Latest Updates and Insights on WordPress Security


WordPress to Require Two-Factor Authentication for Plugin Developers

16 September 2024
WordPress will require two-factor authentication for plugin developers starting October 1, 2024. This mandate will also apply to theme authors. The organization aims to enhance security by preventing hijacked accounts from spreading malicious code.

WordPress To Mandate 2FA for Theme And Plugin Developers

12 September 2024
Beginning on October 1st, 2024, WordPress will mandate two-factor authentication (2FA) for plugin and theme creators as a new security measure. Themes and plugins that are used by millions of WordPress websites worldwide can be updated and changed by accounts that have commit access. To stop illegal access and preserve the security and confidence of […] (Cyber Security News)

WordPress Mandates Two-Factor Authentication for Plugin and Theme Developers

12 September 2024
WordPress.org has announced a new account security measure that will require accounts with the capability to update plugins and themes to enable two-factor authentication (2FA). The enforcement is expected to come into effect starting October 1, 2024. "Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide," the

New Stealthy Malware Campaign Dubbed DarkCracks Exploits GLPI and WordPress Sites

07 September 2024
DarkCracks isn’t your typical malware campaign—it’s a sophisticated Launcher designed for long-term exploitation. It deploys malicious payloads through public websites, like school portals and booking systems, to infect unsuspecting users.

Critical Security Flaw Found in LiteSpeed Cache Plugin for WordPress

06 September 2024
Cybersecurity researchers have discovered yet another critical security flaw in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated users to take control of arbitrary accounts. The vulnerability, tracked as CVE-2024-44000 (CVSS score: 7.5), impacts versions before and including 6.4.1. It has been addressed in version 6.5.0.1. "The plugin suffers from an

LiteSpeed Cache Flaw Exposes Millions of WordPress Sites to Takeover Attacks

05 September 2024
Discovered by security researcher Rafie Muhammad, the flaw allows unauthorized users to take control of logged-in accounts, potentially gaining administrator privileges on WordPress sites.

Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution

28 August 2024
A critical security flaw has been disclosed in the WPML WordPress multilingual plugin that could allow authenticated users to execute arbitrary code remotely under certain circumstances. The vulnerability, tracked as CVE-2024-6386 (CVSS score: 9.9), impacts all versions of the plugin before 4.6.13, which was released on August 20, 2024. Arising due to missing input validation and sanitization,

WordPress Plugin Flaw Exposes 1,000,000 WordPress Sites to Remote Code Attacks

27 August 2024
A vulnerability in the WPML (WordPress Multilingual) plugin has put over a million WordPress sites at risk of remote code execution (RCE) attacks. This flaw allows authenticated users with contributor-level access or higher to execute arbitrary code on the server, potentially leading to a complete site takeover. The vulnerability, identified as CVE-2024-6386, affects all versions […] (Cyber Security News)

Critical SSTI Flaw in WPML Plugin Exposes Millions of WordPress Sites to RCE Attacks

27 August 2024
This vulnerability allows authorized users to inject and execute malicious code through the plugin's shortcode feature, potentially leading to data theft and website takeover.

WordPress Websites Used to Distribute ClearFake Trojan Malware

26 August 2024
WordPress websites were found distributing the ClearFake Trojan malware, a dangerous threat that can lead to ransomware infections. The malware was disguised as a prompt to install a root certificate.

Critical Flaw in WordPress LiteSpeed Cache Plugin Allows Hackers Admin Access

22 August 2024
Cybersecurity researchers have disclosed a critical security flaw in the LiteSpeed Cache plugin for WordPress that could permit unauthenticated users to gain administrator privileges. "The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain Administrator level access after which malicious plugins could be uploaded and

Over 10,000 WordPress Sites at Risk: Critical File Deletion Flaw Found in InPost Plugins

21 August 2024
The vulnerability, known as CVE-2024-6500, affects the InPost PL and InPost for WooCommerce plugins, allowing attackers to read and delete sensitive files like the wp-config.php configuration file.

GiveWP WordPress Plugin Vulnerability Puts 100,000+ Websites at Risk

21 August 2024
A maximum-severity security flaw has been disclosed in the WordPress GiveWP donation and fundraising plugin that exposes more than 100,000 websites to remote code execution attacks. The flaw, tracked as CVE-2024-5932 (CVSS score: 10.0), impacts all versions of the plugin prior to version 3.14.2, which was released on August 7, 2024. A security researcher, who goes by the online alias villu164,

Critical WordPress Plugin RCE Vulnerability Impacts 100k+ Sites

20 August 2024
A severe security flaw has been discovered in GiveWP, a popular WordPress donation plugin with over 100,000 active installations. The vulnerability, classified as an unauthenticated PHP Object Injection leading to Remote Code Execution (RCE), was responsibly reported through the Wordfence Bug Bounty Program on May 26th, 2024. The critical vulnerability, assigned CVE-2024-5932 with a CVSS […] (Cyber Security News)

WordPress Plugin Flaw Let Attackers Seize Administrative Control

16 July 2024
A critical vulnerability has been discovered in the popular Profile Builder and Profile Builder Pro plugins, with over 50,000 active installations. The flaw, identified during a routine audit of various WordPress plugins, allows unauthenticated attackers to escalate their privileges and gain administrative access to targeted sites without possessing account credentials. CVE-2024-6695 – Unauthenticated Privilege Escalation […] (Cyber Security News)

Hackers Target WordPress Calendar Plugin Used by 150,000 Sites

10 July 2024
Hackers are targeting a vulnerability in the Modern Events Calendar WordPress plugin found on over 150,000 websites to upload files and execute code remotely. The plugin by Webnus is used to manage events.

WordPress Calendar Plugin RCE Flaw Exposes 150,000 Sites for Hacking

09 July 2024
A security flaw was discovered in the Modern Events Calendar, a widely used WordPress plugin with over 150,000 active installations. The vulnerability, identified as an Arbitrary File Upload flaw, allows authenticated users, such as subscribers, to upload arbitrary files to a vulnerable site, potentially leading to remote code execution (RCE). CVE-2024-5441 – Discovery and Reporting […] (Cyber Security News)

WordPress Releases Urgent Security Update to Patch XSS and Path Traversal Flaws

26 June 2024
WordPress has released an urgent security update, version 6.5.5, addressing critical vulnerabilities that could potentially compromise the security of millions of websites. This minor release, which also includes three bug fixes in the core, is highly recommended for immediate installation to ensure site security and stability. Key Security Fixes: The WordPress 6.5.5 update addresses three […] (Cyber Security News)

New Credit Card Skimmer Targets WordPress, Magento, and OpenCart Sites

26 June 2024
Multiple content management system (CMS) platforms like WordPress, Magento, and OpenCart have been targeted by a new credit card web skimmer called Caesar Cipher Skimmer. A web skimmer refers to malware that is injected into e-commerce sites with the goal of stealing financial and payment information. According to Sucuri, the latest campaign entails making malicious modifications to the

Hackers Create Rogue Admin Accounts via Backdoored WordPress Plugins

25 June 2024
Multiple WordPress plugins have been found to contain a backdoor that injects malicious code. This code allows attackers to create unauthorized administrator accounts, enabling them to perform malicious actions.