Latest Updates and Insights on WordPress Security
15 April 2026

A group of trusted WordPress plugins quietly carried a hidden backdoor for eight full months, and nobody noticed until the damage had already been done. The attack, uncovered in April 2026, did not begin with a dramatic breach. It started with the silent purchase of a legitimate plugin business on a public marketplace, setting the […]
The post Hackers Hide Backdoor in Trusted WordPress Plugins for 8 Months Before Activating Malware appeared first on Cyber Security News.
13 April 2026

A critical security flaw found in a widely used WordPress plugin is putting thousands of websites at serious risk worldwide. Tracked as CVE-2026-1492, this vulnerability affects the User Registration & Membership plugin for WordPress and lets attackers completely bypass the login process to gain full administrator access — all without needing a username, password, or […]
The post Critical WordPress Plugin Flaw Lets Attackers Bypass Authentication and Gain Admin Access appeared first on Cyber Security News.
07 April 2026

A critical security flaw in the popular WordPress plugin “Ninja Forms – File Upload” has left approximately 50,000 websites vulnerable to complete takeover. Tracked as CVE-2026-0740, this flaw carries a CVSS severity score of 9.8, a critical rating that requires immediate attention from website administrators. Discovered by security researcher Sélim Lanouar, who […]
The post 50,000 WordPress Sites Exposed to Critical Ninja Forms File Upload RCE Vulnerability appeared first on Cyber Security News.
06 April 2026

A new supply chain attack is targeting developers after threat actors compromised the official WordPress domain for ILSpy on April 6, 2026. Instead of providing the legitimate software, the hijacked website began redirecting visitors to a malicious webpage to deliver malware. Normally, clicking the download button on the ILSpy website sends users directly to the project’s […]
The post Hackers Compromised ILSpy WordPress Domain to Deliver Malware appeared first on Cyber Security News.
31 March 2026

A high-severity security flaw has been disclosed in Smart Slider 3, one of the most widely used WordPress slider builder plugins. With over 800,000 active installations, this vulnerability leaves a massive number of websites exposed to severe data theft. Tracked as CVE-2026-3098, this medium-severity flaw allows attackers with minimal permissions to access and download highly sensitive […]
The post WordPress Plugin Vulnerability Exposes Sensitive Data From 800,000+ Sites appeared first on Cyber Security News.
10 March 2026
WordPress 6.9.2 is now available! This is a security release that features several fixes. Because this is a security release, it is recommended that you update your sites immediately. You can download WordPress 6.9.2 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”. If you have sites that support automatic […]
06 March 2026

A critical security flaw, identified as CVE-2026-1492, has been found in the User Registration & Membership plugin for WordPress. This vulnerability allows unauthenticated attackers to bypass security controls and create administrator accounts, leading to a complete website takeover. The User Registration & Membership plugin helps website owners create custom registration forms and manage user profiles. However, versions up to and including 5.1.2 suffer from a […]
The post WordPress Membership Plugin Vulnerability Let Attackers Create Admin Accounts appeared first on Cyber Security News.
23 February 2026

A threat actor known as GrayCharlie has been compromising WordPress websites since mid-2023, silently embedding malicious JavaScript to push malware onto visiting users. The group overlaps with the previously tracked SmartApeSG cluster, also called ZPHP or HANEMONEY. Its main tool is NetSupport RAT, a remote access trojan that gives attackers direct control over infected machines. […]
The post GrayCharlie Injects Malicious JavaScript into WordPress Sites to Deliver NetSupport RAT and Stealc appeared first on Cyber Security News.
12 February 2026

A critical flaw in the WPvivid Backup & Migration WordPress plugin can let an unauthenticated attacker upload files and run code on the server, a path that often ends in full site takeover. The issue is tracked as CVE-2026-1357, scored 9.8 (Critical), and affects plugin versions up to and including 0.9.123, with a fix available […]
The post WordPress Backup Plugin Vulnerability Exposes 800,000 Sites to Remote Code Execution Attacks appeared first on Cyber Security News.
08 December 2025
A critical security flaw in the Sneeit Framework plugin for WordPress is being actively exploited in the wild, per data from Wordfence.
The remote code execution vulnerability in question is CVE-2025-6389 (CVSS score: 9.8), which affects all versions of the plugin prior to and including 8.3. It has been patched in version 8.4, released on August 5, 2025. The plugin has more than 1,700 active
03 December 2025
A critical security flaw impacting a WordPress plugin known as King Addons for Elementor has come under active exploitation in the wild.
The vulnerability, CVE-2025-8489 (CVSS score: 9.8), is a case of privilege escalation that allows unauthenticated attackers to grant themselves administrative privileges by simply specifying the administrator user role during registration.
It affects versions
03 December 2025

A critical security flaw in the popular “King Addons for Elementor” WordPress plugin has left thousands of websites at risk of complete takeover, security researchers have warned. The vulnerability, tracked as CVE-2025-8489, allows unauthenticated attackers to register new accounts with full administrator rights by abusing an insecure registration function in the plugin. King Addons for […]
The post Critical Elementor Plugin Vulnerability Let Attackers Takeover WordPress Site Admin Control appeared first on Cyber Security News.
03 December 2025

A serious vulnerability has been discovered in the King Addons for Elementor WordPress plugin, affecting more than 10,000 active installations worldwide. The flaw allows unauthenticated attackers to gain full administrative control over WordPress websites by simply registering a new account with administrator privileges. The vulnerability was first reported on July 24th, 2025, and has now […]
The post Critical Elementor Plugin Vulnerability Let Attackers Takeover WordPress Site Admin Control appeared first on Cyber Security News.
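The three items above describe the same bug class: a public registration handler that lets the client pick its own user role. The snippet below is an added illustration, not the King Addons for Elementor plugin's code and not from Cyber Security News; the field names (`username`, `email`, `role`), the allowlist and the constructed request are assumptions made for the example. It shows the vulnerable pattern beside a hardened one and runs in plain PHP without WordPress.

```php
<?php
// Added illustration of client-chosen roles during registration. Not the plugin's
// real code; field names, allowlist and the request below are assumptions.

declare(strict_types=1);

/**
 * Vulnerable pattern: whatever "role" the registration request carries is copied
 * into the new user record. In WordPress, handing this array to wp_insert_user()
 * creates the account with that role, so role=administrator yields an administrator.
 */
function build_new_user_vulnerable(array $request): array
{
    return [
        'user_login' => $request['username'],
        'user_email' => $request['email'],
        'role'       => $request['role'] ?? 'subscriber',
    ];
}

/**
 * Hardened pattern: the client never selects its own role. A self-service form gets
 * the site's configured default role (WordPress keeps this in the "default_role"
 * option; a string parameter stands in for get_option('default_role') so this runs
 * without WordPress), and even that default is checked against an allowlist of
 * low-privilege roles before it is used.
 */
function build_new_user_hardened(array $request, string $default_role = 'subscriber'): array
{
    // Assumed allowlist: roles a public registration form may ever produce. Privileged
    // roles (administrator, editor, shop_manager, ...) are never on it, whatever the input.
    $allowed_self_service_roles = ['subscriber', 'customer'];

    $role = in_array($default_role, $allowed_self_service_roles, true)
        ? $default_role
        : 'subscriber';

    return [
        'user_login' => $request['username'],
        'user_email' => $request['email'],
        'role'       => $role,
    ];
}

/**
 * A legitimate registration form never sends a role, so its presence is a tamper
 * signal worth logging or rate-limiting even though the hardened handler ignores it.
 */
function request_tampers_with_role(array $request): bool
{
    return array_key_exists('role', $request);
}

// Constructed request modelled on the attack described in the articles: an anonymous
// visitor submits the registration form with an extra role field.
$attacker_request = [
    'username' => 'eve',
    'email'    => 'eve@example.test',
    'role'     => 'administrator',
];

$vulnerable = build_new_user_vulnerable($attacker_request);
$hardened   = build_new_user_hardened($attacker_request);

printf("vulnerable handler assigns role: %s\n", $vulnerable['role']);
printf("hardened handler assigns role:   %s\n", $hardened['role']);
printf(
    "request carried a client-chosen role: %s\n",
    request_tampers_with_role($attacker_request) ? 'yes' : 'no'
);
```

Run it with `php example.php`. The fix is not input validation on the role value but removing the client from the decision entirely: the server picks the role from its own configuration. To check an existing site for accounts that may already have been created this way, WP-CLI's `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` lists every administrator with its registration date; any unrecognised account registered after the vulnerable plugin was installed deserves investigation.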
18 November 2025

A critical command injection vulnerability has been discovered in the W3 Total Cache plugin, one of WordPress’s most popular caching solutions used by approximately 1 million websites. The vulnerability, tracked as CVE-2025-9501 with a CVSS severity score of 9.0 (Critical), allows unauthenticated attackers to execute arbitrary PHP commands directly on vulnerable servers. The flaw exists in […]
The post W3 Total Cache Command Injection Vulnerability Exposes 1 Million WordPress Sites to RCE Attacks appeared first on Cyber Security News.
11 November 2025
The malware known as GootLoader has resurfaced yet again after a brief spike in activity earlier this March, according to new findings from Huntress.
The cybersecurity company said it observed three GootLoader infections since October 27, 2025, out of which two resulted in hands-on keyboard intrusions with domain controller compromise taking place within 17 hours of initial infection.
05 November 2025

A critical security vulnerability in the AI Engine WordPress plugin has put more than 100,000 active installations at risk of privilege escalation attacks. The flaw, tracked as CVE-2025-11749 with a CVSS score of 9.8, allows unauthenticated attackers to extract bearer tokens and gain complete administrative control over vulnerable WordPress sites. Security researcher Emiliano Versini discovered […]
The post AI Engine WordPress Plugin Exposes 100,000 WordPress Sites to Privilege Escalation Attacks appeared first on Cyber Security News.
05 November 2025

A critical security flaw in the WordPress Post SMTP plugin has left more than 400,000 websites vulnerable to account takeover attacks. The vulnerability, identified as CVE-2025-11833, enables unauthenticated attackers to access email logs containing sensitive password reset information, potentially compromising administrator accounts and entire websites. The flaw stems from a missing authorization check in the […]
The post WordPress Post SMTP Plugin Vulnerability Exposes 400,000 Websites to Account Takeover Attacks appeared first on Cyber Security News.
29 October 2025

A critical cross-site scripting (XSS) vulnerability has been discovered in the popular LiteSpeed Cache plugin for WordPress, affecting millions of websites worldwide. The vulnerability, tracked as CVE-2025-12450, poses a significant risk to site visitors and administrators alike. The LiteSpeed Cache plugin is one of the most widely used performance optimization tools in the WordPress ecosystem, […]
The post WordPress Plugin Vulnerability Exposes 7 Million Sites to XSS Attack appeared first on Cyber Security News.
27 October 2025

Threat actors have launched a significant mass exploitation campaign targeting critical vulnerabilities in two popular WordPress plugins, GutenKit and Hunk Companion, affecting hundreds of thousands of websites globally. These vulnerabilities, discovered in September and October 2024, have resurfaced as an active threat in October 2025, demonstrating the persistent danger of unpatched installations. The attack vectors […]
The post Hackers Actively Exploiting WordPress Arbitrary Installation Vulnerabilities in The Wild appeared first on Cyber Security News.
16 October 2025
A financially motivated threat actor codenamed UNC5142 has been observed abusing blockchain smart contracts as a way to facilitate the distribution of information stealers such as Atomic (AMOS), Lumma, Rhadamanthys (aka RADTHIEF), and Vidar, targeting both Windows and Apple macOS systems.
"UNC5142 is characterized by its use of compromised WordPress websites and 'EtherHiding,' a technique used