check back regularly for additional updates.<h3 id="don’t-panic,-but-act-quickly">Don’t panic, but act quickly</h3>A fix was introduced in versions <a target="_blank" rel="noopener noreferrer" href="https://github.com/facebook/react/releases/tag/v19.0.1">19.0.1</a>, <a target="_blank" rel="noopener noreferrer" href="https://github.com/facebook/react/releases/tag/v19.1.2">19.1.2</a>, and <a target="_blank" rel="noopener noreferrer" href="https://github.com/facebook/react/releases/tag/v19.2.1">19.2.1</a>. Even if your app doesn’t implement any React Server Function endpoints, it might still be vulnerable if it supports React Server Components. The bottom line is that you should upgrade immediately.A key point: if your app’s React code does not use a server – or a framework, bundler, or bundler plugin that supports React Server Components – it’s not impacted by this vulnerability. That said, certain React frameworks and bundlers might have dependencies or include vulnerable React packages, such as:<ul><li><a target="_blank" rel="noopener noreferrer" href="https://nextjs.org/blog/CVE-2025-66478">Next.js (versions 14.x canary, 15.x, 16.x)</a></li><li><a target="_blank" rel="noopener noreferrer" href="https://reactrouter.com/how-to/react-server-components">React Router (RSC preview versions)</a></li><li><a target="_blank" rel="noopener noreferrer" href="https://waku.gg/">Waku (minimal React framework)</a></li><li><a target="_blank" rel="noopener noreferrer" href="https://www.npmjs.com/package/@vitejs/plugin-rsc">@vitejs/plugin-rsc </a></li><li><a target="_blank" rel="noopener noreferrer" href="https://parceljs.org/recipes/rsc/">@parcel/rsc </a></li><li><a target="_blank" rel="noopener noreferrer" href="https://www.npmjs.com/package/rwsdk">RedwoodJS (rwsdk) </a></li></ul>According to the React blog, there are temporary hosting provider mitigations in place, but you shouldn’t rely on these to performantly secure your app. So roll with that update. <a target="_blank" rel="noopener noreferrer" href="https://cmscritic.com/products/vercel">Vercel</a>, the company behind the incredibly popular <a target="_blank" rel="noopener noreferrer" href="https://cmscritic.com/products/nextjs">Next.js,</a> is also taking proactive steps. Any new deployment containing a vulnerable version of the framework will automatically fail to deploy on its platform. <h3 id="what-the-heck-happened?">What the heck happened?</h3>As Lachlan said in his <a target="_blank" rel="noopener noreferrer" href="https://www.linkedin.com/posts/lachlan-s-davidson_critical-security-vulnerability-in-react-activity-7402099900987142144-65Kz/">recent LinkedIn post,</a> there's more nitty-gritty to unpack with all of this, and we’re sure to get more details regarding the vulnerability after the rollout is considered complete and the dust settles.Currently, here’s the gist of it: As we know, <a target="_blank" rel="noopener noreferrer" href="https://react.dev/reference/rsc/server-functions">React Server Functions</a> allow a client to call a function on a server, providing integration points and tools that frameworks and bundlers use to help React code run on both the client and the server. React then translates requests into HTTP requests, which are forwarded to a server, moved into a function call, and returned to the client.According to <a target="_blank" rel="noopener noreferrer" href="https://thehackernews.com/2025/12/critical-react2shell-flaw-added-to-cisa.html">The Hacker News,</a> the real problem stems from <a target="_blank" rel="noopener noreferrer" href="https://www.rapid7.com/blog/post/etr-react2shell-cve-2025-55182-critical-unauthenticated-rce-affecting-react-server-components/">insecure deserialization</a> in the library's RSC Flight protocol, which React uses to enable that server/client communication. With this vulnerability, an unauthenticated remote attacker could fashion a malicious HTTP request or arbitrary commands to any Server Function endpoint. When deserialized by React, it could enable remote code execution on the server. And that’s where the trouble starts. <h3 id="why-it-matters">Why it matters</h3>React has been a game-changer in the digital landscape, specifically through the rise of headless CMSes and Jamstack architectures. There are a lot of fuzzy numbers out there, but most reputable estimates suggest that React is used by millions of websites globally. <a target="_blank" rel="noopener noreferrer" href="https://w3techs.com/technologies/details/js-react">W3Techs reports that React is used by 7.7%</a> of all websites whose JavaScript library is known, which translates to 6.2% of all websites.That’s not the lion’s share, but when you consider the notable enterprises utilizing it within their workloads, the scope feels even bigger. Major brands like Facebook, Netflix, Airbnb, Instagram, WhatsApp, and Shopify utilize React or React Native in various parts of their platforms, demonstrating its widespread adoption in both web and mobile development.Security is job zero for everyone, and no system or framework will ever be beyond a vulnerability at some point in its lifecycle. And the more dependent we are on open source libraries and composable, interoperable architectures, the more likely it is that we’ll see a growing surface area of failure points.From a “fix” perspective, transparency is key. We need to shorten the response time and the gap to action, so stakeholders can “react” as quickly as possible and minimize the impact. Obviously, having performant packages in place to upgrade was a key part of the solution, but I think it was smart to enable the hosting resources as a temporary measure of defense. As we learn more, we'll dig into it. For now, the best advice? Stay vigilant. And stay updated, my friends… <hr /><h3 id="upcoming-events">Upcoming Events</h3> <img style="width:31.44%" src="https://cmscritic.com/ms-content/uploads/2025/08/cms-kickoff-2026-logo.png" alt="" /><h4 id="cms-kickoff-2026"><a target="_blank" rel="noopener noreferrer" href="https://www.boye-co.com/conferences/cmskickoff26">CMS Kickoff 2026</a></h4>January 13-14, 2026 – St. Petersburg, FLMeet industry leaders at our fourth annual CMS Kickoff – the industry's premier global CMS event. Similar to a traditional kickoff, we reflect on recent trends and share stories from the frontlines. Additionally, we will delve into the current happenings and shed light on the future. Prepare for an unparalleled in-person CMS conference experience that will equip you to move things forward. This is an exclusive event – space is limited, <a target="_blank" rel="noopener noreferrer" href="https://www.boye-co.com/conferences/cmskickoff26">so secure your tickets today.</a>

React Now: Why a Major Security Vulnerability in React Server Components is a Severe Threat

matt-garrepy

<hr /> <a target="_blank" rel="noopener noreferrer" href="https://en.wikipedia.org/wiki/Tilly_Norwood">Tilly Norwood</a> is having a “meteoric” start to her career. In a matter of days, she’s gone from obscure to sensational, pursued by Hollywood talent agencies as the next big star. She’s appeared in a wide array of social media sketches and promotional content, and even a short film. Once, while appearing on The Graham Norton Show, she broke down in tears during an emotional moment.“Three seasons and a podcast,” she said during a stint on a red carpet, somewhere. Three seasons of what, we don’t know. What we do know is that her Instagram and TikTok are blowing up. Of course, there’s one little snag: Tilly isn’t real. Or… is she? <figure class="media"><div data-oembed-url="https://www.youtube.com/watch?v=ZRzZL2f4Llw"><div style="position:relative;padding-bottom:100%;height:0;padding-bottom:56.2493%"><iframe src="https://www.youtube.com/embed/ZRzZL2f4Llw" style="position:absolute;width:100%;height:100%;top:0;left:0" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe></div></div></figure> The story of Tilly Norwood – a completely fabricated AI creation from Xicoia, the AI division of the production company <a target="_blank" rel="noopener noreferrer" href="https://www.particle6.com/">Particle6 Group</a> – has drawn widespread backlash across the entertainment landscape. With actresses like Emily Blunt calling the faux-actress “really, really scary,” Tilly’s emergence has had a chilling effect on actors and content creators who see it as a threat to authentic human connection and job security.   Ironically, Hollywood has been prognosticating this. Movies like <a target="_blank" rel="noopener noreferrer" href="https://en.wikipedia.org/wiki/Her_(2013_film)">Her</a>, the trippy dystopian flick <a target="_blank" rel="noopener noreferrer" href="https://en.wikipedia.org/wiki/The_Congress_(2013_film)">The Congress</a>, and a sci-fi sleeper with Al Pacino called <a target="_blank" rel="noopener noreferrer" href="https://en.wikipedia.org/wiki/Simone_(2002_film)">SIMONE</a> – from way back in 2002 – offered satirical narratives and cautionary tales of what might happen if AI clones and avatars became convincing enough to replace us in media.Well, that day has arrived. And it’s not just Hollywood wrestling with these challenges. Businesses are investing in tools that enable realistic human avatars to create training videos, webinars, and other materials that are completely AI-generated. How good are they? Check out products like <a target="_blank" rel="noopener noreferrer" href="https://www.synthesia.io/">Synthesia</a>, and you'll see they're getting eerily close to the real thing.  But there’s another sinister plot twist in all of this. As voice and image cloning technologies have bridged the uncanny valley between reality and fantasy, a phenomenon called “romance scams” has become more commonplace. In an effort to bolster awareness and fight back against this blight, today, October 3rd, has been adopted as <a target="_blank" rel="noopener noreferrer" href="https://protectingheartsday.com/">“World Romance Scam Prevention Day.”</a>Yes, it's a real thing. But why am I writing about this? Arguably, it falls into the domain of digital experiences and AI. But more importantly, it’s personal. No, I haven’t been “Tinder Swindled” (I’ve been married for 28 years, so the whole mysticism of “swiping right” is completely alien to me). But my aging parents and in-laws have been the target of numerous scams and phishing attacks, and this is perhaps one of the most nefarious types of criminal enterprises – because it preys on our emotions.Whether any kind of digital malfeasance or social engineering has directly befallen you or your family, we have a duty to assist our most vulnerable populations in combating this phenomenon. But one of the biggest problems with romance scams is a lack of effective detection tools. And when it does happen, victims often feel too ashamed to speak out.As AI becomes more robust – and characters with the convincing realism of Tilly Norwood become the norm – this problem is expected to become even worse. Cybersecurity experts stress that publicity, education, and caution are really the only ways to protect internet users.<h3 id="the-heartbreaking-costs-of-romance-scams">The heartbreaking costs of romance scams</h3>At the center of this is a growing epidemic of loneliness in our society. <a target="_blank" rel="noopener noreferrer" href="https://ihpi.umich.edu/national-poll-healthy-aging/reports-and-resources/trends-loneliness-among-older-adults-2018-2023">According to data</a> from the University of Michigan, well over one-third of people between the ages of 50 and 80 report feeling isolated or lacking in companionship. The problem is a bit of an enigma, and one that channels like social media tend to both heal and exacerbate. This phenomenon is creating an opportunity for romance scam predators. According to<a target="_blank" rel="noopener noreferrer" href="https://u7061146.ct.sendgrid.net/ls/click?upn=u001.gqh-2BaxUzlo7XKIuSly0rC6QkY-2B-2B89U8pvhm5Jz-2Fz69xcpZc08ec-2FPuWOzL5i5kZirlGKhJp1i5zR5d0cHY2DBiN-2BdYl5Wy-2FICrz6-2BaeInbA-3DlhvL_LYRc62DeCgOg3NLqF-2FA1Nkc-2BB6iSCezTSr7cATVeIt7vbFxqkjj807TkbpGOsHdtP-2FHWYQ8hHG-2Bh0tJIgFVOZKYjgZ1NmctFnL6YEY4pGF8o-2F6ojRynMcklKajsMhnZp87tbcv-2BQ5M2UgGAGvgT9seoHj3BAVvSJUt6Rk-2FfquSbPJiy9DvJBaQNJXHswjXDQYg1V6iXFgkVHTrf03u0YjGkgg1OYtsbQMYJbRoj9xXUgUb4rYi9kfZQCp1tU4myWGOOEx9M4DbGH1pvWXS5gDHXL18WD7XX9Uev2q6rYPuvXg92AxWnNGeCsMmFzg0TURNlFgE2zNo3A1Zdu6HxASw-3D-3D"> </a><a target="_blank" rel="noopener noreferrer" href="https://u7061146.ct.sendgrid.net/ls/click?upn=u001.gqh-2BaxUzlo7XKIuSly0rC6QkY-2B-2B89U8pvhm5Jz-2Fz69xcpZc08ec-2FPuWOzL5i5kZirlGKhJp1i5zR5d0cHY2DBiN-2BdYl5Wy-2FICrz6-2BaeInbA-3DH5p8_LYRc62DeCgOg3NLqF-2FA1Nkc-2BB6iSCezTSr7cATVeIt7vbFxqkjj807TkbpGOsHdtP-2FHWYQ8hHG-2Bh0tJIgFVOZKYjgZ1NmctFnL6YEY4pGF8o-2F6ojRynMcklKajsMhnZp87tbcv-2BQ5M2UgGAGvgT9seoHj3BAVvSJUt6Rk-2FfquSbPJiy9DvJBaQNJXHswjXDQ4oom7O2EH3G4gzU029Mh3aY85uVpd0N6B3w9amiJ-2Fs4wRWDGf8vaEZKmD1f7DRP2HDe3v1Fn3tCpskHuJTb-2Fn-2B5-2F0AvVBUopQEJhc-2FGyZuwgcU8lvBbXHMjR5tizPfNkvRSbpvCAyvN3pmKBPM-2F7wQ-3D-3D">Low Cost Detectives</a>, in the United States alone, romance scams have increased from $547 million in 2021 to over $1.3 billion in 2024, with victims losing an average of $15,000. It's not just an emotional tragedy – it's a financial one.“While old-fashioned malware does not choose its victims, a variety of studies show that this new generation of scams targets the most vulnerable internet users: lonely people and those less aware of the dangers of modern online life,” said <a target="_blank" rel="noopener noreferrer" href="https://www.linkedin.com/in/tomas-sinicki-312b8a10/">Tomas Sinicki,</a> managing director at <a target="_blank" rel="noopener noreferrer" href="https://nordprotect.com/">NordProtect,</a> a leading identity theft protection service. “This puts romance scams among the fastest-growing scam categories.” What makes romance scams particularly effective is that they exploit deep human needs and vulnerabilities while relying on very specific strategies. According to NordProtect, criminals often pose as people in respectable positions (think soldiers or doctors), and rarely ask for money right away. Instead, they take time to build trust and emotional dependency, playing on loneliness, hope, and the desire for companionship. They might even send small gifts or tokens of affection before asking for larger favors.AI has made this deception much easier to produce and maintain. Scammers can now create trusted, hyper-realistic characters with voice-cloning and video deepfakes, allowing them to scale their operations and maintain multiple long-term conversations at once without burning out. In other words, they can keep at it, nurturing trust and ultimately penetrating the emotional bubble. As Sinicki explained, romance scam victims feel ashamed, but scams exploit emotions – not intelligence. That means anyone can fall for them.“Since we lack reliable tools to detect AI-generated content, education and caution are essential. But above all, having reliable online fraud insurance that includes romance scam coverage as well as other forms of fraud is an essential precaution.”<h3 id="how-to-increase-safety-from-ai-driven-romance-scams">How to increase safety from AI-driven romance scams</h3>As part of “World Romance Scam Prevention Day,” NordProtect has a few tips on how to avoid romance scams and protect your family – and even yourself – online:<ul><li>Be skeptical but respectful: Stay cautious without ruining the relationship by maintaining your own doubt. If your chat friend takes offense, explain why you’re being careful. A genuine person will understand, while a scammer will likely react with anger.</li><li>Ask someone you trust for a second opinion: Before investing emotionally, consult a friend or family member. They may spot red flags you’ve missed. This is a tough one, but more urgent given the sophistication of scams.</li><li>Stay alert, even if you made first contact: Initiating the conversation doesn’t make you immune. Scammers can still manipulate you. In fact, that might be part of their play. </li><li>Examine videos closely. AI-generated videos still have their flaws, although the “uncanny valley” effect is beginning to dissipate. But if you look closely, you can still spot the signs: unnatural facial movements or blinking, strange expressions, blurry edges around the face, mismatched skin tones, and inconsistencies with teeth or fingers. Watch everything carefully, consider the source, and always assume it might not be real.</li><li>Use security tools and consider identity theft protection services: While technology alone cannot stop social engineering, trusted solutions (like NordProtect) offer comprehensive support for victims of romance scams and other types of online fraud.</li></ul><h3 id="there's-still-a-lot-to-love-with-ai">There's still a lot to love with AI</h3>Tilly Norwood isn't heading back into the genie's bottle. Unless it's a reboot of I Dream of Genie.There's a lot to address when it comes to the safety and security of the internet. It's a slippery slope, and the ledge is always getting tighter. AI is complicating our footing in unfathomable ways, and we're going to fall. The goal is to avoid the worst impacts, but when it happens, learn from the pain – and work to prevent it in the future. A lot of that comes down to practical, non-digital strategies that rely on our vigilance. When it comes to protecting your family, model skeptical behavior. Have open conversations with both your kids and, if you’re like me, your aging parents. Be honest about the risks; it’s in their nature to trust people of authority, so encourage them to ask for proof or credentials when engaging in a digital chat or conversation. With broader attacks that leverage AI-generated personas – which could be mimicking you or your family members – adopt a code word that you can use to confirm your identity. These avatars are becoming incredibly sophisticated, and it's only a matter of time before they get a call that is convincingly like you. Add on a layer of dementia or other intellectual disability, and it can multiply the potential for problems. AI has a great propensity to improve our world. But like any technology, the bad actors will pervert it into something that can be financially and even emotionally devastating. The best we can do is remain strong – and give those Tinder Swindlers the cold shoulder.  <hr /><h3 id="upcoming-events">Upcoming Events</h3> <img style="width:31.61%" src="https://cmscritic.com/ms-content/uploads/2025/08/storyblok-joyconf-2025-logo.jpg" /><h4 id="storyblok-joyconf-2025"><a target="_blank" rel="noopener noreferrer" href="https://joyconf.storyblok.com/">Storyblok JoyConf 2025</a></h4>October 14-15, 2025 – Amsterdam, Netherlands November 4, 2025 – New York, NY November 6, 2025 – Los Angeles, CAJoin us at JoyConf 2025, where the future of content meets the people shaping it. Built for developers, marketers, and digital innovators, this free conference goes way beyond product updates or yet another strategy playbook. It’s where you’ll get inspired, get real, and get connected – to ideas, to the community, and to what’s possible when you build joyfully. Whether you're building lightning-fast frontends or launching cross-channel campaigns, this is where content becomes connection and collaboration becomes second nature. Come for the talks. Stay for the community. Leave with joy. <a target="_blank" rel="noopener noreferrer" href="https://joyconf.storyblok.com/">Save your spot.</a> <img style="width:28.9%" src="https://cmscritic.com/ms-content/uploads/2025/08/sitecore-symposium-2025.jpg" /><h4 id="sitecore-symposium-2025"><a target="_blank" rel="noopener noreferrer" href="https://symposium.sitecore.com/">Sitecore Symposium 2025</a></h4>November 3-5, 2025 – Orlando, FLAt Sitecore Symposium, you’ll learn how to meet your customers where they are – across channels, moments, and touchpoints that didn’t exist a year ago. You’ll hear how the boldest brands in the world are transforming content into outcomes and creating experiences that are fast, relevant, and human. Join 1,500 marketers, digital leaders, and technologists in Orlando to see what’s possible when personalization scales, AI accelerates creativity, and trust becomes your competitive edge. This is the Third Wave of the Internet. And this is your moment to lead in it. <a target="_blank" rel="noopener noreferrer" href="https://symposium.sitecore.com/">Get your tickets today.</a> <img style="width:31.44%" src="https://cmscritic.com/ms-content/uploads/2025/08/cms-kickoff-2026-logo.png" alt="" /><h4 id="cms-kickoff-2026"><a target="_blank" rel="noopener noreferrer" href="https://www.boye-co.com/conferences/cmskickoff26">CMS Kickoff 2026</a></h4>January 13-14, 2026 – St. Petersburg, FLMeet industry leaders at our fourth annual CMS Kickoff – the industry's premier global CMS event. Similar to a traditional kickoff, we reflect on recent trends and share stories from the frontlines. Additionally, we will delve into the current happenings and shed light on the future. Prepare for an unparalleled in-person CMS conference experience that will equip you to move things forward. This is an exclusive event – space is limited, <a target="_blank" rel="noopener noreferrer" href="https://www.boye-co.com/conferences/cmskickoff26">so secure your tickets today.</a>

Tainted Bot Love? AI Lotharios Get the Cold Shoulder on ‘World Romance Scam Prevention Day’

<a target="_blank" rel="noopener noreferrer" href="https://cmscritic.com/critics/jurgita-lap">Jurgita Lapienytė</a><a target="_blank" rel="noopener noreferrer" href="https://cmscritic.com/critics/dan-drapeau"> </a>is Editor-in-Chief at <a target="_blank" rel="noopener noreferrer" href="https://cybernews.com/">Cybernews</a> and a CMS Critic contributor. <hr /> The <a target="_blank" rel="noopener noreferrer" href="https://cybernews.com/news/grok-posts-praise-hitler/">latest Grok debacle</a> reads like a case study in how not to launch an AI chatbot. Elon Musk’s xAI, fresh off the hype cycle for Grok 4.0, found itself in damage-control mode after the bot spewed antisemitic tropes, praised Hitler, and doubled down with the kind of “truth-seeking” rhetoric that’s become a dog whistle for “anything goes.” The company’s response was to <a target="_blank" rel="noopener noreferrer" href="https://www.theguardian.com/technology/2025/jul/09/grok-ai-praised-hitler-antisemitism-x-ntwnfb">delete</a> the posts, apologize, and promise that next time, the filters will work, while Musk <a target="_blank" rel="noopener noreferrer" href="https://www.cbsnews.com/news/grok-elon-musks-ai-chatbot-antisemitic-comments/">blamed</a> manipulative prompt injections by users.<h3 id="grok’s-security-failures-–-not-so-uncommon-">Grok’s Security Failures – Not So Uncommon </h3>First, the core vulnerability here is Grok’s very design. Marketed as a “truth-seeking” alternative to more tightly controlled chatbots, Grok was engineered with fewer guardrails and a willingness to echo the rawest edges of online discourse. It seems to function very much like X after Musk’s takeover of the company.That design philosophy, paired with the model’s notorious “compliance” to user prompts, created a perfect storm for prompt injection attacks. Prompt injection is an extremely dangerous attack vector, as threat actors, if asking the right questions, can <a target="_blank" rel="noopener noreferrer" href="https://cybernews.com/security/universal-ai-jailbreak-discovered/">trick chatbots</a> into giving instructions on how to enrich uranium or make methamphetamine at home.When the training data is laced with extremist rhetoric, and the guardrails are weak or hastily implemented, it’s only a matter of time before the worst of humanity bubbles up through the code. This isn’t unique to Grok as TikTok, X, Instagram, and YouTube also have been infested with racist content, often slipping past moderators who are overwhelmed, under-resourced, or simply indifferent.A few months back, <a target="_blank" rel="noopener noreferrer" href="https://cybernews.com/tech/hitler-glorifying-surges-on-tiktok-x/">we called out</a> AI platforms for translating Hitler’s speeches and giving them new digital life. The backlash was immediate: accusations of censorship, attacks on free speech, and the usual internet pile-on. The Grok case shows how chatbots could be weaponized to amplify hate speech, spread conspiracy theories, and even praise genocidal figures, all under the banner of “free expression.”<h3 id="xai’s-response-could-have-been-better">xAI’s Response Could Have Been Better</h3>What’s most worrying from a cybersecurity perspective is the lack of proactive defense. xAI’s action was a textbook incident response (not that it ever works well for the culprits): scrub the posts, patch the prompts, abruptly apologize, and hope for the best. But in the world of modern infosec, that’s not enough. Proper security requires adversarial red-teaming before launch, not after the damage is done. It demands layered controls – robust input validation, output monitoring, anomaly detection, and the ability to quarantine or roll back models when they go off the rails. Grok’s rollout, timed with the launch of version 4.0, suggests that the model was pushed live without sufficient penetration testing or ethical red-teaming, exposing millions to risk in real time.<h3 id="guidance-for-web-and-digital-experience-builders">Guidance for Web and Digital Experience Builders</h3>The Grok 4.0 chatbot controversy is a front-row lesson for anyone shaping modern digital experiences. When AI-powered chatbots go off script – spitting out offensive, dangerous, or extremist content – the fallout can hit hard and fast: legal headaches, brand damage, user backlash, and regulatory scrutiny. For web and digital experience builders, the new norm is recognizing that generative AI is an unpredictable extension of your content platform. The right lessons, drawn now, can mean the difference between successful innovation and the next tech lesson.To prevent failures, make sure to take at least these essential steps: <ol><li>Treat AI chatbots like core content: Run every AI or chatbot-generated output through editorial moderation, just as you would user-generated content. Also, use your CMS workflows to enforce pre-publication reviews for sensitive or high-risk content segments.</li><li>Demand transparency from vendors: You should insist on clear documentation from AI vendors. How is training data sourced? How quickly are filters updated? What triggers moderation? And definitely avoid integrations where the provider gives vague or buzzword-heavy answers.</li><li>Monitor for red flags in real time: Set up dashboards and alerts for spikes in controversial or sensitive queries. Make sure to flag sudden shifts in chatbot tone or recurring attempts to bypass guardrails. Audit bot sessions for toxic or extremist phrases, and require review for flagged cases.</li><li>Build in robust safeguards: Don’t rely solely on post-incident apologies or deletions. </li><li>Assign ownership and enable fast escalation: Designate a point person or team for bot oversight, empowered with a “kill switch” to disable misbehaving chatbots immediately.</li><li>Understand the regulatory landscape: Track where your digital experiences intersect with regions governed by strict AI or content laws (e.g., EU’s Digital Services Act). Ensure you have compliance evidence for content moderation, output logging, and quick takedown response.</li><li>Reinforce your AI guardrails: Treat AI guardrails as a living part of your digital stack, not a one-time fix. Iterate and improve with each update, launch, or training data change.</li></ol>The truth is, every new chatbot or AI feature is a potential attack surface that demands active, informed governance. For digital architects, these steps are the new non-negotiables.<h3 id="regulators-aren’t-impressed">Regulators Aren’t Impressed</h3>The regulatory consequences of irresponsible chatbot development are already unfolding. Turkey has <a target="_blank" rel="noopener noreferrer" href="https://www.politico.eu/article/turkey-ban-elon-musk-grok-recep-tayyip-erdogan-insult/">banned</a> Grok over Erdoğan insults, and Poland intends to <a target="_blank" rel="noopener noreferrer" href="https://www.reuters.com/business/media-telecom/poland-report-musks-chatbot-grok-eu-offensive-comments-2025-07-09/">report</a> the chatbot to the EU for offending Polish politicians. These are signals that the era of “move fast and break things” might be over for AI. Under the <a target="_blank" rel="noopener noreferrer" href="https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/digital-services-act_en">EU’s Digital Services Act</a> and similar laws, platforms are now on the hook for algorithmic harms, with the threat of massive fines and operational restrictions. The cost of insecure AI is measured in court orders, compliance audits, and the erosion of public trust.Perhaps the most insidious risk is how generative AI like Grok can supercharge existing threats and amplify biases. In the wrong hands, a chatbot is a megaphone. Coordinated adversaries could use such systems for influence operations, harassment campaigns, or even sophisticated phishing and social engineering attacks, all at unprecedented scale and speed. Every flaw, every missed filter, becomes instantly weaponizable.To protect our societies, we have to realize that generative AI is a living, evolving attack surface that demands new strategies, new transparency, and relentless vigilance. If companies keep treating these failures as isolated glitches, they’ll find themselves not just outpaced by attackers, but outflanked by regulators and abandoned by users.  <hr /><h3 id="upcoming-events">Upcoming Events</h3> <img style="width:31.83%" src="https://cmscritic.com/ms-content/uploads/2025/01/cms-connect-2025-logo.png" alt="" /><h4 id="cms-connect-25"><a target="_blank" rel="noopener noreferrer" href="https://www.boye-co.com/conferences/cmsconnect25">CMS Connect 25</a></h4>August 5-6, 2025 – Montreal, CanadaWe are delighted to present the second annual summer edition of our signature global conference dedicated to the content management community! CMS Connect will be held again in beautiful Montreal, Canada, and feature a unique blend of masterclasses, insightful talks, interactive discussions, impactful learning sessions, and authentic networking opportunities. Join vendors, agencies, and customers from across our industry as we engage and collaborate around the future of content management – and hear from the top thought leaders at the only vendor-neutral, in-person conference exclusively focused on CMS. Space is limited for this event, <a target="_blank" rel="noopener noreferrer" href="https://www.boye-co.com/conferences/cmsconnect25">so book your seats today.</a>

Grok's Meltdown: What Web and Digital Experience Builders Must Learn

jurgita-lap

<a target="_blank" rel="noopener noreferrer" href="https://cmscritic.com/critics/jurgita-lap">Jurgita Lapienytė</a><a target="_blank" rel="noopener noreferrer" href="https://cmscritic.com/critics/dan-drapeau"> </a>is Editor-in-Chief at <a target="_blank" rel="noopener noreferrer" href="https://cybernews.com/">Cybernews</a> and a CMS Critic contributor. <hr /> Imagine that you’re out shopping for a new jacket, blissfully unaware that somewhere, in the digital shadows, your personal details are being shuffled like cards in a high-stakes game you never agreed to play. That’s the reality for The North Face customers after a <a target="_blank" rel="noopener noreferrer" href="https://cybernews.com/news/north-face-cyberattack-compromised-customer-accounts-vf-corp/">“small-scale” credential stuffing attack</a> – though, let’s be honest, there’s nothing small about having your name, birthday, and address stolen.<h3 id="credential-stuffing:-the-lazy-hacker’s-jackpot">Credential Stuffing: The Lazy Hacker’s Jackpot</h3>Credential stuffing is the digital equivalent of trying every key on a ring until one fits. Hackers scoop up usernames and passwords leaked from previous breaches, then let automated bots loose on other websites, hoping you’ve reused your old faithful password yet again. Spoiler: <a target="_blank" rel="noopener noreferrer" href="https://cybernews.com/security/password-leak-study-unveils-2025-trends-reused-and-lazy/#:~:text=The%20Cybernews%20research%20team%20conducted,the%202025%20password%20creation%20trends.&amp;text=%E2%80%9CWe're%20facing%20a%20widespread,highly%20vulnerable%20to%20dictionary%20attacks.">Most people do</a>. It’s like giving every houseguest you’ve ever had a copy of your key and never changing the locks.Why does this keep happening? Because password reuse is the internet’s dirty little secret. We all know we shouldn’t, but convenience wins. The North Face’s attackers didn’t need to break down the door – they just waltzed in, armed with credentials bought in bulk from the dark web’s version of a discount warehouse.<h3 id="what-was-stolen-–-and-why-it’s-important">What Was Stolen – and Why It’s Important</h3>No, your credit card wasn’t filched this time. But don’t breathe easy just yet. Names, addresses, phone numbers, birthdays – these are the building blocks for identity theft and phishing scams that can cost you far more than a new parka. Cybercriminals love this data because it’s the clay they mold into convincing cons.<h3 id="how-to-break-the-cycle">How to Break the Cycle</h3>Here’s what CMS and DXP vendors can do to help brands secure the end user experience: <ul><li>Enable <a target="_blank" rel="noopener noreferrer" href="https://support.microsoft.com/en-us/topic/what-is-multifactor-authentication-e5e39437-121c-be60-d123-eda06bddf661">Multi-Factor Authentication (MFA)</a> by default, especially for risky logins and sensitive actions.</li><li>Use AI-powered bot detection and rate limiting to block automated credential stuffing attempts.</li><li>Integrate <a target="_blank" rel="noopener noreferrer" href="https://support.google.com/a/answer/1217728">CAPTCHA</a> challenges smartly to stop bots without frustrating real users.</li><li>Adopt secure, decoupled architectures and protect APIs with strong authentication protocols.</li><li>Check passwords against breach databases and enforce strong, unique password policies.</li><li>Monitor login patterns in real-time to spot and respond to suspicious activity quickly.</li><li>Provide built-in user education on security best practices and phishing awareness.</li><li>Keep platforms updated automatically with the latest security patches and protections.</li><li>Leverage cloud-native, vendor-managed security to reduce risks and maintenance burdens.</li></ul><h3 id="last-take">Last Take</h3>The North Face did the right thing by alerting customers, even if the law didn’t twist their arm. But let’s not kid ourselves: until unique passwords and two-factor authentication are as routine as zipping your coat before a snowstorm, credential stuffing attacks will keep finding their mark. Don’t be the low-hanging fruit. In the wilds of the internet, survival favors the cautious. <hr /><h3 id="upcoming-events">Upcoming Events</h3> <img style="width:31.83%" src="https://cmscritic.com/ms-content/uploads/2025/01/cms-connect-2025-logo.png" alt="" /><h4 id="cms-connect-25"><a target="_blank" rel="noopener noreferrer" href="https://www.boye-co.com/conferences/cmsconnect25">CMS Connect 25</a></h4>August 5-6, 2025 – Montreal, CanadaWe are delighted to present the second annual summer edition of our signature global conference dedicated to the content management community! CMS Connect will be held again in beautiful Montreal, Canada, and feature a unique blend of masterclasses, insightful talks, interactive discussions, impactful learning sessions, and authentic networking opportunities. Join vendors, agencies, and customers from across our industry as we engage and collaborate around the future of content management – and hear from the top thought leaders at the only vendor-neutral, in-person conference exclusively focused on CMS. Space is limited for this event, <a target="_blank" rel="noopener noreferrer" href="https://www.boye-co.com/conferences/cmsconnect25">so book your seats today.</a>

When Passwords Become Skeleton Keys: The North Face Breach and the Perils of Credential Stuffing

<hr /> <a target="_blank" href="https://cmscritic.com/critics/nazy">Nazy Fouladirad</a> is President and COO of Tevora, a leading global cybersecurity consultancy, and a CMS Critic contributor. Most organizations today are increasingly dependent on more than just their internal teams and on-premise solutions to drive their businesses forward. The growing popularity of cloud platforms and "as-a-service" models across various industries has also led to a significant increase in organizations partnering with third-party providers.However, while collaborating with multiple external vendors and service providers can help organizations expand, it can also introduce new risks. Given the rise in cybercrime and strict regulatory standards today, the need to have a mature third-party risk management program is essential to ensure <a target="_blank" href="https://cmscritic.com/how-to-secure-your-cms-in-5-steps">their data is secure</a>, especially when handled by those outside the company.<h2 id="recognizing-the-risks-of-third-party-vendors">Recognizing the Risks of Third-Party Vendors</h2>Establishing strong business partnerships is an important component of business growth. Whether hiring an outside marketing firm to drive brand awareness or working with a managed services provider to outsource IT and cybersecurity, the right partnerships help businesses operate more efficiently. However, it's important to be aware of certain risks associated with extending your operations outside your organization.When vendors require access to confidential business information to offer their services, the duty to protect that data starts moving beyond the company's immediate reach. Without due diligence, this can pose <a target="_blank" href="https://www.checkpoint.com/cyber-hub/cyber-security/what-is-cybersecurity/biggest-cyber-security-challenges-in-2023/">significant security challenges</a>, particularly if your partners aren't upholding the safety standards your business adheres to. While most service providers are obligated by data protection laws and regulations to protect sensitive client information, the reality is that not all companies are equally secure. Besides the financial risk associated with a major business disruption across connected services, businesses may also face significant fines and penalties if they fail to maintain regulated compliance standards that govern their specific industry.<h2 id="what-are-third-party-security-&amp;-compliance-audits?">What are Third-Party Security &amp; Compliance Audits?</h2>For organizations that need to have more transparency regarding potential security risks that may be present with a third party, security risk and compliance audits are essential. A third-party security and compliance audit or assessment is a methodical review process handled by outside risk management experts to thoroughly vet the security standards of any business partnership.Depending on the industry your organization operates in, there are a variety of different assessments or audits that can be used to identify any areas of concern.For example, a SOC 2 attestation, sometimes referred to as a <a target="_blank" href="https://www.tevora.com/what-is-a-soc-audit/">SOC audit</a> or SOC certification (which is technically incorrect), is often used to benchmark internal control frameworks in the following Trust Criteria:<ul><li>Security</li><li>Privacy</li><li>Confidentiality</li><li>Availability</li><li>Process Integrity</li></ul>These attestation reports are the opinion of a CPA firm and identify an opinion of conformity against the selected Trust Criteria. It is important to note that not all SOC 2 reports test all five Trust Services Criteria, as it depends on scope. This is similar but holds a bit less rigor than an <a target="_blank" href="https://www.tevora.com/blog/what-is-an-iso-audit/">ISO 27001 audit</a>, which checks that systems and processes align with the framework established by the International Organization for Standardization.<a target="_blank" href="https://www.fedramp.gov/">FedRAMP High Authorization</a>, used for assessing Cloud Service Providers performing critical and essential services for Government Agencies, has over 400 controls and is even more rigorous than the ISO 27001 certification.To streamline third-party vendor assessments, some may use SOC 2, ISO 27001, HITRUST, or FedRAMPas alternative evidence for vetting vendors rather than conducting one-off assessments.<h2 id="steps-to-executing-third-party-security-&amp;-compliance-audits">Steps to Executing Third-Party Security &amp; Compliance Audits</h2>Conducting a third-party compliance audit is often left to risk management specialists due to the complexity of the process. While every audit can be different depending on the depth and scale of the partnership, most external audits will follow a similar formula.Below are the typical steps used when executing third-party security and compliance audits:<h3 id="1.-identify-all-of-your-partnerships">1. Identify All of Your Partnerships</h3>Thoroughly evaluating the business's active partnerships is the first step before performing any type of third-party audit. Oftentimes, businesses may be primarily concerned with only one or two active partnerships they rely on regularly. However, having a completely transparent understanding of your complete risk profile requires identifying each and every vendor you engage with. This could be a supplier of physical goods, logistics companies that you currently contract, SaaS (Software-as-a-Service) providers, or a company where this is a direct change of company information.<h3 id="2.-tier-your-vendors">2. Tier Your Vendors</h3>Not all vendors are created equal. The most important vendors are those that you share the most sensitive data with, have access to your networks, host or build applications, have physical access to your facilities, or can interrupt your key business processes. These vendors are often referred to as Tier 1 vendors. Other vendors you may rely on but are not as critical can be considered Tier 2. Vendors that do not provide essential services – such as a coffee supply vendor or shipping provider – may be considered a Tier 3 vendor.  For Tier 3 vendors, just knowing that they are accounted for and have been identified as a Tier 3 vendor is all that is required. <h3 id="3.-build-a-plan-for-vendor-assessments-by-tier">3. Build a Plan for Vendor Assessments by Tier</h3>Working with a trained risk assessment professional, you should define the assessment, process, depth, and acceptable alternative evidence allowed for each tier of vendor.  By organizing your assessment process by Vendor Tier, you'll be able to narrow down the focus of your audits to the areas that are most critical for the services provided.Part of building a successful vendor assessment plan should start with the alignment of your company’s existing security framework to your Vendor assessment model (ISO 27000 series, NIST 800 series, HITRUST Certification, or FedRAMP/StateRAMP). Typically, more mature vendors will have their own security programs developed and backed by one of these frameworks. Having the ability to crosswalk between the frameworks can help show how your company’s security controls are implemented through outsourcing to these vendors. A tool commonly used within the Third Party Vendor Management space is the <a target="_blank" href="https://sharedassessments.org/sig/">Standardized Information Gathering (SIG) Questionnaire</a>, which helps map controls to various frameworks. The SIG Questionnaire has over 1000 controls, whereas the SIG Lite contains about 200 controls. Many Vendors will have a SIG or SIG Lite available for review during the third-party assessment process and this can be an effective way of getting standardized information from your vendors. <h3 id="4.-notify-your-vendors">4. Notify Your Vendors</h3>While certain portions of a third-party risk assessment can be managed without the direct involvement of your vendors and with the use of various monitoring tools, their participation is essential to complete an assessment. Many companies will make assessment requirements part of their new vendor onboarding process to ensure that all parties are aware of the potential for assessment before or during the length of the partnership. In any event, it's important to clearly lay out any requirements your business may have when it comes to completing assessments to ensure vendors are aware and willing to comply.<h3 id="5.-define-scope-of-engagement">5. Define Scope of Engagement</h3>Some assessments are much more comprehensive than others. In all situations, though, it's important to define the scope of engagement that will be required for each vendor. This is another area where understanding your risk categories will help, as it will assist in prioritizing engagement in the right areas and with the right teams. Doing so helps to avoid your vendors becoming overwhelmed with requests for information that could potentially cause strain on the relationship.<h3 id="6.-complete-the-review-and-identify-areas-of-improvement">6. Complete the Review and Identify Areas of Improvement</h3>After gathering the required information, your risk management team can produce a detailed review of potential areas of concern. Given the thoroughness of the data collected, some areas might need additional exploration to guarantee the review's accuracy and to ensure the insights provided are easy to understand and actionable.<h2 id="don't-let-your-third-party-risk-catch-you-off-guard">Don't Let Your Third-Party Risk Catch You Off Guard</h2>While your organization might prioritize and invest in proper security measures, not all vendors necessarily share that commitment. However, collaborating with skilled risk management experts can help confirm that all your partnerships value security and risk mitigation as much as you and your clients do. <hr /><h3 id="upcoming-conferences">Upcoming conferences</h3> <img style="width:29.67%" src="https://cmscritic.com/ms-content/uploads/2024/01/cms-connect-2024-logo.png" alt="CMS Connect 24 logo" /><h4 id="cms-connect-24"><a target="_blank" href="https://www.boye-co.com/conferences/cmsconnect24">CMS Connect 24</a></h4>August 6-7, 2024 – Montreal, CanadaWe are delighted to present our first annual summer edition of our prestigious international conference dedicated to the global content management community. Join us this August in Montreal, Canada, for a vendor-neutral conference focused on CMS. Tired of impersonal and overwhelming gatherings? Picture this event as a unique blend of masterclasses, insightful talks, interactive discussions, impactful learning sessions, and authentic networking opportunities. <img style="width:29.58%" src="https://cmscritic.com/ms-content/uploads/2024/01/cms-kickoff-2025-logo.png" /><h4 id="cms-kickoff-25"><a target="_blank" href="https://www.boye-co.com/conferences/cmskickoff25/tickets">CMS Kickoff 25</a></h4>January 14-15, 2025 – Tampa Bay Area, FloridaJoin us next January in the Tampa Bay area of Florida for the third annual CMS Kickoff – the industry's premier global event. Similar to a traditional kickoff, we reflect on recent trends and share stories from the frontlines. Additionally, we will delve into the current happenings and shed light on the future. Prepare for an unparalleled in-person CMS conference experience that will equip you to move things forward. This is an exclusive event – space is limited, so secure your tickets today.

Make Sure Your Vendors and Partners aren’t a Security Risk with Third-Party Security & Compliance Audits

nazy

<hr /> The digital transformation of <a target="_blank" href="https://cmscritic.com/what-is-a-content-management-system-cms">content management systems (CMS)</a> is accelerating, with AI capabilities becoming a significant differentiator among providers. Some CMS vendors are enhancing their platforms with ChatGPT add-ons, while <a target="_blank" href="https://cmscritic.com/kontent-ai-pioneers-native-ai-in-headless-cms-interview-with-vojtech-boril">others are weaving AI more intricately</a> into their technology stacks. A select few are even making AI the heart of their offerings. This diversity in AI integration presents a spectrum of challenges, particularly in terms of securing and maintaining the privacy of customer data.<h3 id="what-is-at-stake">What is at stake</h3>CMS platforms are the custodians of a wide array of data, from the mundane to the mission-critical. This data can include everything from public-facing content to sensitive internal documents detailing future product launches and marketing campaigns. The impact of a data breach originating from a CMS vendor can be severe, with the potential for significant financial and reputational damage.Data breaches are not only disruptive but also expensive. The average <a target="_blank" href="https://www.ibm.com/reports/data-breach">cost of a data breach</a> can be staggering, with public reports often calculating it in millions on affected organizations. Furthermore, CMSs are frequently tasked with processing data that is protected by various regulations, such as Protected Health Information (by HIPAA in the US) and financial information (by GLBA in the US, DORA in Europe, etc.). Personal data processing is a given, necessitating adherence to privacy laws like GDPR and CCPA.Regulatory frameworks mandate a set of controls to safeguard this data, and AI implementations within CMSs must meet these same stringent requirements. If AI functionalities are implemented incorrectly, they can lead to the mishandling of sensitive data, compliance issues, and even data leaks across customer accounts.<h3 id="how-to-address-the-challenges">How to address the challenges</h3>Despite the relative novelty of generative AI, there are already established standards and best practices that leading CMS vendors are adopting. The architecture of the AI solution is paramount; a well-designed architecture will prevent data leaks between customers and ensure at least logical data separation. Utilizing well-tested AI models and implementing AI governance on the vendor's side are also crucial steps.Frameworks such as the EU AI Act, capAI methodology, and the NIST AI Risk Management Framework provide guidance for responsible AI risk management. While specific "AI security certifications" do not exist yet, adherence to recognized security and privacy best practices, such as ISO/IEC 27001, 27017, 27018 certifications, GDPR compliance, SOC 2 Type 2 Report, and Cloud Security Alliance STAR registry, is indicative of a vendor's commitment to security.Transparency from vendors about their AI implementations and their approach to security and responsible AI development is essential, as is ensuring the privacy of data.<h3 id="what-kontent.ai-brings-to-the-table">What Kontent.ai brings to the table</h3><a target="_blank" href="https://kontent.ai/">Kontent.ai</a> is at the forefront of AI integration in the CMS market, being the first headless CMS vendor to natively incorporate AI capabilities. With a strong AI-powered feature set and a forward-looking AI roadmap, Kontent.ai leads the way in AI in content management.On the compliance side, the company's approach to AI governance is in line with the best practices of capAI and NIST AI RMF, and it ensures immediate compliance with the EU AI Act. Kontent.ai's security program is robust and certified by ISO/IEC 27001, 27017, and is audited regularly by Trust Services Criteria. To provide customers with assurance, Kontent.ai offers a suite of artifacts:<ul><li>SOC 2 Type 2 Report</li><li>Comprehensive OWASP penetration test reports</li><li>CSA STAR level 1</li><li>HECVAT</li><li>GDPR audit report</li></ul>These resources demonstrate Kontent.ai's commitment to security and governance, and the company requires its suppliers to adhere to the same high standards.For more information on Kontent.ai's commitment to trust and governance, visit <a target="_blank" href="https://kontent.ai/trust-and-governance/">https://kontent.ai/trust-and-governance/</a><h3 id="summary">Summary</h3>The integration of AI into CMS platforms is revolutionizing the way content is created, managed, and delivered. It's imperative to understand that AI implementations vary widely, and the security and privacy of customer data are paramount. Responsible and secure AI integration involves adhering to established best practices and regulatory standards, ensuring that AI offerings are not only innovative but also trustworthy.Kontent.ai exemplifies this approach by being the first headless CMS vendor to natively incorporate AI capabilities, adhering to best practices such as capAI and NIST AI RMF, and ensuring compliance with the EU AI Act. With a robust security program and a suite of assurance artifacts, Kontent.ai demonstrates its commitment to security and governance, setting a standard for responsible AI in CMS. As AI continues to shape the CMS landscape, it is crucial for vendors to prioritize the responsible use of AI to maintain the trust and confidence of their users.

Not Every AI is the Same: A Guide to Responsible and Secure AI in CMS

matej

Another day, another episode of the cybersecurity blues. And once again, WordPress has a starring role.
According to <a href="https://www.bleepingcomputer.com/news/security/new-linux-malware-uses-30-plugin-exploits-to-backdoor-wordpress-sites/" target="_blank" rel="noopener">Bleeping Computer</a>, a previously unknown Linux malware is exploiting over 30 vulnerabilities in outdated WordPress plugins and themes to inject malicious JavaScript.
The malware targets both 32-bit and 64-bit Linux systems. The trojan’s main functionality is to hack WordPress sites using a set of hardcoded exploits until one is successful. The operator would then have remote command capabilities.
WordPress <a href="https://www.searchenginejournal.com/cms-market-share-june-2022/455912/#close" target="_blank" rel="noopener">holds the largest share</a> of the global CMS market, with an estimated 43% of all websites powered by the open source platform. This makes it a big target for hackers, bad actors, and cybersecurity threats – and this is only the latest in a string of complex and nefarious attacks.
<h2>Using plugins and themes to control WordPress websites</h2>
There’s always a risk that any WordPress widget could be a ticking timebomb.
In 2022 alone, researchers <a href="https://siliconangle.com/2022/08/29/researchers-find-malicious-plugins-25000-wordpress-sites/" target="_blank" rel="noopener">found malicious plugins</a> installed on over 25,000 WordPress websites. In most cases, the plugins were procured through legitimate marketplaces. Once added to a website, malware was injected by exploiting a vulnerability – much like this new Linux threat.
Thousands of WordPress websites may be affected by this threat. According to <a href="https://www.scmagazine.com/brief/vulnerability-management/many-wordpress-plugin-flaws-leveraged-by-novel-linux-malware" target="_blank" rel="noopener">SC Media</a>, once attacked, an infected site may be used for phishing and <a href="https://www.imperva.com/learn/application-security/malvertising/" target="_blank" rel="noopener">malvertising</a> campaigns, as well as malware distribution initiatives.
It’s worth checking your WordPress instances to see if any of these affected plugins are in use:
<ul>
<li>WP Live Chat Support Plugin</li>
<li>WordPress – Yuzo Related Posts</li>
<li>Yellow Pencil Visual Theme Customizer Plugin</li>
<li>Easysmtp</li>
<li>WP GDPR Compliance Plugin</li>
<li>Newspaper Theme on WordPress Access Control (CVE-2016-10972)</li>
<li>Thim Core</li>
<li>Google Code Inserter</li>
<li>Total Donations Plugin</li>
<li>Post Custom Templates Lite</li>
<li>WP Quick Booking Manager</li>
<li>Facebook Live Chat by Zotabox</li>
<li>Blog Designer WordPress Plugin</li>
<li>WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)</li>
<li>WP-Matomo Integration (WP-Piwik)</li>
<li>WordPress ND Shortcodes For Visual Composer</li>
<li>WP Live Chat</li>
<li>Coming Soon Page and Maintenance Mode</li>
<li>Hybrid</li>
</ul>
<h2>Combatting an evolving landscape of security threats</h2>
With hundreds of millions of active websites across the globe, hackers are having a field day.
According to <a href="https://www.securitymagazine.com/articles/98695-leading-cyber-risks-and-trends-in-2022" target="_blank" rel="noopener">Security Magazine</a>, cyberattacks are on the rise and becoming more sophisticated by the day. Among the top threats in 2022, malware led the pack, representing the highest cost of damage to organizations.  
WordPress, as mentioned, continues to be a growing vector. Case in point: <a href="https://thehackernews.com/2022/12/new-gotrim-botnet-attempting-to-break.html" target="_blank" rel="noopener">The Hacker News recently reported</a> on another <a href="https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites" target="_blank" rel="noopener">Go Trim botnet attack</a> that targeted WordPress website administrator accounts. Botnet malware has the capability to bypass traditional anti-bot protections, making sites even more vulnerable to the standard bot-evasion techniques.
But all is not lost. WordPress CMS administrators can fight back by adopting solid policies around their security practices. By vetting all plugin source code via an experienced DevSecOps team, many vulnerabilities can be uncovered before a plugin is pushed to production. This can augment strong password policies and the use of multi-factor authentication to reduce the surface area for would-be attackers.
WordPress websites can also be hosted in more secure environments like <a href="https://www.cmscritic.com/wp-engine-releases-worlds-first-study-of-the-wordpress-economy-cites-awe-inspiring-numbers/">WP Engine</a>, which disallow certain plugins and themes due to security or performance issues.

New Linux Malware Targets Plugins to Backdoor WordPress CMS Websites

mk-patterson

Hackers love websites. Maybe that's overstating the obvious, but in today's hyperconnected digital world, it can't be understated. <a target="_blank" href="https://www.webarxsecurity.com/website-hacking-statistics-2018-february/">According to McAfee</a>, hackers produce 300,000 new pieces of malware daily – and on average, 30,000 new websites are hacked every single day.The fact is, websites are easy targets. Not only are they abundant, but they're frequently built using open source technologies – meaning they're littered with holes that can be easily exploited.Most website owners have no idea how vulnerable they are until they've been hit. And with hackers sinking their teeth into financial data, patient records, IP, and more, a single breach can significantly damage a brand or even sink a business.While <a target="_blank" href="https://www.cmscritic.com/gutenberg-2-years-later-is-wordpress-better-off/">WordPress</a>, Joomla, and <a target="_blank" href="https://www.cmscritic.com/drupal-8-8-0-released/">Drupal</a> continue to own the open-source content management (CMS) market, they also represent the largest collection of security vulnerabilities. In fact, according to the 2020 <a target="_blank" href="https://www.dimensiondata.com/en-gb/insights/global-threat-intelligence-report-2020">Global Threat Intelligence Report</a> from Dimension Data, almost 20% of all website attacks targeted these platforms – with WordPress owning the lion's share.Regardless of what software you're using, web security can feel like a never-ending game of "hide and seek." Hackers find holes in both modern and legacy web applications, and developers scramble to patch them as soon as possible – and the cycle repeats. But the biggest vulnerabilities often exist in layers that website owners take for granted like HTML5, Single Page Applications (SPA), and even password-protected web assets.The sharks are always circling. That's why security has become an essential part of any serious website or web application strategy. Historically, this required an expensive, multi-layered approach, combining both hardware and professional services. But now, you can automate your security processes with Netsparker: a powerful yet easy-to-use solution that's purpose-built for websites and web applications.In this review, we'll take a deeper look at Netsparker and how it can help website admins identify weak spots in their service. We'll tour its crawling and scanning tools and how it's designed to help maintain governance with domains, certificates, compliance, and more – so you can stay one step ahead of the threats.<h3>What is Netsparker?</h3>Netsparker is an automated yet fully configurable Enterprise DAST (Dynamic Application Security Testing) utility that enables you to scan websites, web applications, and web services to identify security flaws. Netsparker can scan all types of web apps – regardless of the platform or language they're built with – making it incredibly extensible.Netsparker operates on what they call "Proof-Based Scanning," which automatically verifies detected vulnerabilities and confirms whether they're false positives by exploiting them in a safe, read-only manner. Here's a video overview of how it works:<figure class="media"><div data-oembed-url="https://www.youtube.com/watch?v=uF9eGAfBh8A"><div style="position:relative;padding-bottom:100%;height:0;padding-bottom:56.2493%"><iframe src="https://www.youtube.com/embed/uF9eGAfBh8A" style="position:absolute;width:100%;height:100%;top:0;left:0" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe></div></div></figure>With Netsparker's scanning technology and automatic verification, you don't have to be a seasoned security professional to conduct thorough scans. You always know which results are actionable issues and not false positives, so you can prioritize your response.Netsparker is designed with productivity in mind. For example, you can send notifications and automatically assign vulnerabilities to developers, allowing you to patch web applications in real-time to maintain security. Bypassing expensive SecOps staff also means you save time and money on conducting regular scans, letting the cybersecurity pros focus on more complex issues.<img src="https://cmscritic.com/ms-content/uploads/2023/08/eliminate-the-uncertainty-of-false-positives.png" /><h3>Features</h3>There are a lot of security utilities on the market, but few that make vulnerability scanning at the web layer as streamlined as Netsparker. Not only is it easy to navigate and manage, but it gives both an individual user and an enterprise team access to integrated data and insights. We'll talk more about that when we cover Netsparker's product editions, but their central repository is one of the features that sets it apart within the cybersecurity landscape.First, let's cover some of the core capabilities that really stand out.Dashboard Security data can get complex – and fast. But this is where Netsparker really shines. With their visual dashboard, you get a holistic snapshot of your websites, scans, and active vulnerabilities in a single window. Intuitive graphs allow your team to track the severity of threats, assess your overall threat level, and automatically categorize the nature of your vulnerabilities from low to critical.<img src="https://cmscritic.com/ms-content/uploads/2023/08/netsparker-featured-image.png" />From the dashboard, you can also manage permissions for your users and groups, as well as assign team members to specific security tasks or establish security policies for your organization.Proof-Based Scanning™ As previously mentioned, Netsparker’s "Proof-Based Scanning" safely exploits any found vulnerabilities and automatically creates a proof-of-exploit or proof-of-concept to validate that it's real – and not a false positive. The process is further streamlined with automated notifications that assign vulnerabilities to developers, and patch web application firewalls in real-time to help maintain security.Vulnerability Scanning Identifying vulnerabilities is the most important mission for any web vulnerability scanner. Netsparker can spot all types of web application vulnerabilities, including multiple variants of the most common weaknesses such as <a target="_blank" href="https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/">SQL injection</a> and <a target="_blank" href="https://www.netsparker.com/blog/web-security/cross-site-scripting-xss/">cross-site scripting (XSS)</a>. Most direct-impact vulnerabilities are also automatically confirmed, so you can be confident that these results are not false positives.Vulnerability Details and Reporting<img src="https://cmscritic.com/ms-content/uploads/2023/08/blind_sql_injection.png" />Every vulnerability uncovered by Netsparker is accompanied by detailed reporting that helps security teams and developers to not only fix issues but understand them. Vulnerabilities are also automatically tagged with a security severity level, denoting the potential damage they can do – and the urgency required to fix them.While Netsparker offers a number of out-of-the-box reports with different visualization options, you can also render your own custom report templates. Additionally, you can generate compliance reports that cover ISO27001, HIPAA, and other critical regulatory benchmarks – and you can have your PCI DSS reports <a target="_blank" href="https://www.netsparker.com/pci-vulnerability-scan/">validated by third-party entities</a> to ensure governance requirements.Armed with rich, in-depth information and remediation guidance, your experts can eliminate the root causes of vulnerabilities, write more secure code in the future, and meet fierce compliance with dynamic reporting.Built-In Assessment Tools<img src="https://cmscritic.com/ms-content/uploads/2023/08/http_request_builder.png" />To help teams optimize scanning and manual testing, Netsparker features a number of advanced web security tools that work with modern and legacy web languages and technologies.<ul><li>HTTP Request Builder: You can use the <a target="_blank" href="https://www.netsparker.com/blog/docs-and-faqs/http-request-builder-penetration-testing-tool/">HTTP Request Builder</a> to create your own HTTP requests and modify imported requests. This is extremely useful for performing manual vulnerability assessments and troubleshooting complex issues like identifying logical vulnerabilities.</li><li>Encoding and Decoding Tools: Text encoding and decoding is a vital feature when manually crafting and modifying test payloads. To save precious time during manual vulnerability assessments, Netsparker includes a text encoder and decoder that supports multiple encoding schemes, including URL, HTML, Base64, UTF7, MD5, SHA1, SHA256, SHA512, and others.</li><li>ViewState Viewer: When security scanning ASP.NET and modern .NET web applications, Netsparker extracts ViewState data from HTTP requests and responses generated during scanning. The ViewState data is displayed in a separate preview tab for easier troubleshooting.</li><li>Asset Discovery: Another proactive security measure, Netsparker's Asset Discovery service continuously scans the Internet to discover your assets based on numerous variables – including IP addresses, top-level and second-level domains, and even SSL certificate information.</li></ul><h3>Plans</h3>Netsparker offers a few different plans based on your needs: Standard, Team, and Enterprise. The naming is fairly intuitive – and so is the pricing – but we'll explore each tier in more detail below.One quick note worth mentioning: Netsparker Standard and Netsparker Enterprise are actually designed to <a target="_blank" href="https://www.netsparker.com/support/integrating-netsparker-standard-with-netsparker-enterprise/">integrate with each other</a>. This basically means that Enterprise includes Standard, and can synchronize and share data using a central repository. Use whichever edition best suits your needs – from one desktop scanner for a single site to hundreds via API – and share the results with your entire team.And one more thing: Netsparker provides 24-hour email, phone, and remote screen support Monday through Friday. They boast a 98% customer satisfaction rating on their website FAQ, and their product reviews seem to reflect that.Netsparker Standard Netsparker Standard is perfect for small and medium-sized businesses. The on-premises desktop scanner helps protect commercial and open-source web products, websites made by third parties, and custom web applications. If you have websites built on a popular CMS, an eCommerce shop on a platform solution, or a home-grown web application, Netsparker Standard is an ideal choice for up to 20 websites.Netsparker Standard is available as a Windows application with built-in penetration testing and reporting tools, many of which allow for fully automated security testing. You also get access to their crawling and scanning features, reporting, policy tools and more.Netsparker Team Netsparker Team is made for larger organizations seeking a complete vulnerability assessment and management solution with collaboration in mind. Netsparker Team helps streamline workflows for up to 50 websites, and unlike Standard, it's all accessed via Netsparker's REST API.Netsparker Team includes all of the essentials from Standard, like crawling, reporting, and tools – but also provides a multi-user platform with native CI/CD, messaging, and business workflow systems. It also features Netsparker's PCI Compliance Scanner, which brings greater value to websites with significant paycard data transactions.Netsparker Enterprise Netsparker Enterprise is a comprehensive security platform designed for large organizations with significant web properties and assets. Like Team, it is an API-driven, multi-user scanning solution with dynamic built-in workflow tools. The big difference is scalability: if you have over 50 websites you're managing, Enterprise brings hosted account options to the table that empower your teams with dedicated support and resources. You also get access to custom authentication for OAuth2, Single Sign-On (SSO), client-side certificates, and more.Netsparker Enterprise is really designed to <a target="_blank" href="https://www.netsparker.com/online-web-application-security-scanner/sdlc-integration/">integrate seamlessly into the software development lifecycle</a>, allowing DevOps and SecOps teams to scan thousands of web applications and services as they are being developed, tested, or running in production. This makes Enterprise an ideal tool for software teams as they push new products and features to market, ensuring that they meet security and compliance requirements from end to end.<h3>Pricing</h3>Netsparker is an incredibly well-reviewed product, and based on our own experience, it delivers both the functionality and simplicity it claims. They also get points for a cool slider on their <a target="_blank" href="https://www.netsparker.com/plans/">Product &amp; Plans</a> page, which helps recommend a tier based on the number of websites you're scanning. This makes it easy (and maybe even a little fun) to determine which product is right for your needs.Here's how the tiers break down:<ul><li>1-20 websites: Standard plan</li><li>21-49 websites: Team Plan</li><li>50 + websites: Enterprise Plan</li></ul>Unfortunately, that's all you get: a recommendation. They don't provide a price, but it's reasonably clear that it's based in part on the tier itself and the number of websites you'll be scanning. Each plan progressively builds on the previous, allowing you to scale seamlessly. And as mentioned, the Enterprise edition includes the Standard edition desktop scanner as part of the suite.OK, so no price transparency. That requires a demo and a phone call for a custom quote. But the good news is that you can try Netsparker for free today with just a few basic steps. And once you're using it, you'll worry less about price – and wonder how you ever got by without it.<h3>About Netsparker</h3><a target="_blank" href="https://www.netsparker.com/">Netsparker</a> is the leading Enterprise DAST (Dynamic Application Security Testing) solution and the only product that delivers automatic verification of vulnerabilities with exclusive pre-scan automation and Proof-Based Scanning™ technology. Netsparker scans any type of web application, provides actionable results, and integrates with company workflow tools to close the loop between IT and developers. It identifies vulnerabilities from the early stages of application development through production. With global headquarters in London and North American headquarters in Austin, Texas, Netsparker serves customers worldwide in the technology, professional services, banking, and government markets, including many Fortune 500 companies. Netsparker is part of <a target="_blank" href="https://c212.net/c/link/?t=0&amp;l=en&amp;o=2947090-1&amp;h=30600359&amp;u=https%3A%2F%2Fwww.invicti.com%2F&amp;a=Invicti+Security">Invicti Security</a>, the leading global provider of dynamic application security testing products.

Netsparker Review: Web Application Security and Vulnerability Scanner

paris-tuzun

Power your CMS on AWS

Manage your websites & apps in the most trusted cloud.

#ffffff

The sad truth of the matter is that there are plenty of ways for intruders (and those with bad intentions) to cause website owners a ton of grief. This can range from attacking your website for the purpose of simply taking it down to attempting to hack it to spread malware. To combat this, it's important to be prepared. In this article, we'll share with you how to secure a website in 5 steps.
In fact, a <a href="http://www.wpwhitesecurity.com/wordpress-news/statistics-70-percent-wordpress-installations-vulnerable/">study conducted by WP White Security</a> found that 73% of all WordPress installations contained known vulnerabilities that would have quickly and easily been found through the utilization of automated tools.
It’s these types of security holes that have resulted in cyber criminals hacking into over 170,000 back in 2012 alone – a number that is probably even higher by now.
<img src="https://cmscritic.com/ms-content/uploads/2023/08/how-to-secure-your-cms.jpeg" alt="how-to-secure-your-cms" />
<h2>What makes websites vulnerable to hacking?</h2>
Websites are appealing targets to hackers for a wide variety of reasons, mainly the number of weak entry points – such as the numerous plugins available for CMS like WordPress.
Many people assume that, because CMS like WordPress and Drupal are highly popular and recognized names, there must be some form of protection. They can’t just leave all of their users vulnerable, right?
Think again.
CMS are inherently open to attack because of the fact their foundation is an open source framework. These types of shared development environments have myriad benefits, but they also come with just as many issues.
Because of the popularity of the top CMS available out there, the security holes within these systems are actively being identified and targeted, both by the good guys (security research teams) and the bad guys (cyber criminals).
Once these holes have been found, they turn that particular CMS into treasure troves of data for cyber criminals, even to the point of creating an entry point for automated attacks on a massive scale.
To add salt to the wound, there are users who use the same passwords for all of their accounts, or even just use weak passwords. These leave their admin accounts open to attacks, even if they aren’t aware of it. This can result in their websites being injected with all sorts of malware and escalating the issue beyond the point of control.
These issues can even result in the websites becoming blacklisted by Google and other search engines, which adversely affects their business or brand as a whole.
<h2>How to get started securing a website</h2>
There are numerous things users can do to secure a website against vulnerabilities and fortify their systems from attack.
These include:
<h3>Using a strong password</h3>
To begin with, if your website is powered by a popular CMS such as WordPress, you want to makes sure that you secure it with a very strong password. Hackers and anyone using a WordPress website themselves are very familiar with how to access the administration interface and begin attempting to login.
Even if you are not using WordPress, it doesn't take much effort to scan a website for a login / admin interface so be sure that if someone DOES find this interface, they have no chance of logging in and taking over your website.
<h4>How to set up a strong password to secure a website</h4>
Always secure with a strong password to make this process harder for hackers and other cyber criminals. Additionally, you’re going to want to hash the password(s) you use by implementing a <a href="https://auth0.com/blog/hashing-passwords-one-way-road-to-security/">slow hashing algorithm</a>.
BONUS: Block the IP for at least one minute after x amount of password authentication failures. Three is the recommended amount of attempts before IP blocking.
Use a secure password generator to create something that is next to impossible to guess: <a href="https://www.lastpass.com/password-generator">LastPass Secure Password Generator</a>
<h3>Having a firewall in place is another important way to secure a website</h3>
Setting up a firewall will not only further secure your website / CMS, but it will also help you keep an eye on suspicious activity and track them by providing a related IP address for the source of that activity.
Once you’ve detected and found suspicious activity, you can then blacklist the IP the firewall provided.
Having said that, if you are not the type who wants to have to do these things manually, then it's a good idea to put in place a security service to do so for you. Most of the offerings out there are relatively reasonable in price and will save you a lot of headaches.
<h4>Our recommended website security company:</h4>
SiteGuarding.com
I recommend putting in place a website security service such as <a href="http://bit.ly/cc-siteguarding">SiteGuarding.com</a> to keep your website safe from hacking attempts. SiteGuarding is a security service that protects your website against malware and hacker exploits.
<h3>3 . ALWAYS Backup your CMS</h3>
This is one of the most essential aspects of CMS and website security and is actually just an overall good habit to have.
Have a backup system in place that will make it possible to recover your website in the event something happens. Always make sure your backups are updated as much as possible to avoid any security vulnerabilities or further problems down the road.
BONUS: Make sure your CMS and any extensions it may have are updated. These upgrades should be double-checked to ensure they are fully compatible with your system before you allow or make them. Of course, you’re always going to want to backup your CMS before conducting these updates.
If you currently don't have a means of backing up your website, we recommend going with a solid hosting company that offers this service for free.
Here are a few we recommend that have daily backups:
<ul>
<li><a href="http://www.anrdoezrs.net/click-7040701-10833186">GoDaddy</a></li>
<li><a href="https://kinsta.com?kaid=QQMMZOGRMCQE">Kinsta – If you run WordPress</a></li>
<li><a href="https://www.bluehost.com/">BlueHost</a></li>
</ul>
<h3>4 . Protect against SQL-injections</h3>
An SQL-injection is a cyber attack that embeds malicious code within your CMS and its backend database. Once it’s in there, that malicious code then creates database query results and / or actions that you definitely do not want executed.
There are several types of SQL-injections and they enable the cyber criminal to do a whole variety of things. These include:
<ul>
<li>Editing, deleting, reading, or adding to the content of your CMS</li>
<li>Accessing and reading source code from the files on the CMS server</li>
<li>Write files to the server</li>
</ul>
While it is true that any one of those things relies heavily upon the capabilities of the cyber criminal, any SQL-injection can still lead to you losing control of your database and web server.
In order to prevent this from happening, <a href="https://www.netsparker.com/blog/web-security/understanding-sql-injection-protection/">use prepared statements</a>, as these separate the structure and data. This allows the SQL server to interpret them without being open and vulnerable to a hacker that is trying to alter the structure of the SQL query for their own malicious purposes.
The best way to protect against these is to implement a website security service that will keep your site protected against attacks. Here's an example of an excellent one: <a href="http://bit.ly/cc-siteguarding">Site Guarding</a>
<h3>5 . Get an SSL Certificate</h3>
An SSL certificate (secure sockets layer) is the standard security technology that is used to produce an encrypted link that goes between the web server and the browser. It is this link that will ensure that the data that goes between the server and the browser will stay private and secure.
Adding an SSL certificate to your domain will not only add an additional layer of security to your CMS, but will also help with SEO because it tends to get your website ranked higher in search engines.
If you don't yet have an SSL certificate, <a href="https://shareasale.com/r.cfm?b=1188781&amp;u=407830&amp;m=46483&amp;urllink=&amp;afftrack=">get one here</a>.
<img src="https://cmscritic.com/ms-content/uploads/2023/08/how-to-secure-your-cms-1.jpeg" alt="how-to-secure-your-cms-1" />
<h2>Final Thoughts</h2>
Website security is one of those things that can truly be considered a “Catch-22” type of situation.
The more cyber criminals are out there trying to gain access into people’s CMS, the more security researchers crack down on it and come with new methods of protection. The greater the security becomes, the harder the cyber criminals will work to gain access – and they do like challenges.
It’s really an ongoing battle that is seemingly without end.
But, where does that leave you and your CMS?
It’s hard to say for sure where your CMS lies within the cyber criminal-infested waters, but there are things you can do to ensure your CMS is as secure as you can possibly make it. These five methods of security will help reduce threats to your CMS and help keep your data out of jeopardy.

How to Secure a Website in 5 Steps

mike-johnston

Best Video Experience

Give your audience the best video experience

#000000

Explore a wide range of informative articles on security, insights, and industry updates. Stay informed and ahead of the curve with our diverse collection of news and posts covering the latest trends and developments in the industry