What happened with the Shuffle.com data breach?

On October 10, Shuffle.com, a cryptocurrency betting platform, reported a data breach involving its third-party customer relationship management provider, Fast Track. The security breach exposed sensitive information belonging to the majority of Shuffle's user base.

Fast Track is a customer relationship management software used by Shuffle and numerous other companies in the online gaming industry. It provides real-time engagement platforms, player data management, automation, and bonus management services designed for online casino operators.

What types of information were exposed in the breach?

The compromised data includes full names, email addresses, physical home addresses, phone numbers, transaction and betting history, customer support message logs, limited payment information (including payment type and the last four digits of payment cards), and Know Your Customer (KYC) identity verification documents such as driver's licenses and passports uploaded for age verification purposes.

Were account passwords, login credentials, or player funds compromised?

No, Shuffle claims that account passwords, login credentials, and player funds were not compromised in this breach.

How many users were affected by the breach?

The number of affected individuals has not been disclosed, but Shuffle reports that the majority of its user base was impacted.

How will affected users be notified?

Shuffle sent official breach notification emails from team@shuffle.com to affected users.

What should Shuffle users do to protect themselves?

Shuffle warns users to be careful of phishing attempts and to ensure that two-factor authentication is enabled on their accounts. Users should remember that the platform will not ask for passwords or payments through email.

What is Shuffle doing in response to the breach?

Shuffle announced it is planning to discontinue its partnership with Fast Track and is exploring alternative solutions to enhance security and reduce risks associated with third-party services in the future.

Advisory

Critical vulnerabilities reported in WP Travel Engine WordPress plugin

published: Oct. 10, 2025

Take action: If you're using the WP Travel Engine plugin for WordPress, immediately update to version 6.6.8 or newer. The two flaws will be exploited very quickly, and you can't hide your WordPress from the Internet. Update the plugin, it's not that hard.

Learn More

Two critical security vulnerabilities are reported in WP Travel Engine plugin for WordPress, a travel booking plugin. Both vulnerabilities allow attackers to gain virtually complete control of affected websites.

The WP Travel Engine plugin is widely used by travel agencies and tour operators to enable website visitors to plan itineraries, browse various travel packages, and book vacation services directly through WordPress-powered websites.

Vulnerabilities summary

CVE-2025-7634 (CVSS score 9.8) Unauthenticated Local File Inclusion vulnerability. It's caused by improper control of the mode parameter within the plugin's code, which fails to adequately validate file path inputs. Unauthenticated attackers can exploit this vulnerability to include and execute arbitrary PHP files on the server, enabling them to run malicious code, bypass access controls, and obtain sensitive data.
CVE-2025-7526 (CVSS score 9.8): Authenticated (Subscriber+) Arbitrary File Deletion via File Renaming vulnerability. It's caused by insufficient file path validation in the set_user_profile_image function that allows attackers to rename or delete arbitrary files anywhere on the server. By targeting critical system files such as wp-config.php, attackers can disable the website's configuration entirely, creating path for remote code execution.

Affected Versions are WP Travel Engine – Tour Booking Plugin – Tour Operator Software versions up to and including 6.6.7

The vulnerabilities have been addressed in WP Travel Engine version 6.6.8 and all subsequent versions.

Recommendations:

Site administrators and organizations using the WP Travel Engine plugin must update to version 6.6.8 or newer immediately. Given that both vulnerabilities can be exploited without authentication, prompt updating is essential to prevent unauthorized access and potential complete compromise of affected websites. The lack of authentication requirements makes these vulnerabilities particularly dangerous, as attackers can exploit them directly without needing to obtain user credentials or elevated privileges. Website owners should prioritize this update to protect sensitive customer data, booking information, and prevent potential service disruption to their travel booking operations.

Critical vulnerabilities reported in WP Travel Engine WordPress plugin

Read More
Simple Membership WordPress Plugin vulnerable to account creation, …
LayerSlider WordPress Plugin patches a critical flaw
Craft CMS zero-Day vulnerabilities actively exploited
Critical vulnerability reported in Yii 2 PHP framework
Critical vulnerability reported in RomethemeKit For Elementor WordPress …