Aug 1 2025
Google Confirms It Uses Something Similar To MUVERA via @sejournal, @martinibuster

Google’s Gary Illyes answered questions during the recent Search Central Live Deep Dive in Asia about whether or not they use the new Multi‑Vector Retrieval via Fixed‑Dimensional Encodings (MUVERA) retrieval method and also if they’re using Graph Foundation Models.

MUVERA

Google recently announced MUVERA in a blog post and a research paper: a method that improves retrieval by turning complex multi-vector search into fast single-vector search. It compresses sets of token embeddings into fixed-dimensional vectors that closely approximate their original similarity. This lets it use optimized single-vector search methods to quickly find good candidates, then re-rank them using exact multi-vector similarity. Compared to older systems like PLAID, MUVERA is faster, retrieves fewer candidates, and still improves recall, making it a practical solution for large-scale retrieval.

The key points about MUVERA are:

  • MUVERA converts multi-vector sets into fixed vectors using Fixed Dimensional Encodings (FDEs), which are single-vector representations of multi-vector sets.
  • These FDEs (Fixed Dimensional Encodings) match the original multi-vector comparisons closely enough to support accurate retrieval.
  • MUVERA retrieval uses MIPS (Maximum Inner Product Search), an established search technique used in retrieval, making it easier to deploy at scale.
  • Reranking: After using fast single-vector search (MIPS) to quickly narrow down the most likely matches, MUVERA re-ranks them using Chamfer similarity, a more detailed multi-vector comparison method. This final step restores the full accuracy of multi-vector retrieval, so you get both speed and precision.
  • MUVERA is able to find more of the precisely relevant documents with a lower processing time than the state-of-the-art retrieval baseline (PLAID) it was compared to.

Google Confirms That They Use MUVERA

José Manuel Morgal (LinkedIn profile) related his question to Google’s Gary Illyes and his response was to jokingly ask what MUVERA was and then he confirmed that they use a version of it:

This is how the question and answer was described by José:

“An article has been published in Google Research about MUVERA and there is an associated paper. Is it currently in production in Search?

His response was to ask me what MUVERA was haha and then he commented that they use something similar to MUVERA but they don’t name it like that.”

Does Google Use Graph Foundation Models (GFMs)?

Google recently published a blog announcement about an AI breakthrough called a Graph Foundation Model.

Google’s Graph Foundation Model (GFM) is a type of AI that learns from relational databases by turning them into graphs, where rows become nodes and the connections between tables become edges.

Unlike older models (machine learning models and graph neural networks (GNNs)) that only work on one dataset, GFMs can handle new databases with different structures and features without retraining on the new data. GFMs use a large AI model to learn how data points relate across tables. This lets GFMs find patterns that regular models miss, and they perform much better in tasks like detecting spam in Google’s scaled systems. GFMs are a big step forward because they bring foundation-model flexibility to complex structured data.

Graph Foundation Models represent a notable achievement because their improvements are not incremental. They are an order-of-magnitude improvement, with performance gains of 3x to 40x in average precision.

José next asked Illyes if Google uses Graph Foundation Models and Gary again jokingly feigned not knowing what José was talking about.

He related the question and answer:

“An article has been published in Google Research about Graph Foundation Models for data, this time there are not paper associated with it. Is it currently in production in Search?

His answer was the same as before, asking me what Graph Foundation Models for data was, and he thought it was not in production. He did not know because there are not associated paper and on the other hand, he commented me that he did not control what is published in Google Research blog.”

Gary expressed his opinion that Graph Foundation Model was not currently used in Search. At this point, that’s the best information we have.

Is GFM Ready For Scaled Deployment?

The official Graph Foundation Model announcement says it was tested in an internal task, spam detection in ads, which strongly suggests that real internal systems and data were used, not just academic benchmarks or simulations.

Here is what Google’s announcement relates:

“Operating at Google scale means processing graphs of billions of nodes and edges where our JAX environment and scalable TPU infrastructure particularly shines. Such data volumes are amenable for training generalist models, so we probed our GFM on several internal classification tasks like spam detection in ads, which involves dozens of large and connected relational tables. Typical tabular baselines, albeit scalable, do not consider connections between rows of different tables, and therefore miss context that might be useful for accurate predictions. Our experiments vividly demonstrate that gap.”

Takeaways

Google’s Gary Illyes confirmed that a form of MUVERA is in use at Google. His answer about GFM seemed to be expressed as an opinion, so it’s somewhat less clear, as it’s related as Gary saying that he thinks it’s not in production.

Featured Image by Shutterstock/Krakenimages.com

Ecommerce MGMT 0 Comments
Aug 1 2025
Chrome Trial Aims To Fix Core Web Vitals For JavaScript-Heavy Sites via @sejournal, @MattGSouthern

Google Chrome is testing a new way to measure Core Web Vitals in Single Page Applications (SPAs), which is a long-standing blind spot in performance tracking that affects SEO audits and ranking signals.

Starting with Chrome 139, developers can opt into an origin trial for the Soft Navigations API. This enables measurement of metrics like LCP, CLS, and INP even when a page updates content without a full reload.

Why This Matters For SEO

SPAs are popular for speed and interactivity, but they’ve been notoriously difficult to monitor using tools like Lighthouse, field data in CrUX, or real user monitoring scripts.

That’s because SPAs often update the page using JavaScript without triggering a traditional navigation. As a result, Google’s measurement systems and most performance tools miss those updates when calculating Core Web Vitals.

This new API aims to close that gap, giving you a clearer picture of how your site performs in the real world, especially after a user clicks or navigates within an app-like interface.

What The New API Does

Chrome’s Soft Navigations API uses built-in heuristics to detect when a soft navigation happens. For example:

  • A user clicks a link
  • The page URL updates
  • The DOM visibly changes and triggers a paint

When these conditions are met, Chrome now treats it as a navigation event for performance measurement, even though no full page load occurred.

The API introduces new metrics and enhancements, including:

  • interaction-contentful-paint – lets you measure Largest Contentful Paint after a soft navigation
  • navigationId – added to performance entries so metrics can be tied to specific navigations (crucial when URLs change mid-interaction)
  • Extensions to layout shift, event timing, and INP to work across soft navigations

How To Try It

You can test this feature today in Chrome 139 using either:

  • Local testing: Enable chrome://flags/#soft-navigation-heuristics
  • Origin trial: Add a token to your site via meta tag or HTTP header to collect real user data

Chrome recommends enabling the “Advanced Paint Attribution” flag for the most complete data.

Things To Keep In Mind

Chrome’s Barry Pollard, who leads this initiative, emphasizes the API is still experimental:

“Wanna measure Core Web Vitals for for SPAs?

Well we’ve been working on the Soft Navigations API for that and we’re launching a new origin trial from Chrome 139.

Take it for a run on your app, and see if it correctly detects soft navigations on your application and let us know if it doesn’t!”

Here’s what else you should know:

  • Metrics may not be supported in older Chrome versions or other browsers
  • Your RUM provider may need to support navigationId and interaction-contentful-paintfor tracking
  • Some edge cases, like automatic redirects or replaceState() usage, may not register as navigations

Looking Ahead

This trial is a step toward making Core Web Vitals more accurate for modern JavaScript-heavy websites.

While the API isn’t yet integrated into Chrome’s public performance reports like CrUX, that could change if the trial proves successful.

If your site relies on React, Vue, Angular, or other SPA frameworks, now’s your chance to test how well Chrome’s new approach captures user experience.

Featured Image: Roman Samborskyi/Shutterstock

Ecommerce MGMT 0 Comments
Aug 1 2025
2025 Core Web Vitals Challenge: WordPress Versus Everyone via @sejournal, @martinibuster

The Core Web Vitals Technology Report shows the top-ranked content management systems by Core Web Vitals (CWV) for the month of June (July’s statistics aren’t out yet). The breakout star this year is an e-commerce platform, which is notable because shopping sites generally have poor performance due to the heavy JavaScript and image loads necessary to provide shopping features.

This comparison also looks at the Interaction to Next Paint (INP) scores because they don’t mirror the CWV scores. INP measures how quickly a website responds visually after a user interacts with it. The phrase “next paint” refers to the moment the browser visually updates the page in response to a user’s interaction.

A poor INP score can mean that users will be frustrated with the site because it’s perceived as unresponsive. A good INP score correlates with a better user experience because of how quickly the website performs.

Core Web Vitals Technology Report

The HTTP Archive Technology Report combines two public datasets:

  1. Chrome UX Report (CrUX)
  2. HTTP Archive

1. Chrome UX Report (CrUX)
CrUX obtains its data from Chrome users who opt into providing usage statistics reporting as they browse over 8 million websites. This data includes performance on Core Web Vitals metrics and is aggregated into monthly datasets.

2. HTTP Archive
HTTP Archive obtains its data from lab tests by tools like WebPageTest and Lighthouse that analyze how pages are built and whether they follow performance best practices. Together, these datasets show how websites perform and what technologies they use.

The CWV Technology Report combines data from HTTP Archive (which tracks websites through lab-based crawling and testing) and CrUX (which collects real-user performance data from Chrome users), and that’s where the Core Web Vitals performance data of content management systems comes from.

#1 Ranked Core Web Vitals (CWV) Performer

The top-performing content management system is Duda. A remarkable 83.63% of websites on the Duda platform received a good CWV score. Duda has consistently ranked #1, and this month continues that trend.

For Interaction to Next Paint scores, Duda ranks in the second position.

#2 Ranked CWV CMS: Shopify

The next position is occupied by Shopify. 75.22% of Shopify websites received a good CWV score.

This is extraordinary because shopping sites are typically burdened with excessive JavaScript to power features like product filters, sliders, image effects, and other tools that shoppers rely on to make their choices. Shopify, however, appears to have largely solved those issues and is outperforming other platforms, like Wix and WordPress.

In terms of INP, Shopify is ranked #3, at the upper end of the rankings.

#3 Ranked CMS For CWV: Wix

Wix comes in third place, just behind Shopify. 70.76% of Wix websites received a good CWV score. In terms of INP scores, 86.82% of Wix sites received a good INP score. That puts them in fourth place for INP.

#4 Ranked CMS: Squarespace

67.66% of Squarespace sites had a good CWV score, putting them in fourth place for CWV, just a few percentage points behind the No. 3 ranked Wix.

That said, Squarespace ranks No. 1 for INP, with a total of 95.85% of Squarespace sites achieving a good INP score. That’s a big deal because INP is a strong indicator of a good user experience.

#5 Ranked CMS: Drupal

59.07% of sites on the Drupal platform had a good CWV score. That’s more than half of sites, considerably lower than Duda’s 83.63% score but higher than WordPress’s score.

But when it comes to the INP score, Drupal ranks last, with only 85.5% of sites scoring a good INP score.

#6 Ranked CMS: WordPress

Only 43.44% of WordPress sites had a good CWV score. That’s over fifteen percentage points lower than fifth-ranked Drupal. So WordPress isn’t just last in terms of CWV performance; it’s last by a wide margin.

WordPress performance hasn’t been getting better this year either. It started 2025 at 42.58%, then went up a few points in April to 44.93%, then fell back to 43.44%, finishing June at less than one percentage point higher than where it started the year.

WordPress is in fifth place for INP scores, with 85.89% of WordPress sites achieving a good INP score, just 0.39 points above Drupal, which is in last place.

But that’s not the whole story about the WordPress INP scores. WordPress started the year with a score of 86.05% and ended June with a slightly lower score.

INP Rankings By CMS

Here are the rankings for INP, with the percentage of sites exhibiting a good INP score next to the CMS name:

  1. Squarespace 95.85%
  2. Duda 93.35%
  3. Shopify 89.07%
  4. Wix 86.82%
  5. WordPress 85.89%
  6. Drupal 85.5%

As you can see, positions 3–6 are all bunched together in the eighty percent range, with only a 3.57 percentage point difference between the last-placed Drupal and the third-ranked Shopify. So, clearly, all the content management systems deserve a trophy for INP scores. Those are decent scores, especially for Shopify, which earned a second-place ranking for CWV and third place for INP.

Takeaways

  • Duda Is #1
    Duda leads in Core Web Vitals (CWV) performance, with 83.63% of sites scoring well, maintaining its top position.
  • Shopify Is A Strong Performer
    Shopify ranks #2 for CWV, a surprising performance given the complexity of e-commerce platforms, and scores well for INP.
  • Squarespace #1 For User Experience
    Squarespace ranks #1 for INP, with 95.85% of its sites showing good responsiveness, indicating an excellent user experience.
  • WordPress Performance Scores Are Stagnant
    WordPress lags far behind, with only 43.44% of sites passing CWV and no signs of positive momentum.
  • Drupal Also Lags
    Drupal ranks last in INP and fifth in CWV, with over half its sites passing but still underperforming against most competitors.
  • INP Scores Are Generally High Across All CMSs
    Overall INP scores are close among the bottom four platforms, suggesting that INP scores are relatively high across all content management systems.

Find the Looker Studio rankings for here (must be logged into a Google account to view).

Featured Image by Shutterstock/Krakenimages.com

Ecommerce MGMT 0 Comments
Aug 1 2025
OpenAI Is Pulling Shared ChatGPT Chats From Google Search via @sejournal, @MattGSouthern

OpenAI has rolled back a feature that allowed ChatGPT conversations shared via link to appear in Google Search results.

The company confirms it has disabled the toggle that enabled shared chats to be “discoverable” by search engines and is working to remove existing indexed links.

Shared Chats Were “Short-Lived Experiment”

When users shared a ChatGPT conversation using the platform’s built-in “Share” button, they were given the option to make the chat visible in search engines.

That feature, introduced quietly earlier this year, caused concern after thousands of personal chats started showing up in search results.

Fast Company first reported the issue, finding over 4,500 shared ChatGPT links indexed by Google, some containing personally identifiable information such as names, resumes, emotional reflections, and confidential work content.

In a statement, OpenAI confirms:

“We just removed a feature from [ChatGPT] that allowed users to make their conversations discoverable by search engines, such as Google. This was a short-lived experiment to help people discover useful conversations. This feature required users to opt-in, first by picking a chat to share, then by clicking a checkbox for it to be shared with search engines (see below).

Ultimately we think this feature introduced too many opportunities for folks to accidentally share things they didn’t intend to, so we’re removing the option. We’re also working to remove indexed content from the relevant search engines. This change is rolling out to all users through tomorrow morning.

Security and privacy are paramount for us, and we’ll keep working to maximally reflect that in our products and features.”

How the Feature Worked

By default, shared ChatGPT links were accessible only to people with the URL. But users could choose to toggle on discoverability, allowing search engines like Google to index the conversation.

That setting has now been removed, and previously shared chats will no longer be indexed going forward. However, OpenAI cautions that already-indexed content may still appear in search results temporarily due to caching.

Importantly, deleting a conversation from your ChatGPT history does not delete the public share link or remove it from search engines.

Why It Matters

The discoverability toggle was intended to encourage people to reuse outputs generated in ChatGPT, but the company acknowledges it came with unintended privacy tradeoffs.

Even though OpenAI offered explicit controls over visibility, many people may not have understood the implications of enabling search indexing.

This is a reminder to be cautious about what kinds of information you enter into AI chatbots. Although a chat starts out private, features like sharing, logging, or model training can create paths for that content to be exposed publicly.

Looking Ahead

OpenAI says it’s working with Google and other search engines to remove indexed shared links and is reassessing how public sharing features are handled in ChatGPT.

If you’ve shared a ChatGPT conversation in the past, you can check your visibility settings and delete shared links through the ChatGPT Shared Links dashboard.

Featured Image: Mehaniq/Shutterstock

Ecommerce MGMT 0 Comments
Jul 31 2025
Google URL Removal Bug Enabled Attackers To Deindex URLs via @sejournal, @martinibuster

Google recently fixed a bug that enabled anyone to anonymously use an official Google tool to remove any URL from Google search and get away with it. The tool had the potential to be used to devastate competitor rankings by removing their URLs completely from Google’s index. The bug was known by Google since 2023 but until now Google hadn’t taken action to fix it.

Tool Exploited For Reputation Management

A report by the Freedom of the Press Foundation recounted the case of a tech CEO who had employed numerous tactics to “censor” negative reporting by a journalist, ranging from legal action to identify the reporter’s sources, an “intimidation campaign” via the San Francisco city attorney and a DMCA takedown request.

Through it all, the reporter and the Freedom of the Press Foundation prevailed in court, and the article at the center of the actions remained online until it began getting removed through abuse of Google’s Remove Outdated Content tool. Restoring the web page with Google Search Console was easy, but the abuse continued. This led to opening a discussion on the Google Search Console Help Community.

The person posted a description of what was happening and asked if there was a way to block abuse of the tool. The post alleged that the attacker was choosing a word that was no longer in the original article and using that as the basis for claiming an article is outdated and should be removed from Google’s search index.

This is what the report on Google’s Help Community explained:

“We have a dozen articles that got removed this way. We can measure it by searching Google for the article, using the headline in quotes and with the site name. It shows no results returned.

Then, we go to GSC and find it has been “APPROVED” under outdated content removal. We cancel that request. Moments later, the SAME search brings up an indexed article. This is the 5th time we’ve seen this happen.”

Four Hundred Articles Deindexed

What was happening was an aggressive attack against a website, and Google apparently was unable to do anything to stop the abuse, leaving the user in a very bad position.

In a follow-up post, they explained the devastating effect of the sustained negative SEO attack:

“Every week, dozens of pages are being deindexed and we have to check the GSC every day to see if anything else got removed, and then restore that.

We’ve had over 400 articles deindexed, and all of the articles were still live and on our sites. Someone went in and submitted them through the public removal tool, and they got deindexed.”

Google Promised To Look Into It

They asked if there was a way to block the attacks, and Google’s Danny Sullivan responded:

“Thank you — and again, the pages where you see the removal happening, there’s no blocking mechanism on them.”

Danny responded to a follow-up post, saying that they would look into it:

“The tool is designed to remove links that are no longer live or snippets that are no longer reflecting live content. We’ll look into this further.”

How Google’s Tool Was Exploited

The initial report said that the negative SEO attack was leveraging changed words within the content to file a successful outdated content removal. But it appears that they later discovered that another attack method was being used.

Google’s Outdated Content Removal tool is case-sensitive, which means that if you submit a URL containing an uppercase letter, the crawler will go out to specifically check for the uppercase version, and if the server returns a 404 Not Found error response, Google will remove all versions of the URL.

The Freedom of the Press Foundation writes that the tool is case insensitive, but that’s not entirely correct because if it were insensitive, the case wouldn’t matter. But the case does matter, which means that it is case sensitive.

By the way, the victim of the attack could have created a workaround by rewriting all requests for uppercase URLs to lowercase and enforcing lowercase URLs across the entire website.

That’s the flaw the attacker exploited. So, while the tool was case sensitive, at some point in the system Google’s removal system is case agnostic, which resulted in the correct URL being removed.

Here’s how the Freedom of the Press Foundation described it:

“Our article… was vanished from Google search using a novel maneuver that apparently hasn’t been publicly well documented before: a sustained and coordinated abuse of Google’s “Refresh Outdated Content” tool.

This tool is supposed to allow those who are not a site’s owner to request the removal from search results of web pages that are no longer live (returning a “404 error”), or to request an update in search of web pages that display outdated or obsolete information in returned results.

However, a malicious actor could, until recently, disappear a legitimate article by submitting a removal request for a URL that resembled the target article but led to a “404 error.” By altering the capitalization of a URL slug, a malicious actor apparently could take advantage of a case-insensitivity bug in Google’s automated system of content removal.”

Other Sites Affected By Thes Exploit

Google responded to the Freedom of the Press Foundation and admitted that this exploit did, in fact, affect other sites.

They are quoted as saying the issue only impacted a “tiny fraction of websites” and that the wrongly impacted sites were reinstated.

Google responded by email to note that this bug has been fixed.

Ecommerce MGMT 0 Comments
Jul 31 2025
Reddit Prioritizes Search, Sees 5X Growth in AI-Powered Answers via @sejournal, @MattGSouthern

Reddit is investing heavily in search, with CEO Steve Huffman announcing plans to position the platform as a destination for people seeking answers online.

In its Q2 shareholder letter, Reddit revealed that more than 70 million people now use its on-platform search each week.

Its AI-powered Reddit Answers feature is also gaining traction, reaching 6 million weekly users, up five times from the previous quarter.

Search Becomes a Strategic Priority

Reddit is now focusing on three key areas: improving the core product, growing its search presence, and expanding internationally.

As part of this shift, the company is scaling back work on its user economy initiatives.

Huffman stated:

“Reddit is one of the few platforms positioned to become a true search destination. We offer something special: a breadth of conversations and knowledge you can’t find anywhere else.”

The company plans to integrate Reddit Answers more deeply into its search experience, expand the feature to more markets, and launch marketing efforts to grow adoption globally.

Reddit Answers Gains Momentum

Reddit Answers, introduced earlier this year, uses the platform’s archive of human discussions to generate relevant responses to search queries.

It now has 6 million weekly active users and is available in the U.S., U.K., Canada, Australia, and India.

Integration with Reddit’s primary search experience is also being tested to make discovery more seamless.

Why This Matters

Reddit’s focus on search may offer new visibility opportunities. Its posts already rank well in Google results, now its internal search tools are being enhanced to surface answers directly.

Reddit also emphasizes its commercial value. The company says 40% of posts demonstrate purchase intent, making it a destination for people researching products and services.

Looking Ahead

As AI-generated content becomes more widespread, Reddit is betting that human perspectives will remain valuable.

The company expects Q3 revenue between $535 million and $545 million, with deeper integration of Reddit Answers planned as it continues to build out its search capabilities.

Featured Image: PJ McDonnell/Shutterstock

Ecommerce MGMT 0 Comments
Jul 31 2025
Bing Recommends lastmod Tags For AI Search Indexing via @sejournal, @MattGSouthern

Bing has updated its sitemap guidance with a renewed focus on the lastmod tag, highlighting its role in AI-powered search to determine which pages need to be recrawled.

While real-time tools like IndexNow offer faster updates, Bing says accurate lastmod values help keep content discoverable, especially on frequently updated or large-scale sites.

Bing Prioritizes lastmod For Recrawling

Bing says the lastmod field in your sitemap is a top signal for AI-driven indexing. It helps determine whether a page needs to be recrawled or can be skipped.

To make it work effectively, use ISO 8601 format with both date and time (e.g. 2004-10-01T18:23:17+00:00). That level of precision helps Bing prioritize crawl activity based on actual content changes.

Avoid setting lastmod to the time your sitemap was generated, unless the page was truly updated.

Bing also confirmed that changefreq and priority tags are ignored and no longer affect crawling or ranking.

Submission & Verification Tips

Bing recommends submitting your sitemap in one of two ways:

  • Reference it in your robots.txt file
  • Submit it via Bing Webmaster Tools

Once submitted, Bing fetches the sitemap immediately and rechecks it daily.

You can verify whether it’s working by checking the submission status, last read date, and any processing errors in Bing Webmaster Tools.

Combine With IndexNow For Better Coverage

To increase the chances of timely indexing, Bing suggests combining sitemaps with IndexNow.

While sitemaps give Bing a full picture of your site, IndexNow allows real-time URL-level updates—useful when content changes frequently.

The Bing team states:

“By combining sitemaps for comprehensive site coverage with IndexNow for fast, URL-level submission, you provide the strongest foundation for keeping your content fresh, discoverable, and visible.”

Sitemaps at Massive Scale

If you manage a large website, Bing’s sitemap capacity limits are worth your attention:

  • Up to 50,000 URLs per sitemap
  • 50,000 sitemaps per index file
  • 2.5 billion URLs per index
  • Multiple index files support indexing up to 2.5 trillion URLs

That makes the standard sitemap protocol scalable enough even for enterprise-level ecommerce or publishing platforms.

Fabrice Canel and Krishna Madhavan of Microsoft AI, Bing, noted that using these limits to their full extent helps ensure content remains discoverable in AI search.

Why This Matters

As search becomes more AI-driven, accurate crawl signals matter more.

Bing’s reliance on sitemaps, especially the lastmod field, shows that basic technical SEO practices still matter, even as AI reshapes how content is surfaced.

For large sites, Bing’s support for trillions of URLs offers scalability. For everyone else, the message is simpler: keep your sitemaps clean, accurate, and updated in real-time. This gives your content the best shot at visibility in AI search.

Featured Image: PJ McDonnell/Shutterstock

Ecommerce MGMT 0 Comments
Jul 31 2025
Vulnerability Uncovered In Wix Vibe Coding Platform via @sejournal, @martinibuster

Cloud security company Wiz discovered a critical flaw in Wix’s Base44 vibe coding platform that enabled attackers to bypass authentication and gain access to private enterprise applications. The relative simplicity of finding what should have been a secret app ID number, and using it to gain access, made the vulnerability a serious concern.

Exposed Sensitive Identification Number

An apparently randomly generated identification number, called an app_id, was embedded in public-facing paths such as the application URL and the manifest.json file. Attackers could use that data to generate a verified account, even when user registration was disabled. This bypassed the platform’s access controls, including Single Sign-On (SSO), which many organizations use for enterprise security.

The Wiz security report notes how easy it was to find the sensitive app_id numbers:

“When we navigate to any application developed on top of Base44, the app_id is immediately visible in the URI and manifest.json file path, all applications have their app_ids value hardcoded in their manifest path: manifests/{app_id}/manifest.json.”

Creating A Rogue Account Was Relatively Trivial

The vulnerability did not require privileged access or deep technical expertise. Once an attacker identified a valid app_id, they could use tools like the open source Swagger-UI to register a new account, receive a one-time password (OTP) via email, and verify the account without restriction.

From there, logging in through the application’s SSO flow granted full access to internal systems, despite the original access being restricted to specific users or teams. This process exposed a serious flaw in the platform’s assumption that the app_id would not be tampered with or reused externally.

Authentication Flaw Risked Exposure of Sensitive Data

Many of the affected apps were built using the popular Base44 vibe coding platform for internal use, supporting operations such as HR, chatbots, and knowledge bases. These systems contained personally identifiable information (PII) and were used for HR operations. The exploit enabled attackers to bypass identity controls and access private enterprise applications, potentially exposing sensitive data.

Wix Fixes Flaw Within 24 Hours

The cloud security company discovered the flaw by using a methodical process of examining public information for potential weak points, eventually culminating in finding the exposed app_id numbers, and from there creating the workflow for generating access to accounts. They next contacted Wix, which immediately fixed the issue.

According to the report published by the security company, there is no evidence that the flaw was exploited, and the vulnerability has been fully addressed.

Threat To Entire Ecosystems

The Wiz security report noted that the practice of vibe coding is proceeding at a rapid pace and with not enough time to address potential security issues, expressing the opinion that it creates “systemic risks” not just to individual apps but to “entire ecosystems.”

Why Did This Security Incident Happen?

Wix States It Is Proactive On Security

The report published a statement from Wix that states that they are proactive about security:

“We continue to invest heavily in strengthening the security of all products and potential vulnerabilities are proactively managed. We remain committed to protecting our users and their data.”

Security Company Says Discovery Of Flaw Was Simple

The report by Wiz describes the discovery as a relatively simple matter, explaining that they used “straightforward reconnaissance techniques,” including “passive and active discovery of subdomains,” which are widely accessible methods.

The security report explained that exploiting the flaw was simple:

“What made this vulnerability particularly concerning was its simplicity – requiring only basic API knowledge to exploit. This low barrier to entry meant that attackers could systematically compromise multiple applications across the platform with minimal technical sophistication.”

The existence of that report, in itself, raises the concern that if discovering the issue was “straightforward” and exploiting it had a “low barrier to entry,” how is it that Wix was proactive and yet this was not discovered?

  • If they had used a third-party security testing company, why hadn’t they discovered the publicly available app_id numbers?
  • The manifest.json exposure is trivial to detect. Why hadn’t that been flagged by a security audit?

The contradiction between a simple discovery/exploit process and Wix’s claimed proactive security posture raises a reasonable doubt about the thoroughness or effectiveness of their proactive measures.

Takeaways:

  • Simple Discovery and Exploitation:
    The vulnerability could be found and exploited using basic tools and publicly available information, with no need for advanced skills or insider access.
  • Bypassing Enterprise Controls:
    Attackers could gain full access to internal apps despite controls like disabled registration and SSO-based identity restrictions.
  • Systemic Risk from Vibe Coding:
    Wiz warns that fast-paced vibe coding platforms may introduce widespread security risks across application ecosystems.
  • Discrepancy Between Claims and Reality:
    The ease of exploitation contrasts with Wix’s claims of proactive security, prompting questions about the thoroughness of their security audits.

Wiz discovered that Wix’s Base44 vibe coding platform exposed a critical vulnerability that could have enabled attackers to bypass authentication and access internal enterprise applications.  The security company that discovered the flaw expressed the opinion that this incident highlights potential risks of insufficient security considerations, which can put entire ecosystems at risk.

Read the original report:

Wiz Research Uncovers Critical Vulnerability in AI Vibe Coding platform Base44 Allowing Unauthorized Access to Private Applications

Featured Image by Shutterstock/mailcaroline

Ecommerce MGMT 0 Comments
Jul 30 2025
WooCommerce Customer Review Plugin Vulnerability Affects 80,000+ Sites via @sejournal, @martinibuster

An advisory was issued about a vulnerability in the Customer Reviews for WooCommerce plugin, which is installed on over 80,000 websites. The plugin enables unauthenticated attackers to launch a stored cross-site scripting attack.

Customer Reviews for WooCommerce Vulnerability

The Customer Reviews for WooCommerce plugin enables users to send customers an email reminder to leave a review and also offers other features designed to increase customer engagement with a brand.

Wordfence issued an advisory about a flaw in the plugin that makes it possible for attackers to inject scripts into web pages that execute whenever a user visits the affected page.

The exploit is due to a failure to “sanitize” inputs and “escape” outputs. Sanitizing inputs in this context is a basic WordPress security measure that checks if uploaded data conforms to expected types and removes dangerous content like scripts. Output escaping is another security measure that ensures any special characters produced by the plugin aren’t executable.

According to the official Wordfence advisory:

“The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘author’ parameter in all versions up to, and including, 5.80.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

Users of the plugin are advised to update to version 5.81.0 or newer version.

Featured Image by Shutterstock/Brilliant Eye

Ecommerce MGMT 0 Comments
Jul 30 2025
Query Fan-Out Technique in AI Mode: New Details From Google via @sejournal, @MattGSouthern

In a recent interview, Google’s VP of Product for Search, Robby Stein, shared new information about how query fan-out works in AI Mode.

Although the existence of query fan-out has been previously detailed in Google’s blog posts, Stein’s comments expand on its mechanics and offer examples that clarify how it works in practice.

Background On Query Fan-Out Technique

When a person types a question into Google’s AI Mode, the system uses a large language model to interpret the query and then “fan out” multiple related searches.

These searches are issued to Google’s infrastructure and may include topics the user never explicitly mentioned.

Stein said during the interview:

“If you’re asking a question like things to do in Nashville with a group, it may think of a bunch of questions like great restaurants, great bars, things to do if you have kids, and it’ll start Googling basically.”

He described the system as using Google Search as a backend tool, executing multiple queries and combining the results into a single response with links.

This functionality is active in AI Mode, Deep Search, and some AI Overview experiences.

Scale And Scope

Stein said AI-powered search experiences, including query fan-out, now serve approximately 1.5 billion users each month. This includes both text-based and multimodal input.

The underlying data sources include traditional web results as well as real-time systems like Google’s Shopping Graph, which updates 2 billion times per hour.

He referred to Google Search as “the largest AI product in the world.”

Deep Search Behavior

In cases where Google’s systems determine a query requires deeper reasoning, a feature called Deep Search may be triggered.

Deep Search can issue dozens or even hundreds of background queries and may take several minutes to complete.

Stein described using it to research home safes, a purchase he said involved unfamiliar factors like fire resistance ratings and insurance implications.

He explained:

“It spent, I don’t know, like a few minutes looking up information and it gave me this incredible response. Here are how the ratings would work and here are specific safes you can consider and here’s links and reviews to click on to dig deeper.”

AI Mode’s Use Of Internal Tools

Stein mentioned that AI Mode has access to internal Google tools, such as Google Finance and other structured data systems.

For example, a stock comparison query might involve identifying relevant companies, pulling current market data, and generating a chart.

Similar processes apply to shopping, restaurant recommendations, and other query types that rely on real-time information.

Stein stated:

“We’ve integrated most of the real-time information systems that are within Google… So it can make Google Finance calls, for instance, flight data… movie information… There’s 50 billion products in the shopping catalog… updated I think 2 billion times every hour or so. So all that information is able to be used by these models now.”

Technical Similarities To Google’s Patent

Stein described a process similar to a Google patent from December about “thematic search.”

The patent outlines a system that creates sub-queries based on inferred themes, groups results by topic, and generates summaries using a language model. Each theme can link to source pages, but summaries are compiled from multiple documents.

This approach differs from traditional search ranking by organizing content around inferred topics rather than specific keywords. While the patent doesn’t confirm implementation, it closely matches Stein’s description of how AI Mode functions.

Looking Ahead

With Google explaining how AI Mode generates its own searches, the boundaries of what counts as a “query” are starting to blur.

This creates challenges not just for optimization, but for attribution and measurement.

As search behavior becomes more fragmented and AI-driven, marketers may need to focus less on ranking for individual terms and more on being included in the broader context AI pulls from.

Listen to the full interview below:

Featured Image: Screenshot from youtube.com/@GoogleDevelopers, July 2025. 

Ecommerce MGMT 0 Comments