Latest Updates and Insights on WordPress Security
24 March 2025

A critical vulnerability has been disclosed in GamiPress, a popular WordPress plugin used for gamification and rewards systems on websites. The high-impact flaw, categorized as CVE-2024-13496 with a CVSS 3.1 score of 7.5, allowed unauthenticated attackers to inject malicious SQL queries that could potentially compromise entire WordPress installations. The vulnerability, which affected all GamiPress versions up to 7.3.1, […]
The post WordPress Plug-in Vulnerability Let Hackers Inject Malicious SQL Queries appeared first on Cyber Security News.
24 March 2025

A critical vulnerability has been disclosed in WP Ghost, a popular WordPress security plugin with over 200,000 active installations. The high-severity flaw, tracked as CVE-2025-26909 with a CVSS score of 9.6, allows unauthenticated attackers to exploit a Local File Inclusion (LFI) vulnerability that can lead to Remote Code Execution (RCE). Website administrators are strongly advised to update immediately […]
The post WordPress Plugin Vulnerability Exposes 200k+ Sites to Code Execution Attacks appeared first on Cyber Security News.
06 March 2025
Over 1,000 websites powered by WordPress have been infected with third-party JavaScript code that injects four separate backdoors.
"Creating four backdoors facilitates the attackers having multiple points of re-entry should one be detected and removed," c/side researcher Himanshu Anand said in a Wednesday analysis.
The malicious JavaScript code has been found to be served via cdn.csyndication[
05 March 2025

A critical security flaw in the GiveWP Donation Plugin tracked as CVE-2025-0912, has exposed over 100,000 WordPress websites to unauthenticated remote code execution (RCE) attacks. The vulnerability, scoring a maximum CVSS 9.8 (Critical) severity rating, originates from improper handling of user-supplied data in the plugin’s donation form processing logic. Exploiting this flaw allows attackers to […]
The post WordPress Plugin Vulnerability Exposes 10,000 Sites to Code Execution Attacks appeared first on Cyber Security News.
19 February 2025

A severe security flaw in the Jupiter X Core plugin for WordPress exposed over 90,000 websites to Local File Inclusion (LFI) and Remote Code Execution (RCE) attacks. The vulnerability tracked as CVE-2025-0366 with a CVSS score of 8.8 (High), enables authenticated attackers with contributor-level access to upload malicious SVG files and execute arbitrary code on vulnerable servers. […]
The post 90,000 WordPress Sites Vulnerable to Local File Inclusion Attacks appeared first on Cyber Security News.
17 February 2025

A sophisticated malware campaign has recently been uncovered by security researchers at Sucuri, targeting WordPress websites through hidden malware and backdoors in the mu-plugins directory. This attack chain allows remote execution of malicious code, enabling full server compromise, data theft, and persistent control over infected sites. The /wp-content/mu-plugins/ directory – designed for “must-use” plugins that […]
The post Hidden Malware in WordPress Websites Allows Attackers to Execute Malicious Code Remotely appeared first on Cyber Security News.
31 January 2025

A sophisticated cyber campaign orchestrated by the threat group TAG-124 has compromised over 1,000 WordPress websites to deploy malicious payloads. The operation leverages a multi-layered Traffic Distribution System (TDS) to infect users with malware, demonstrating advanced evasion tactics and infrastructure management. TAG-124’s infrastructure consists of compromised WordPress sites injected with malicious JavaScript to redirect visitors […]
The post TAG-124 Hacked 1000+ WordPress Sites To Embed Payloads appeared first on Cyber Security News.
23 January 2025

A severe security flaw has been discovered in the popular RealHomes WordPress theme and its accompanying plugin, Easy Real Estate, threatening the security of over 23,000 websites. These vulnerabilities, classified as unauthenticated privilege escalation issues, have been assigned critical severity scores of 9.8 on the CVSS scale and are tracked as CVE-2024-32444 and CVE-2024-32555, respectively. […]
The post WordPress Real-Estate Plugin Vulnerability Exposes 32k+ Websites To Cyberattack appeared first on Cyber Security News.
13 January 2025
Cybersecurity researchers are warning of a new stealthy credit card skimmer campaign that targets WordPress e-commerce checkout pages by inserting malicious JavaScript code into a database table associated with the content management system (CMS).
"This credit card skimmer malware targeting WordPress websites silently injects malicious JavaScript into database entries to steal sensitive payment
10 January 2025
A sophisticated credit card skimmer malware had been found hitting WordPress checkout pages, silently injecting malicious JavaScript into database records to obtain sensitive payment details. Attackers may utilize existing payment fields or inject a fake credit card form to steal payment information covertly and undetected.
Targets WordPress Checkout Pages via Database Injection
Sucuri claims that […]
The post New Skimmer Malware Hijacking WordPress Websites to Steal Credit Cards appeared first on Cyber Security News.
07 January 2025
PhishWP, a newly discovered WordPress plugin created by cybercriminals, is being used to maliciously convert legitimate websites into phishing traps, putting user data at risk. It generates fake payment pages that closely resemble legitimate providers like Stripe. Threat actors use it to steal sensitive data, including browser metadata, credit card […]
The post WordPress Plugin Weaponizes Legit Sites To Steal Customer Payment Data appeared first on Cyber Security News.
18 December 2024
A threat actor labelled as MUT-1244 has stolen more than 390,000 WordPress credentials.
17 December 2024
A critical Remote Code Execution (RCE) vulnerability (CVE-2024-6386) affected over 1,000,000 active installations of the WordPress Multilingual Plugin (WPML). This flaw, stemming from a Server-Side Template Injection (SSTI) vulnerability in the Twig template engine, allowed attackers to execute arbitrary code on the affected websites. Rated as critical with a CVSS score of 9.9, the vulnerability […]
The post RCE Vulnerability in 1,000,000 WordPress Sites Lets Attackers Gain Control Over Backend appeared first on Cyber Security News.
13 December 2024
A now-removed GitHub repository that advertised a WordPress tool to publish posts to the online content management system (CMS) is estimated to have enabled the exfiltration of over 390,000 credentials.
The malicious activity is part of a broader attack campaign undertaken by a threat actor, dubbed MUT-1244 (where MUT refers to "mysterious unattributed threat") by Datadog Security Labs, that
12 December 2024
Malicious actors are exploiting a critical vulnerability in the Hunk Companion plugin for WordPress to install other vulnerable plugins that could open the door to a variety of attacks.
The flaw, tracked as CVE-2024-11972 (CVSS score: 9.8), affects all versions of the plugin prior to 1.9.0. The plugin has over 10,000 active installations.
"This flaw poses a significant security risk, as it
05 December 2024
A newly disclosed vulnerability in the Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress has raised concerns among website administrators and developers. The flaw, identified as CVE-2024-10178, allows attackers with contributor-level access or higher to inject malicious scripts into web pages through the plugin’s Countdown widget. While this vulnerability affects […]
The post WordPress Gutenberg Editor Vulnerability Let Attackers Inject Malicious Scripts appeared first on Cyber Security News.
26 November 2024
Two critical security flaws impacting the Spam protection, Anti-Spam, and FireWall plugin for WordPress could allow an unauthenticated attacker to install and enable malicious plugins on susceptible sites and potentially achieve remote code execution.
The vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, carry a CVSS score of 9.8 out of a maximum of 10.0. They were addressed in versions
26 November 2024
A critical vulnerability was discovered on October 30th, 2024 in the Anti-Spam by CleanTalk WordPress plugin, potentially affecting over 200,000 active installations. This flaw allows unauthenticated attackers to install and activate arbitrary plugins, which could lead to remote code execution on vulnerable sites. Vulnerabilities that were discovered in the WordPress plugin are tracked as “CVE-2024-10542” […]
The post WordPress Plugin Flaw Exposes 200,000 WordPress Sites To Hacking appeared first on Cyber Security News.
17 November 2024
A critical authentication bypass vulnerability has been disclosed in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress that, if successfully exploited, could allow an attacker to remotely gain full administrative access to a susceptible site.
The vulnerability, tracked as CVE-2024-10924 (CVSS score: 9.8), impacts both free and premium versions of the plugin. The
15 November 2024
A critical security flaw in one of WordPress’s most popular plugins has left over 4 million websites vulnerable to potential hacking attempts. The Really Simple Security plugin, formerly known as Really Simple SSL, contains an authentication bypass vulnerability that could allow attackers to gain full administrative access to affected sites. The vulnerability, discovered by the […]
The post WordPress Plugin Vulnerability Exposes 4M+ Websites To Hackers appeared first on Cyber Security News.