Latest Updates and Insights on WordPress Security


Critical GiveWP Flaw Puts 100k WordPress Sites at Risk

01 October 2024
The flaw allows attackers to execute code remotely by injecting a malicious PHP object due to improper handling of input during deserialization. This flaw is similar to CVE-2024-5932 but bypasses certain checks, making it even more dangerous.

WP Engine Reprieve

27 September 2024
I’ve heard from WP Engine customers that they are frustrated that WP Engine hasn’t been able to make updates, plugin directory, theme directory, and Openverse work on their sites. It saddens me that they’ve been negatively impacted by Silver Lake’s commercial decisions. On WP Engine’s homepage, they promise “Unmatched performance, automated updates, and bulletproof security […]

Critical Flaws Discovered in Jupiter X Core WordPress Plugin Affecting Over 90,000 Sites

27 September 2024
Security researchers have found critical flaws in the Jupiter X Core WordPress plugin, affecting over 90,000 websites. The vulnerabilities could allow attackers to take control of websites or hijack user accounts, including admin accounts.

Critical SQL Injection Vulnerability Discovered in ‘The Events Calendar’ WordPress Plugin

26 September 2024
A critical SQL injection vulnerability has been discovered in The Events Calendar WordPress plugin (CVE-2024-8275), affecting all versions up to 6.6.4. The vulnerability has a CVSS score of 9.8, indicating a high level of severity.

WP Engine is banned from WordPress.org

25 September 2024
Pending their legal claims and litigation against WordPress.org, WP Engine no longer has free access to WordPress.org's resources.

WordPress Theme & Plugin Vulnerabilities Expose Thousands of Sites

23 September 2024
Thousands of WordPress sites have been exposed to potential threats due to vulnerabilities in the Houzez theme and the WordPress Houzez Login Register plugin. The flaws are identified as CVE-2024-22303 and CVE-2024-21743. They affect versions up to 3.2.4 and 3.2.5 and are classified as high-priority issues with a CVSS score of 8.8, indicating significant risk. CVE-2024-22303 […]

WordPress to Require Two-Factor Authentication for Plugin Developers

16 September 2024
WordPress will require two-factor authentication for plugin developers starting October 1, 2024. This mandate will also apply to theme authors. The organization aims to enhance security by preventing hijacked accounts from spreading malicious code.

WordPress To Mandate 2FA for Theme And Plugin Developers

12 September 2024
Beginning on October 1st, 2024, WordPress will mandate two-factor authentication (2FA) for plugin and theme creators as a new security measure. Themes and plugins that are used by millions of WordPress websites worldwide can be updated and changed by accounts that have commit access. To stop unauthorized access and preserve the security and confidence of […]

WordPress Mandates Two-Factor Authentication for Plugin and Theme Developers

12 September 2024
WordPress.org has announced a new account security measure that will require accounts with capabilities to update plugins and themes to activate two-factor authentication (2FA) mandatorily. The enforcement is expected to come into effect starting October 1, 2024. "Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide," the

New Stealthy Malware Campaign Dubbed DarkCracks Exploits GLPI and WordPress Sites

07 September 2024
DarkCracks isn’t your typical malware campaign—it’s a sophisticated Launcher designed for long-term exploitation. It deploys malicious payloads through public websites, like school portals and booking systems, to infect unsuspecting users.

Critical Security Flaw Found in LiteSpeed Cache Plugin for WordPress

06 September 2024
Cybersecurity researchers have discovered yet another critical security flaw in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated users to take control of arbitrary accounts. The vulnerability, tracked as CVE-2024-44000 (CVSS score: 7.5), impacts versions before and including 6.4.1. It has been addressed in version 6.5.0.1. "The plugin suffers from an

Litespeed Cache Flaw Exposes Millions of WordPress Sites to Takeover Attacks

05 September 2024
Discovered by security researcher Rafie Muhammad, the flaw allows unauthorized users to take control of logged-in accounts, potentially gaining administrator privileges on WordPress sites.

Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution

28 August 2024
A critical security flaw has been disclosed in the WPML WordPress multilingual plugin that could allow authenticated users to execute arbitrary code remotely under certain circumstances. The vulnerability, tracked as CVE-2024-6386 (CVSS score: 9.9), impacts all versions of the plugin before 4.6.13, which was released on August 20, 2024. Arising due to missing input validation and sanitization,

WordPress Plugin Flaw Exposes 1,000,000 WordPress Sites to Remote Code Attacks

27 August 2024
A vulnerability in the WPML (WordPress Multilingual) plugin has put over a million WordPress sites at risk of remote code execution (RCE) attacks. This flaw allows authenticated users with contributor-level access or higher to execute arbitrary code on the server, potentially leading to a complete site takeover. The vulnerability, identified as CVE-2024-6386, affects all versions […]

Critical SSTI Flaw in WPML Plugin Exposes Millions of WordPress Sites to RCE Attacks

27 August 2024
This vulnerability allows authorized users to inject and execute malicious code through the plugin's shortcode feature, potentially leading to data theft and website takeover.

WordPress Websites Used to Distribute ClearFake Trojan Malware

26 August 2024
WordPress websites were found distributing the ClearFake Trojan malware, a dangerous threat that can lead to ransomware infections. The malware was disguised as a prompt to install a root certificate.

Critical Flaw in WordPress LiteSpeed Cache Plugin Allows Hackers Admin Access

22 August 2024
Cybersecurity researchers have disclosed a critical security flaw in the LiteSpeed Cache plugin for WordPress that could permit unauthenticated users to gain administrator privileges. "The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain Administrator level access after which malicious plugins could be uploaded and

Over 10,000 WordPress Sites at Risk: Critical File Deletion Flaw Found in InPost Plugins

21 August 2024
The vulnerability, known as CVE-2024-6500, affects the InPost PL and InPost for WooCommerce plugins, allowing attackers to read and delete sensitive files like the wp-config.php configuration file.

GiveWP WordPress Plugin Vulnerability Puts 100,000+ Websites at Risk

21 August 2024
A maximum-severity security flaw has been disclosed in the WordPress GiveWP donation and fundraising plugin that exposes more than 100,000 websites to remote code execution attacks. The flaw, tracked as CVE-2024-5932 (CVSS score: 10.0), impacts all versions of the plugin prior to version 3.14.2, which was released on August 7, 2024. A security researcher, who goes by the online alias villu164,

Critical WordPress Plugin RCE Vulnerability Impacts 100k+ Sites

20 August 2024
A severe security flaw has been discovered in GiveWP, a popular WordPress donation plugin with over 100,000 active installations. The vulnerability, classified as an unauthenticated PHP Object Injection leading to Remote Code Execution (RCE), was responsibly reported through the Wordfence Bug Bounty Program on May 26th, 2024. The critical vulnerability, assigned CVE-2024-5932 with a CVSS […]