CyberSecurity news

FlagThis

@Talkback Resources - 2d

WordPress Sites Vulnerable to Script Injection, PyPI Package Pirating Music

Millions of WordPress websites face potential script injection attacks due to a critical vulnerability found in the Essential Addons for Elementor plugin, which is installed on over 2 million sites. The flaw, identified as CVE-2025-24752 with a high severity score of 7.1, allows attackers to execute reflected cross-site scripting (XSS) attacks. This is achieved by exploiting insufficient input sanitization within the plugin's password reset functionality, specifically through malicious URL parameters.

A fake WordPress plugin has also been discovered injecting casino spam, impacting website SEO. In a separate incident, cybersecurity researchers have flagged a malicious Python library on the PyPI repository, named 'automslc', which facilitates over 100,000 unauthorized music downloads from Deezer. The package bypasses Deezer's API restrictions by embedding hardcoded credentials and communicating with an external command-and-control server, effectively turning user systems into a botnet for music piracy.
Original img attribution: https://s3.talkback.sh/media/screenshots/8d22ad29fb5dc80c7fe3e9844e550e00.png
ImgSrc: s3.talkback.sh

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • bsky.app: Socket Security has discovered a malicious PyPI package that created a botnet to pirate songs from music streaming service Deezer The package was named automslc and had been downloaded over 100,000 since its release in 2019
  • BleepingComputer: A malicious PyPi package named 'automslc'  has been downloaded over 100,000 times from the Python Package Index since 2019, abusing hard-coded credentials to pirate music from the Deezer streaming service.
  • Talkback Resources: Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads [app] [mal]
  • socket.dev: Malicious PyPI Package Exploits Deezer API for Coordinated Music Piracy
  • bsky.app: A malicious PyPi package named 'automslc'  has been downloaded over 100,000 times from the Python Package Index since 2019, abusing hard-coded credentials to pirate music from the Deezer streaming service.
  • The Hacker News: Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads
  • Sucuri Blog: Injecting malware via a fake WordPress plugin has been a common tactic of attackers for some time. This clever method is often used to bypass detection as attackers exploit the fact that plugins are not part of the core files of a WordPress site, making integrity checks more difficult.
  • gbhackers.com: A critical security vulnerability in the Essential Addons for Elementor plugin, installed on over 2 million WordPress websites, has exposed sites to script injection attacks via malicious URL parameters. The flaw, tracked as CVE-2025-24752 and scoring 7.1 (High) on the CVSS scale, allowed attackers to execute reflected cross-site scripting (XSS) attacks by exploiting insufficient input sanitization in the plugin’s password reset
  • bsky.app: Microsoft has removed two popular VSCode extensions, 'Material Theme - Free' and  'Material Theme Icons - Free,' from the Visual Studio Marketplace for allegedly containing malicious code.
  • gbhackers.com: VS Code Extension with 9 Million Installs Attacks Developers with Malicious Code
  • aboutdfir.com: VSCode extensions with 9 million installs pulled over security risks
  • bsky.app: Microsoft has removed two VSCode theme extensions from the VSCode Marketplace for containing malicious code.
  • Techzine Global: Visual Studio Code extensions with 9 million downloads removed for security risks
Classification:
  • HashTags: #WordPress #XSS #PluginVulnerability
  • Company: WordPress
  • Target: WordPress websites, Deezer
  • Product: WordPress
  • Feature: Script Injection
  • Malware: automslc
  • Type: Bug
  • Severity: Major