Latest Updates and Insights on WordPress Security
22 June 2026
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack after unknown threat actors managed to tamper with the official release channels and push backdoor code.
"Attackers compromised the vendor's build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels," Wordfence said in an analysis
20 June 2026
Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites.
The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that can allow unauthenticated attackers to extract sensitive data, such as configuration data, API keys, secrets, and OAuth tokens
19 June 2026

A critical security vulnerability in the widely used Avada (Fusion) Builder WordPress plugin has exposed over 1 million websites to arbitrary file-deletion attacks, potentially leading to full-site compromise and remote code execution. The flaw, tracked as CVE-2026-8713 with a CVSS score of 9.1, was discovered by security researcher “daroo” and reported through the Wordfence Bug […]
The post Critical WordPress Plugin Vulnerability Exposes 1 Million Sites to File Deletion Attacks appeared first on Cyber Security News.
19 June 2026
Dutch law enforcement authorities, along with counterparts from Canada, Germany, and the U.S., have disrupted malicious infrastructure associated with SocGholish and cleaned up nearly 15,000 infected WordPress websites.
"With these actions we deprive cybercriminals of access to infected computer systems," Maikel Rollman of the Netherlands National High Tech Crime Unit said.
"This prevents
18 June 2026

Hackers are actively abusing a sensitive information exposure flaw in the Gravity SMTP WordPress plugin, aggressively targeting over 100,000 sites to harvest configuration data and live email credentials. The vulnerability, tracked as CVE-2026-4020 and rated 5.3 (Medium), affects all Gravity SMTP versions up to and including 2.1.4 and is now under mass exploitation by distributed […]
The post Hackers Actively Exploiting WordPress SMTP Plugin With 100,000+ Installs to Access Sensitive Data appeared first on Cyber Security News.
16 June 2026

A large-scale supply chain attack targeting widely used WordPress plugins has exposed more than 1.2 million websites to potential compromise after attackers injected malicious code into legitimate JavaScript files distributed through trusted CDN infrastructure. Security researchers at Sansec discovered an ongoing campaign targeting plugins developed by Awesome Motive, including OptinMonster, TrustPulse, and PushEngage. These plugins […]
The post OptinMonster Plugin Hack Exposes 1.2 Million WordPress Sites to Cyberattack appeared first on Cyber Security News.
15 June 2026
An attacker tampered with trusted JavaScript files used by WordPress sites running PushEngage, OptinMonster, and TrustPulse, turning those files into a way to break into the sites.
When a site administrator was logged in as the file loaded, the code created an admin account under the attacker's control and installed a hidden plugin that opened a way back in. Ordinary visitors did not trigger it.
05 June 2026
Threat actors are actively exploiting a critical security flaw in Everest Forms Pro, a WordPress plugin with about 4,000 active installations, to execute arbitrary code, leading to a complete site compromise.
The vulnerability in question is CVE-2026-3300 (CVSS score: 9.8), a remote code execution bug impacting all versions of the plugin up to, and including, 1.9.12. A patch for the flaw was
04 June 2026

Hackers are actively exploiting a critical remote code execution (RCE) vulnerability in the Everest Forms Pro WordPress plugin, allowing unauthenticated attackers to inject and execute arbitrary PHP code on vulnerable websites. The flaw, tracked as CVE-2026-3300 with a CVSS score of 9.8, affects all versions up to 1.9.12 and has already been observed in widespread […]
The post Hackers Actively Exploiting WordPress Plugin Vulnerability to Inject Malicious PHP Code appeared first on Cyber Security News.
03 June 2026

A critical security flaw in the widely used Kirki WordPress plugin has exposed over 500,000 websites to potential account takeover attacks, with researchers warning that approximately 150,000 sites are actively vulnerable because they run affected versions. Tracked as CVE-2026-8206 with a CVSS score of 9.8, the vulnerability impacts Kirki plugin versions 6.0.0 through 6.0.6. The issue […]
The post WordPress Plugin Vulnerability Exposes 500,000+ Websites to Privilege Escalation Attacks appeared first on Cyber Security News.
02 June 2026

A newly discovered malware campaign targeting WordPress websites has raised serious concerns across the web security community. Attackers behind this campaign are using an unexpected method to communicate with infected sites, hiding command instructions inside Steam Community profile comments and turning a popular gaming platform into a covert control channel. The malware works in two […]
The post WordPress Malware Abuses Steam Community Profiles for C2 Operations appeared first on Cyber Security News.
27 May 2026
WordPress at 23 is simultaneously both the strongest and most precarious it’s ever been. Last week, we shipped WordPress 7 to the world. In seven days, 46% of all WordPresses, tens of millions across countless different hosting environments, are already on 7.0, auto-updated with no breakage. From a Raspberry Pi to the most secure sites […]
18 May 2026

A widely used WordPress plugin powering over one million websites has been hit by two serious vulnerabilities that could allow attackers to steal sensitive data and access server files. Security researchers warn that the flaws in the Avada Builder plugin could be actively exploited if sites remain unpatched. The issues, discovered by researcher Rafie Muhammad through […]
The post 1 Million WordPress Sites Affected by Avada Builder File Read and SQL Injection Flaws appeared first on Cyber Security News.
18 May 2026

A critical vulnerability in a widely used WordPress plugin has exposed over 200,000 websites to full account takeover, raising urgent concerns across the security community. Discovered on May 8, 2026, by Wordfence’s AI-powered PRISM threat intelligence platform, the flaw affects the Burst Statistics plugin, a privacy-focused analytics tool. Tracked as CVE-2026-8181 with a CVSS score […]
The post Critical WordPress Plugin Vulnerability Exposes Websites to Authentication Bypass Attacks appeared first on Cyber Security News.
30 April 2026

A massive supply chain attack has been uncovered in the Quick Page/Post Redirect Plugin, a popular WordPress plugin with over 70,000 active installations. Security researcher Austin Ginder discovered a dormant backdoor introduced five years ago that silently injects arbitrary code into websites. The malicious code bypassed official security checks by leveraging a custom remote update […]
The post WordPress Plugin Hacked Since 2020 to Inject Malicious Code Silently appeared first on Cyber Security News.
15 April 2026

A group of trusted WordPress plugins quietly carried a hidden backdoor for eight full months, and nobody noticed until the damage had already been done. The attack, uncovered in April 2026, did not begin with a dramatic breach. It started with the silent purchase of a legitimate plugin business on a public marketplace, setting the […]
The post Hackers Hide Backdoor in Trusted WordPress Plugins for 8 Months Before Activating Malware appeared first on Cyber Security News.
13 April 2026

A critical security flaw found in a widely used WordPress plugin is putting thousands of websites at serious risk worldwide. Tracked as CVE-2026-1492, this vulnerability affects the User Registration & Membership plugin for WordPress and lets attackers completely bypass the login process to gain full administrator access — all without needing a username, password, or […]
The post Critical WordPress Plugin Flaw Lets Attackers Bypass Authentication and Gain Admin Access appeared first on Cyber Security News.
07 April 2026

A critical security flaw in the popular WordPress plugin “Ninja Forms – File Upload” has left approximately 50,000 websites vulnerable to complete takeover. Tracked as CVE-2026-0740, this flaw boasts a maximum CVSS severity score of 9.8, making it a severe threat that requires immediate attention from website administrators. Discovered by security researcher Sélim Lanouar, who […]
The post 50,000 WordPress Sites Exposed to Critical Ninja Forms File Upload RCE Vulnerability appeared first on Cyber Security News.
06 April 2026

A new supply chain attack is targeting developers after threat actors compromised the official WordPress domain for ILSpy on April 6, 2026. Instead of providing the legitimate software, the hijacked website began redirecting visitors to a malicious webpage to deliver malware. Normally, clicking the download button on the ILSpy website sends users directly to the project’s […]
The post Hackers Compromised ILSpy WordPress Domain to Deliver Malware appeared first on Cyber Security News.
31 March 2026

A high-severity security flaw has been disclosed in Smart Slider 3, one of the most widely used WordPress slider builder plugins. With over 800,000 active installations, this vulnerability leaves a massive number of websites exposed to severe data theft. Tracked as CVE-2026-3098, this medium-severity flaw allows attackers with minimal permissions to access and download highly sensitive […]
The post WordPress Plugin Vulnerability Exposes Sensitive Data From 800,000+ Sites appeared first on Cyber Security News.