Tech

A microscope reveals the ghost of analog video hidden inside a LaserDisc

Jueden’s experiment began by accident. While using a low-cost digital microscope to inspect electronics, he turned it toward a LaserDisc out of curiosity. Under magnification, faint but recognizable images began to emerge – proof that LaserDisc’s analog encoding could still be decoded visually without a player, just by analyzing the…

What to Do in Dumbo If You’re Here for Business (2026)

New York City has always been a place that people flock to—to live, to work, to visit, or to play. It’s big and exciting, and there’s almost always something happening: a new play, a new exhibit, or a new restaurant opening.

According to a 2024 report by venture capital firm SignalFire, NYC experienced a tech boom in 2023, becoming the top destination for people relocating with tech jobs, with around 15 percent of them choosing the Big Apple as their destination.

This isn’t the first time the city has seen an influx of technology workers; the 1990s tech boom saw Manhattan’s Flatiron District take off as a hub for high-tech companies, even going so far as to be nicknamed “Silicon Alley.”

That area has since spread, moving its way downtown to Soho, west to Hudson Yards, and more recently over the bridge(s) and into Brooklyn—specifically Dumbo, the Brooklyn Navy Yard, and Downtown Brooklyn, forming the Brooklyn Tech Triangle.

Dumbo, which stands for “Down under the Manhattan Bridge overpass,” is situated between the Brooklyn and Manhattan Bridges on the East River waterfront. The popular neighborhood has great views of Manhattan and the bridges, and an ever-expanding food and drink scene to keep you fed while working and making time to play.

Where to Stay

Courtesy of 1 Hotel Brooklyn Bridge

60 Furman St., (347) 696-2500

If you’re going to stay in Dumbo, you’re going to want views of the Manhattan skyline, the East River, and the iconic bridges that extend between the two, and 1 Hotel Brooklyn Bridge offers that and more. Yes, there is a gym and spa, but there’s also a rooftop pool, which comes in quite handy on those stupidly hot summer days. James Beard Award–winning restaurateur Jonathan Waxman recently brought his iconic West Village restaurant, Barbuto, to the hotel. On the 10th floor, find Harriet’s Lounge for sushi, bao buns, and wagyu toasts. From 10 pm on Fridays, Saturdays, and Sundays, listen to live DJs spinning sets while you enjoy craft cocktails and the view.

Don’t forget to end the day with a sustainable drink (or two) at Harriet’s Rooftop, just one floor up from the lounge, for more iconic sunset views. The hotel is pet-friendly, and there’s a café serving espresso, fresh-pressed juices, and artisanal and locally sourced snacks. There’s also a farm stand in the lobby daily from 7 am to 4 pm; grab seasonal fruits that, while they may look “ugly,” are perfect in taste, and all part of the hotel’s sustainability mission.

85 Flatbush Ave Ext., (718) 329-9537

About a 10-minute walk to the bridges and Brooklyn waterfront, The Tillary is a slightly more affordable stay for the area, but still boasts a lobby cafe and rooftop garden bar. Featuring pet-friendly rooms and a fully-equipped gym, this hotel is a great option for still being close to the action, but saving a bit more money. The lobby café offers an affordable range of options (think $4 for an English muffin with egg and cheese and up to $14 for a vegetarian wrap), while the rooftop has a variety of sandwiches, salads, and beverages (both n/a and boozy) to keep you from needing to stray too far.

Courtesy of Ace Brooklyn

252 Schermerhorn St., (718) 313-3636

Technically in Boerum Hill, bordering Downtown Brooklyn, the Ace Hotel is a boutique hotel with trendy furnishings and warm vibes, plus a fitness center. They feature a rotating artist in residence and DJs spinning in the lobby most weekend nights. For food, there’s Lele’s Roman, featuring a rotating selection of Roman Aperitivo bites daily from 5 to 7 pm, or hit them up for breakfast (lots of egg options!), lunch (panini, pizza, salad!), and dinner (pasta! pizza! classic contorni!). Don’t feel like Italian? Try Koju for an omakase experience set to a carefully curated vinyl music program.

Where to Work

Photograph: Michael Lee/Getty Images

68 Jay St., (718) 210-3650

Whether you’re looking for fully enclosed office spaces monthly or long-term, a coworking space, or a conference room, Greendesk has got you covered for a very reasonable price. The space is fully furnished with 24/7 access, high-speed internet, kitchens, and a cleaning service.

Multiple locations

From the SOHO House team, SOHO Works is a network of office spaces; rent a meeting room or use the shared lounge space, plus get access to SOHO member events and amenities. Work at either location—10 Jay Street or 55 Water Street—by the hour or rent by the day.

295 Front St., (347) 414-8782

Located in Vinegar Hill, the Bond Collective has numerous options for you to work, whether you need a dedicated desk, private office, team suite, conference rooms, coworking, or simply a day pass. You’ll have 24/7 access, Wi-Fi, fruits, snacks, and breakfast, plus unlimited printing.

Where to Get Your Coffee

Courtesy of Jacques Torres Chocolate

66 Water St., (718) 875-1269

Located on Water Street and open daily from 10 am to 7 pm, this flagship location of the famous chocolatier is where it all began 25 years ago. Here, you’ll find handmade confections, hot chocolate, and ice cream sandwiches. Sample it all, then grab a few things to take with you to share with friends (or not—sharing is overrated).

85 Water St., (718) 797-5026

Almondine has been in Dumbo for over 20 years. Opened by French baker Herve Poussot, this unpretentious bakery thrives on tradition, innovation, and evolution. You’ll feel as though you’ve been transported right to Paris with the fresh bread, croissants, and cakes. They even have a daily lunch special from 12 to 3 pm; choose from a half sandwich, then pair it with a soup, salad, cookie, and half-priced drink for only $18.

45 Washington St., (212) 924-7400

Grab a coffee here before strolling down Washington Street (it’s literally located at one of the most iconic spots that people snap photos of the bridge, so beware of influencers posing in the middle of the street) to the waterfront for a nice break and some fresh air.

Where to Eat

Courtesy of Vinegar Hill House

72 Hudson Ave., (718) 522-1018

This is the place you go when you want a relaxed environment with incredible food in cute surroundings. Dining in the outdoor garden is cozy and comforting, while the inside is vintage-inspired and laid back. The menu, while also simple and comforting, is consistent and hits every time.

68 Jay St. #119

Open Tuesday to Friday from 10 am to 2-ish, this unassuming French-style bakery from Ayako Kurokawa is tucked away in the lobby of 68 Jay Street. The pastries, though French in style, are inspired by Kurokawa’s Japanese upbringing. Scones, cookies, cakes, and slices of pie are all served on silver platters, with handwritten labels on blue paper. The gateau basque is a popular item; go early, as they sell out daily.

1 John St., (718) 522-5356

Opened in 2017, Celestine is the kind of spot that feels chill enough to be your neighborhood go-to, while also special enough to go for a celebration. The menu includes thoughtful vegetable-heavy starters and sides, as well as whole branzino and a 14-ounce ribeye. With floor-to-ceiling windows, there’s not a bad seat in the house to enjoy your meal with a view of the East River and all its happenings.

147 Front St.

This intimate, 10-seat chef’s counter offers a tasting menu and à la carte menu, featuring oysters, crudo, and natural wines by the glass. Try the caviar Frito pie: an open bag of Fritos topped with entirely too much caviar and creme fraiche.

1 Front St., (718) 858-4300

Originally opened in 1990 by Patsy Grimaldi and his wife, Carol, Grimaldi sold the business in 1998 to Frank Ciolli. Grimaldi is of the Patsy’s of Harlem lineage (Patsy is his uncle, from whom he learned to make pizza at age 12). In 2000, Grimaldi’s moved locations next door to their original spot where they continue to sell whole pies in a coal-fired oven.

19 Old Fulton St., (718) 596-6700

If you like a side of gossip with your slice, then Juliana’s is the place to go. Patsy and Carol Grimaldi opened Juliana’s in the original Grimaldi’s location at 19 Old Fulton Street in 2012, which caused a stir in the pizza community, since it’s located next door to Grimaldi’s, their previous business. They even got their original coal-fired oven back. Named after Patsy’s mother, Juliana’s serves coal-fired pizza, meatballs, and salads. They also sell four flavors of par-cooked pies to “take & bake” at home. Try an egg cream—a New York City classic of milk, chocolate or vanilla syrup, and seltzer made frothy by whisking the three ingredients vigorously until foamy. Grub Street called it the best in the city in 2017.

3 huge new Disney+ shows to stream in March 2026

Disney+ has three new TV shows that really caught my eye in March, and I’m confident there’s something to suit everyone here.

Better yet, a Hulu original has made its way onto this list, so you don’t have to flip through the best streaming services to find some great entertainment. Everything I’ve highlighted here is waiting for you on Disney+, whether you’re down for a gritty Marvel comeback or a Disney Channel classic.

Researchers Discover 14,000 Routers Wrangled Into Never-Before-Seen Botnet

An anonymous reader quotes a report from Ars Technica: Researchers say they have uncovered a takedown-resistant botnet of 14,000 routers and other network devices — primarily made by Asus — that have been conscripted into a proxy network that anonymously carries traffic used for cybercrime. The malware — dubbed KadNap — takes hold by exploiting vulnerabilities that have gone unpatched by their owners, Chris Formosa, a researcher at security firm Lumen’s Black Lotus Labs, told Ars. The high concentration of Asus routers is likely due to botnet operators acquiring a reliable exploit for vulnerabilities affecting those models. He said it’s unlikely that the attackers are using any zero-days in the operation.

The number of infected routers averages about 14,000 per day, up from 10,000 last August, when Black Lotus discovered the botnet. Compromised devices are overwhelmingly located in the US, with smaller populations in Taiwan, Hong Kong, and Russia. One of the most salient features of KadNap is a sophisticated peer-to-peer design based on Kademlia (PDF), a network structure that uses distributed hash tables to conceal the IP addresses of command-and-control servers. The design makes the botnet resistant to detection and takedowns through traditional methods.

[…] Despite the resistance to normal takedown methods, Black Lotus says it has devised a means to block all network traffic to or from the control infrastructure. The lab is also distributing the indicators of compromise to public feeds to help other parties block access. […] People who are concerned their devices are infected can check this page for IP addresses and a file hash found in device logs. To disinfect devices, they must be factory reset. Because KadNap stores a shell script that runs when an infected router reboots, simply restarting the device will result in it being compromised all over again. Device owners should also ensure all available firmware updates have been installed, that administrative passwords are strong, and that remote access has been disabled unless needed.

CISA orders feds to patch n8n RCE flaw exploited in attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies on Wednesday to patch their systems against an actively exploited n8n vulnerability.

n8n is an open-source workflow automation platform widely used in AI development for automating data ingestion, with over 50,000 weekly downloads on the npm registry and over 100 million pulls on Docker Hub.

As an automation hub, n8n often stores a wide range of highly sensitive data, including API keys, database credentials, OAuth tokens, cloud storage access credentials, and CI/CD secrets, making it an extremely attractive target for threat actors.

Tracked as CVE-2025-68613, this remote code execution vulnerability allows authenticated attackers to execute arbitrary code on vulnerable servers with the privileges of the n8n process.

“n8n contains an improper control of dynamically managed code resources vulnerability in its workflow expression evaluation system that allows for remote code execution,” CISA said.

“Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations,” the n8n team added.

The n8n team addressed CVE-2025-68613 in December with the release of n8n v1.122.0 and also advised IT administrators to apply the patch immediately. Admins who can’t immediately upgrade can limit workflow creation and editing permissions to fully trusted users only, and restrict operating system privileges and network access as temporary mitigation measures to reduce the impact of potential exploitation.

Internet security watchdog group Shadowserver tracks over 40,000 unpatched instances exposed online, with more than 18,000 IPs found in North America and over 14,000 in Europe.

Vulnerable n8n instances exposed online (Shadowserver)

CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their n8n instances by March 25, as mandated by a binding operational directive (BOD 22-01) issued in November 2021.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned.

“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”

Although BOD 22-01 applies only to federal agencies, CISA has encouraged all network defenders to secure their systems against ongoing CVE-2025-68613 attacks as soon as possible.

Since the start of the year, the n8n security team has addressed several other severe vulnerabilities, including one dubbed Ni8mare that allows remote attackers without privileges to hijack unpatched n8n servers.

Social Media and AI Want Your Attention at All Times. This New Documentary Says That’s Bad

“Do you remember the world before cellphones?”

The question comes early in Your Attention Please, a documentary premiering this week at South by Southwest in Austin, Texas. And it hit me harder than I expected. As a 27-year-old tech reporter, I realized I don’t have too many clear memories of life before smartphones. My adolescence unfolded alongside the rise of smartphones, social media, push notifications and the routine of endless scrolling. Like many people my age, I’ve spent most of my life inside the attention economy — without ever really stepping outside it.

That’s the uneasy territory the documentary explores. 

CNET was given exclusive early access to the film’s trailer, embedded below.

Exploring how tech shapes our behavior

Director Sara Robin said she originally set out to make something smaller: a documentary about people trying to reclaim their attention by breaking unhealthy phone habits. In an interview with CNET, Robin described the idea as a personal story about focus and self-control in an age of constant distraction.

As Robin interviewed researchers, technologists and families affected by social media and cyberbullying, the film’s scope widened. What started as a question about individual habits quickly became a larger investigation into how modern technology systems are designed to shape human behavior. The story stretches from the rise of social media to the emerging influence of AI. 

Along the way, Robin and her collaborators kept hearing the same observation from different corners of the digital world: Social media didn’t just change how people communicate; it quietly rewired what we value. Experiences that were once private or emotional — friendship, affection, belonging — began to acquire numerical equivalents. Followers, likes, comments, views and shares began to be how we saw our own self-worth. In the architecture of social platforms, those numbers function as a kind of social currency.

Trisha Prabhu, a digital-safety advocate and inventor of the anti-cyberbullying technology ReThink, argues that social platforms did more than create new online spaces. She says they fundamentally reshaped how social validation works. The metrics that define popularity often reward attention-seeking behavior and amplify conflict, while genuine connection is now harder to quantify and, therefore, easier to overlook.

Prabhu warns that the same dynamics already driving problems like cyberbullying could accelerate as automated systems become more capable. AI tools can generate abusive messages at scale, produce convincing impersonations or create deepfakes that spread rapidly online. In some cases, the technology may even blur the line between human interaction and machine-generated communication, which could deepen loneliness or encourage harmful behavior.

“There’s AI exacerbating existing harms [like automating cyberbullying], but then I also think that there’s AI creating completely new harms,” Prabhu told CNET. “There are reports of AI tools encouraging users, including minor users, to commit self-harm… Even for the everyday user who’s not experiencing the extreme outcome, I think we have to ask ourselves how much of our time and connection we want spent with an AI tool as opposed to a fellow human being.”

Bringing attention to attention

What struck Robin during filming the documentary was how universal these anxieties felt. Across conversations with families, educators and advocates around the world, the themes were remarkably consistent: overstimulated attention, declining focus in classrooms, rising anxiety among young people and a persistent sense of dread that comes from always being plugged in.

Those shared concerns have helped spark a coordinated moment around the film’s release.

On March 11, more than 25 organizations focused on digital well-being will simultaneously release the trailer for Your Attention Please as part of an initiative called Stand for Their Attention. What began as a small collaboration among five groups quickly grew as word spread through advocacy networks. The coalition now includes organizations such as Common Sense Media, Protect Young Eyes, Mothers Against Media Addiction, the Center for Humane Technology, Smartphone Free Childhood and Scrolling to Death. 

The idea behind the synchronized launch is simple: Use the attention surrounding the documentary to highlight the growing movement that’s already working to reshape digital culture. 

Many people feel overwhelmed by the scale of the problem, Robin says, but behind the scenes, a widening ecosystem of advocates is experimenting with ways to build healthier digital environments, from redesigning products to changing norms around screen use.

The campaign also arrives at a moment of growing scrutiny around the attention economy. Lawmakers in the US and abroad are increasingly debating how social platforms affect youth mental health and childhood development. Boycotts around AI use are taking off. Researchers are studying how these algorithms and chatbots influence behavior. Individuals are trying to figure out how much technology belongs in everyday life.

What can we do about it? 

Despite the weight of those conversations, Robin says the goal of the film isn’t to leave audiences feeling powerless. In fact, the rapid rise of public awareness around AI has made her more optimistic than she was during the early days of social media. The systems shaping digital life, she argues, are built by people, which means they can also be rebuilt.

“We have more power than we think,” Robin said. “And there are a lot of different ways to get involved in this, from changing individual habits to changing the culture in your own family and in your community, designing technology differently, getting engaged in these conversations, all the way to pushing for legislative change.”

The film intentionally avoids presenting a single solution.

Instead, Your Attention Please asks a broader question: What happens when attention, one of the most human parts of our lives, becomes one of the most valuable commodities in the global economy? And perhaps more importantly, what kind of digital world do we want to build next?

The best Samsung Galaxy S26 and S26 Plus plans in Australia for March 2026

Samsung officially unveiled the much anticipated Galaxy S26 and S26 Plus on February 26, 2026 with some fresh upgrades over the Galaxy S25 and S25 Plus.

The larger-screened Galaxy S26 Plus, meanwhile, retains the 6.7-inch display and 4,900mAh battery from its predecessor, and gets Samsung’s new Exynos 2600 chipset, with the Snapdragon 8 Elite Gen 5 chip reserved for the top-tier S26 Ultra. While the battery capacity is the same, the S26 Plus can be charged wirelessly at 20W, compared to the S25 Plus’ slower 15W wireless charging.

These are flagship phones, so the base model Galaxy S26 and S26 Plus won’t fit in our best cheap phones list. It also doesn’t help that both handsets are more expensive than the S25 lineup, with the base model S26 starting from AU$1,549 (up from the S25’s AU$1,399) and the S26 Plus from AU$1,849 (vs the S25 Plus’s starting price of AU$1,699). This would make paying in monthly instalments an attractive option for some.

While the retailers have finished their pre-order specials, Australia’s big three telcos still have some active deals of up to AU$500 off the handset price for the Samsung Galaxy S26 and S26 Plus (as well as the Galaxy S26 Ultra), with some also coinciding with existing promotions.

With so many options available to score a brand new upgrade, finding the best plan for these new handsets may not be the most straightforward process, so we’ve done the hard work for you. Take a look at our picks for the best phone plans for the Samsung Galaxy S26 and S26 Plus below:

  • Samsung: pay in instalments of up to 24 months through Samsung financing; also save up to AU$865 when you trade in your old device
  • JB Hi-Fi: trade in your old tech for a JB Hi-Fi gift card to be used on a Galaxy S26 series handset
  • The Good Guys: Galaxy S26 and S26 Plus available in 256GB and 512GB
  • Amazon: Same day delivery with the world’s biggest retailer

Privacy Display and the gimbal-like horizontal lock video mode are exclusive to the Galaxy S26 Ultra, so if you’re specifically looking for those features, you can check out the best Galaxy S26 Ultra plans.

HMD Partners With Flipkart to Launch 2026 Smartphone Lineup in India Soon

Thanks to all our beloved AI companions, RAM prices have more than doubled in the last 6 months. As you may have guessed, the smartphone industry has been having some tough times with budget devices. To help solve this problem, HMD (remember the people who resurrected Nokia?) has announced a strategic partnership with Flipkart to bring its upcoming 2026 smartphone lineup to Indian consumers.

HMD Expanding Its Presence in India

Different HMD phones launched at MWC 2026

HMD’s upcoming smartphone lineup will target multiple price segments between ₹10,000 and ₹20,000, catering to users looking for reliable devices with modern features at affordable prices. The first smartphone under the partnership is expected to launch in the coming months, followed by a phased rollout of several additional devices over the next two to four months. Specifics about the phones are not yet known, but we are due to get our hands on them. So, stay tuned.

The partnership will kick off with HMD’s first smartphone launch of 2026 in India, which will debut on Flipkart before reaching other online and retail channels. The goal is to leverage Flipkart’s extensive reach, logistics network, and consumer insights to make its smartphones more accessible nationwide.

Ravi Kunwar, CEO and VP of HMD India and APAC, said, “We are excited to collaborate with Flipkart as one of our key e-commerce partners as we gear up to launch the first HMD smartphone of 2026 in India. Flipkart’s extensive reach and strong consumer connect will play an important role in bringing our latest innovation to customers across the country.”

Commenting on the same, Ajay Veer Yadav, Senior Vice President at Flipkart, said, “Our strategic collaboration with HMD brings their upcoming smartphone portfolio to millions of consumers across the country. With our expansive distribution network and flexible affordability offerings, we are well-positioned to make cutting-edge devices more accessible and inclusive.”

Mentorship, promotions and partnership crucial to ROI, finds report

New Research from WiCyS and FourOne Insights explores how skills-based cyber practices can positively impact employees and their organisations.

Women in CyberSecurity (WiCyS), the nonprofit organisation dedicated to the recruitment, retention and advancement of women in cybersecurity and FourOne Insights, a research and advisory firm, have released a new report. 

The ‘ROI of Resilience: How Cybersecurity Talent Management Best Practices Improve the Bottom Line’ study explores the financial impact of skills-based talent strategies in cybersecurity. To gather information WiCyS and FourOne Insights leveraged data from an original survey, job posting data from labour market analytics provider Lightcast, and professional social profile data, also from Lightcast.

What was discovered is that skills-based, talent-friendly practices often generate the highest returns for an organisation and its workforce. Data from the report indicated that mentorship opportunities and skills-based development increased retention by up to 18pc, with skills-based promotions improving the representation of women in cyber leadership by upwards of 10pc and in some cases, as much as 20pc. 

The report said: “These practices benefit the entire workforce and are especially valuable for women. Panels for promotion decisions, internal skills profiles and formal mentorship programmes all correlate with significantly higher representation of women in cybersecurity management roles.

“Organisations using these practices see 10pc to 20pc higher representation of women in cybersecurity leadership than firms that do not. Skills-based promotion criteria and linking incentives to demonstrated skill growth further strengthen both equity and financial performance.”

Addressing challenges

The research indicates that an awareness of skills-based and talent-conscious practices can be mutually beneficial for those operating within an organisation. In fact, they have the potential to deliver more than $125,000 in savings per employee, according to the report. But despite the merits of this system, the data also indicated that the adoption of these practices is uneven. 

The report said: “Despite the mutual benefit to employers and employees, many high-impact practices are among the least utilised. None of the highest-value practices are leveraged by more than 55pc of firms. 

“When companies do implement these practices, they often base them on unreliable, subjective data. This threatens worse talent outcomes for organisations, while limiting career development opportunities for individuals.”

But, third-party partnerships could potentially expand capacity and ease the adoption of talent and skills-focused practices. Almost 80pc of contributing respondents explained that they find access to supportive, career-based organisations such as WiCyS to be valuable, with many of the opinion that they create stronger professional networks than those created by an employer. 

According to the report, the firms that offer this kind of access tend to fill roles 16pc faster, retain workers longer and avoid significant productivity losses, when compared to those who don’t. “These partnerships provide capabilities such as peer learning, industry context, and trusted communities that are difficult for employers to build internally.”

Future ready

WiCyS’ and FourOne Insights’ research suggests that the companies attracting the strongest talent and meeting business objectives have a common approach, in that they ground their strategies in skills data, leadership actions and clear employee development opportunities.

“High-ROI practices, such as transparent promotion processes, executive sponsorship, access to upskilling and mentorship and engagement with trusted third-party partners, can consistently reduce hiring friction and support retention,” said the report. “Over time, they open advancement pathways that have historically been narrow, especially for women.”

The framework to ensure effective practices should include the assessment of workforce pain points, the planning of targeted interventions, execution with stakeholder buy-in and continuously evaluating outcomes. This, the report states, will create a “durable, self-correcting system that strengthens workforce resilience and ensures that opportunities are genuinely accessible to all talent, not simply expanded in name only”.

As for further research, the report suggests that those collecting data should explore how these practices influence broader indicators of organisational performance, including profitability and long-term resilience. 

“What remains clear is that in a tightening labour market, workforce resilience is a strategic imperative. Skills-based, talent-friendly practices, reinforced by strong third-party partnerships, offer a path to building that resilience at scale.”

SQLi flaw in Elementor Ally plugin impacts 250k+ WordPress sites

An SQL injection vulnerability in Ally, a WordPress plugin from Elementor for web accessibility and usability with more than 400,000 installations, could be exploited to steal sensitive data without authentication.

The security issue, tracked as CVE-2026-2313, received a high severity score. It was discovered by Drew Webber (mcdruid), an offensive security engineer at Acquia, a software-as-a-service company that provides an enterprise-level Digital Experience Platform (DXP).

SQL injection flaws have been around for more than 25 years and continue to be a threat today, despite being well understood and technically easy to fix and avoid. This type of security issue occurs when user input is directly inserted into an SQL database query without proper sanitization or parameterization.

This allows an attacker to inject SQL commands that alter the query’s behavior to read, modify, or delete information in the database.

CVE-2026-2313 affects all Ally versions up to 4.0.3 and lets an unauthenticated attacker inject SQL queries via the URL path due to improper handling of a user-supplied URL parameter in a critical function.

“This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context,” reads a technical analysis from Wordfence.

“While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected.

“This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques,” the researchers explain.
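The gap Wordfence describes, URL-level cleaning applied to a value that then lands in SQL text, can be reproduced in a small model. The following is an added example and not the plugin's code: it uses Python's `sqlite3` instead of WordPress, and the table names, the `url_safe()` stand-in and both lookup functions are assumptions made for illustration.

```python
import re
import sqlite3

def url_safe(url):
    """Simplified stand-in for URL-level cleaning (assumption, not WordPress code):
    encodes spaces and drops characters that are not legal in a URL.
    Single quotes and parentheses are legal URL characters, so they survive."""
    url = url.strip().replace(" ", "%20")
    return re.sub(r"[^A-Za-z0-9\-~+_.?#=!&;,/:%@$|*'()\[\]]", "", url)

def make_db():
    """Constructed sample data: two pages, each with its own remediation rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE remediations (id INTEGER PRIMARY KEY, page_id INTEGER, rule TEXT);
        INSERT INTO pages VALUES (1, '/about'), (2, '/staff/o''brien');
        INSERT INTO remediations VALUES
            (1, 1, 'alt-text'), (2, 1, 'contrast'), (3, 2, 'aria-label');
    """)
    return db

JOIN_SQL = ("SELECT DISTINCT r.rule FROM remediations r "
            "JOIN pages p ON p.id = r.page_id AND p.url = ")

def rules_concat(db, url):
    """Weak pattern: the URL-cleaned value is pasted into the JOIN clause as text."""
    sql = JOIN_SQL + "'" + url_safe(url) + "' ORDER BY r.rule"
    return [row[0] for row in db.execute(sql)]

def rules_bound(db, url):
    """Corrected pattern: the value travels as a bound parameter, never as SQL text."""
    sql = JOIN_SQL + "? ORDER BY r.rule"
    return [row[0] for row in db.execute(sql, (url_safe(url),))]

# Constructed input: a path whose quotes pass URL cleaning untouched.
QUOTED_INPUT = "/about'OR'x'='x"

if __name__ == "__main__":
    db = make_db()
    print(rules_concat(db, QUOTED_INPUT))  # JOIN condition rewritten: every page's rules
    print(rules_bound(db, QUOTED_INPUT))   # treated as one literal URL: no match
```

In the concatenated form a legitimate path such as `/staff/o'brien` also fails with a syntax error, which is a useful signal when auditing logs. In WordPress code the bound form corresponds to `$wpdb->prepare()` with a `%s` placeholder.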

Wordfence notes that exploiting the vulnerability is possible only if the plugin is connected to an Elementor account and its Remediation module is active.

The security firm validated the flaw and disclosed it to the vendor on February 13. Elementor fixed the flaw in version 4.1.0 (latest), released on February 23, and an $800 bug bounty was awarded to the researcher.

Data from WordPress.org shows that only about 36% of websites using the Ally plugin have upgraded to version 4.1.0, leaving more than 250,000 sites vulnerable to CVE-2026-2313.

In addition to upgrading Ally to version 4.1.0, site owners and administrators are also advised to install the latest security update for WordPress, released yesterday.

WordPress 6.9.2 addresses 10 vulnerabilities, including cross-site scripting (XSS), authorization bypass, and server-side request forgery (SSRF) flaws. Installing the new version of the platform “immediately” is recommended.

14,000 routers are infected by malware that’s highly resistant to takedowns

Researchers say they have uncovered a takedown-resistant botnet of 14,000 routers and other network devices—primarily made by Asus—that have been conscripted into a proxy network that anonymously carries traffic used for cybercrime.

The malware—dubbed KadNap—takes hold by exploiting vulnerabilities that have gone unpatched by their owners, Chris Formosa, a researcher at security firm Lumen’s Black Lotus Labs, told Ars. The high concentration of Asus routers is likely due to botnet operators acquiring a reliable exploit for vulnerabilities affecting those models. He said it’s unlikely that the attackers are using any zero-days in the operation.

A botnet that stands out among others

The number of infected routers averages about 14,000 per day, up from 10,000 last August, when Black Lotus discovered the botnet. Compromised devices are overwhelmingly located in the US, with smaller populations in Taiwan, Hong Kong, and Russia. One of the most salient features of KadNap is a sophisticated peer-to-peer design based on Kademlia, a network structure that uses distributed hash tables to conceal the IP addresses of command-and-control servers. The design makes the botnet resistant to detection and takedowns through traditional methods.

“The KadNap botnet stands out among others that support anonymous proxies in its use of a peer-to-peer network for decentralized control,” Formosa and fellow Black Lotus researcher Steve Rudd wrote Wednesday. “Their intention is clear: avoid detection and make it difficult for defenders to protect against.”

Distributed hash tables have long been used to create hardened peer-to-peer networks, most notably BitTorrent and the Inter-Planetary File System. Rather than having one or more centralized servers that directly control nodes and provide them with the IP addresses of other nodes, DHTs allow any node to poll other nodes for the device or server it’s looking for. The decentralized structure and the substitution of IP addresses with hashes give the network resilience against takedowns or denial of service attacks.
