Hackers Hijack WordPress, SonicWall Backup Breach, Oracle Data Theft – Cybersecurity News [October 06, 2025]

by DuoCircle

 

We are back once again with a fresh round of news, highlighting incidents in which major platforms and large enterprises were targeted. To start with, a critical WordPress flaw is being widely exploited to hijack administrator accounts, with over 13,800 attack attempts recorded. SonicWall confirmed that firewall backup files for all of its cloud backup customers were exposed in a breach, overturning its earlier claims of limited impact.


Oracle rushed out an emergency patch for a zero-day in its E-Business Suite after Cl0p ransomware actors used it in large-scale data theft campaigns. Discord disclosed that ID photos belonging to registered users were exposed, while Florida’s Doctors Imaging Group reported a major breach affecting more than 171,000 patients, alongside incidents at Rectangle Health and Care N’ Care. Here are this week’s top updates.

 

Hackers Exploit Critical WordPress Flaw to Take Over Websites

A serious security bug in the popular Service Finder WordPress theme is the talk of the town. The exploit allows attackers to break into live websites and take over administrator accounts. The flaw, tracked as CVE-2025-5947 with a top-severity score of 9.8, lies in the bundled Service Finder Bookings plugin. It was discovered by a researcher known as Foxyyy and allows attackers to log in as any user without a password, simply by abusing the plugin’s weak cookie validation. Once inside, attackers can completely hijack a site: adding malicious code, redirecting visitors to fake pages, or even using the site to host malware.


Security firm Wordfence has already recorded more than 13,800 attack attempts since August 1, 2025, though it is unclear how many have succeeded. The vulnerability affects all versions up to 6.0; a patch was released on July 17, 2025, in version 6.1. With more than 6,100 customers, the theme is a widespread target. As after every such incident, security experts are urging administrators to update their credentials immediately, review their access logs, and check for any unauthorized logins or injected scripts to prevent a full site compromise and the distribution of malware.
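The flaw described above comes down to a site treating a client-supplied cookie as proof of identity. As an added illustration that is neither the plugin’s code nor DuoCircle’s, here is a generic Python sketch of that weak pattern beside a hardened version: the server signs the cookie payload with an HMAC, verifies it in constant time, and enforces an expiry, so an edited or fabricated cookie is rejected. The secret key, user ids and cookie values are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side secret for the example; a real deployment loads it
# from configuration or a secrets store and never hard-codes it.
SECRET_KEY = b"constructed-example-key-do-not-use-in-production"


def weak_validate(cookies: dict) -> Optional[int]:
    """Weak pattern: the user id in the cookie is taken at face value.

    Nothing ties the value to the server, so any client can present an
    arbitrary id and be treated as that user. This illustrates the bug
    class the article describes, not the plugin's actual code.
    """
    user_id = cookies.get("user_id")
    return int(user_id) if user_id is not None else None


def _sign(payload: bytes) -> bytes:
    # HMAC-SHA256 over the exact payload bytes, keyed with the server secret.
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def issue_signed_cookie(user_id: int, ttl_seconds: int = 3600,
                        now: Optional[int] = None) -> str:
    """Hardened pattern: the server emits <payload>.<signature> with an expiry."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"uid": user_id, "exp": now + ttl_seconds},
                         separators=(",", ":")).encode()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(_sign(payload)).decode())


def strong_validate(cookie_value: str, now: Optional[int] = None) -> Optional[int]:
    """Return the user id only if the signature verifies and the cookie is unexpired."""
    now = int(time.time()) if now is None else now
    try:
        b64_payload, b64_sig = cookie_value.split(".", 1)
        payload = base64.urlsafe_b64decode(b64_payload)
        sig = base64.urlsafe_b64decode(b64_sig)
    except (ValueError, binascii.Error):
        return None  # malformed cookie: treat as unauthenticated
    # Constant-time comparison so timing differences do not leak the signature.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    data = json.loads(payload)
    if not isinstance(data.get("uid"), int) or data.get("exp", 0) < now:
        return None
    return data["uid"]


if __name__ == "__main__":
    issued = issue_signed_cookie(42, now=1_000_000)
    print("signed cookie accepted as user:", strong_validate(issued, now=1_000_100))
    print("weak check trusts client-chosen id:", weak_validate({"user_id": "1"}))
```

The key design point is that the user id never travels unsigned: the server only honours a value it signed itself, and an expiry bounds how long a stolen cookie stays useful.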

 

SonicWall Confirms Breach Exposing Firewall Backup Files

SonicWall has confirmed that hackers were able to access firewall configuration backup files belonging to all customers who used its cloud backup service. These files contain encrypted credentials and configuration data, so while the secrets themselves remain protected, the exposure could still increase the risk of targeted attacks. The company is notifying everyone affected and has provided remediation playbooks to help them assess and secure their devices. Users are strongly encouraged to log in to their MySonicWall accounts to check for impacted firewalls; internet-facing systems have been marked as the highest priority.

This is a major reversal from SonicWall’s earlier statement, which suggested that less than 5% of its customers were affected. In response to the breach, the company has strengthened its infrastructure, improved its logging, and brought in stricter authentication controls to prevent a repeat. Although SonicWall has not yet shared precise details of the incident, it is advising all registered users and clients to reset their credentials without delay and to carefully review their settings and configurations for any gaps as a safeguard.


Oracle Zero-Day Exploited in Cl0p Data Theft Attacks

Oracle has pushed an emergency fix for a critical zero-day flaw (CVE-2025-61882) in its E-Business Suite that is already being used in data theft attacks by the Cl0p ransomware group. The vulnerability is extremely severe, as it allows attackers to run code remotely without any credentials and completely take over the Concurrent Processing component. Oracle has now patched the bug and shared details about the attackers, which include signs of activity from the Scattered Spider, LAPSUS$, and ShinyHunters groups, suggesting they may be working together.

Researchers from Mandiant, CrowdStrike, and others confirmed that Cl0p started exploiting this flaw in early August, using a complex exploit chain to steal vast amounts of corporate data. Because the threat is so active, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, telling federal agencies to apply the fix by October 27, 2025. All other Oracle EBS customers are strongly advised to install the latest updates immediately and check their systems for any indicators of compromise (IoCs).
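Every KEV entry carries a remediation due date, and checking an asset inventory against the catalog is a routine defender task. As an added example that is not DuoCircle’s code, the Python script below indexes a constructed excerpt in the shape of CISA’s KEV JSON feed, matches it against a hypothetical host inventory, and orders the results by due date, internet exposure and known ransomware use. CVE-2025-61882 and its October 27, 2025 due date come from the article; the second entry (CVE-1900-0001), the host names and the inventory fields are placeholders. The real feed is downloaded from CISA’s site, and the script accepts any JSON of the same shape.

```python
import json
from datetime import date
from typing import Dict, List

# Constructed excerpt in the shape of CISA's KEV JSON feed. The real feed is a
# "vulnerabilities" list whose entries carry cveID, vendorProject, product,
# dueDate and knownRansomwareCampaignUse among other fields. Only the Oracle
# entry reflects the article; CVE-1900-0001 is a placeholder filler row.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2025-61882", "vendorProject": "Oracle",
         "product": "E-Business Suite", "dueDate": "2025-10-27",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "dueDate": "2025-11-15",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Hypothetical asset inventory: which hosts still carry which unpatched CVEs.
INVENTORY = [
    {"host": "ebs-prod-01", "internet_facing": True,  "cves": ["CVE-2025-61882"]},
    {"host": "ebs-dev-02",  "internet_facing": False, "cves": ["CVE-2025-61882"]},
    {"host": "wiki-int-01", "internet_facing": False, "cves": ["CVE-1900-0001"]},
    {"host": "mail-gw-01",  "internet_facing": True,  "cves": []},
]


def load_kev(raw_json: str) -> Dict[str, dict]:
    """Index KEV entries by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def prioritize(inventory: List[dict], kev: Dict[str, dict], today_iso: str) -> List[dict]:
    """List every host/CVE pair that appears in KEV, most urgent first.

    Ordering: overdue or soonest due date first, then internet-facing hosts,
    then CVEs with known ransomware campaign use. today_iso is "YYYY-MM-DD".
    """
    today = date.fromisoformat(today_iso)
    rows = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: still patch it, but outside this report
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            rows.append({
                "host": asset["host"],
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": entry["dueDate"],
                "days_left": days_left,
                "status": "overdue" if days_left < 0 else "due",
                "internet_facing": asset["internet_facing"],
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    rows.sort(key=lambda r: (r["days_left"], not r["internet_facing"], not r["ransomware"]))
    return rows


if __name__ == "__main__":
    for row in prioritize(INVENTORY, load_kev(KEV_SAMPLE), "2025-10-06"):
        print(f'{row["status"]:8} {row["days_left"]:4}d  {row["host"]:12} '
              f'{row["cve"]}  {row["product"]}')
```

Run against the real catalog, the same function turns the KEV due dates into a patch queue; hosts whose CVEs are not in KEV are deliberately left out so the report stays focused on what CISA already knows to be exploited.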


Discord Breach Exposes 70,000 User ID Photos Through Third-Party Vendor

On October 3, Discord revealed that official ID photos and support data for around 70,000 registered users were exposed after threat actors breached a third-party customer support provider. Discord’s own systems were not compromised; the attackers gained access through stolen credentials linked to an outsourced vendor. The incident is a clear case study in why third-party security assessments matter. The leaked data includes government IDs used for age verification, personal details, and messages exchanged with Discord’s support teams, but no passwords, full credit card numbers, or in-app chats were taken.

A group called Scattered Lapsus$ Hunters has claimed responsibility and is demanding millions in ransom for a private settlement. According to reports:

  1. Discord has firmly refused to pay the attackers.
  2. It has revoked the vendor’s access.
  3. It promptly informed law enforcement, as per its compliance strategy.
  4. It has directly notified the affected users.


Healthcare Organisations Disclose Data Breaches Impacting Over 200,000

Doctors Imaging Group, a Gainesville, Florida-based, physician-owned radiology practice, has reported a data breach to the HHS Office for Civil Rights after the majority of its patients were affected. According to the filing, 171,862 current and former patients were impacted. Suspicious activity was detected within its computer network between November 5, 2024, and November 11, 2024, according to the forensic report. The digital forensic investigation confirmed that during the intrusion, files containing patients’ sensitive personal information were copied, and the integrity of those files was compromised.

The same report also highlighted breaches involving Rectangle Health in New York and Care N’ Care in Texas. Rectangle Health, a Valhalla-based software company, experienced unauthorised access to its Salesforce platform on August 14, 2025. The attack reportedly impacted 2,095 individuals, including 11 Maine residents, with stolen data including names, dates of birth, and Social Security numbers, all critical PII. Separately, Care N’ Care, a Medicare Advantage health plan provider in North Texas, notified the Texas Attorney General of a hacking incident affecting 32,452 Texas residents, with exposed data including names, addresses, dates of birth, Social Security numbers, medical information, and health insurance details.
