Latest Updates and Insights on WordPress Security
12 December 2024
Malicious actors are exploiting a critical vulnerability in the Hunk Companion plugin for WordPress to install other vulnerable plugins that could open the door to a variety of attacks.
The flaw, tracked as CVE-2024-11972 (CVSS score: 9.8), affects all versions of the plugin prior to 1.9.0. The plugin has over 10,000 active installations.
"This flaw poses a significant security risk, as it
05 December 2024
A newly disclosed vulnerability in the Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress has raised concerns among website administrators and developers. The flaw, identified as CVE-2024-10178, allows attackers with contributor-level access or higher to inject malicious scripts into web pages through the plugin’s Countdown widget. While this vulnerability affects […]
The post WordPress Gutenberg Editor Vulnerability Let Attackers Inject Malicious Scripts appeared first on Cyber Security News.
26 November 2024
Two critical security flaws impacting the Spam protection, Anti-Spam, and FireWall plugin WordPress could allow an unauthenticated attacker to install and enable malicious plugins on susceptible sites and potentially achieve remote code execution.
The vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, carry a CVSS score of 9.8 out of a maximum of 10.0. They were addressed in versions
26 November 2024
A critical vulnerability was discovered on October 30th, 2024 in the Anti-Spam by CleanTalk WordPress plugin, potentially affecting over 200,000 active installations. This flaw allows unauthenticated attackers to install and activate arbitrary plugins, which could lead to remote code execution on vulnerable sites. Vulnerabilities that were discovered in the WordPress plugin are tracked as “CVE-2024-10542” […]
The post WordPress Plugin Flaw Exposes 200,000 WordPress Sites To Hacking appeared first on Cyber Security News.
17 November 2024
A critical authentication bypass vulnerability has been disclosed in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress that, if successfully exploited, could grant an attacker to remotely gain full administrative access to a susceptible site.
The vulnerability, tracked as CVE-2024-10924 (CVSS score: 9.8), impacts both free and premium versions of the plugin. The
15 November 2024
A critical security flaw in one of WordPress’s most popular plugins has left over 4 million websites vulnerable to potential hacking attempts. The Really Simple Security plugin, formerly known as Really Simple SSL, contains an authentication bypass vulnerability that could allow attackers to gain full administrative access to affected sites. The vulnerability, discovered by the […]
The post WordPress Plugin Vulnerability Exposes 4M+ Websites To Hackers appeared first on Cyber Security News.
31 October 2024
A high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could allow an unauthenticated threat actor to elevate their privileges and perform malicious actions.
The vulnerability, tracked as CVE-2024-50550 (CVSS score: 8.1), has been addressed in version 6.5.2 of the plugin.
"The plugin suffers from an unauthenticated privilege escalation vulnerability
15 October 2024
The maintainers of the Jetpack WordPress plugin have released a security update to remediate a critical vulnerability that could allow logged-in users to access forms submitted by others on a site.
Jetpack, owned by WordPress maker Automattic, is an all-in-one plugin that offers a comprehensive suite of tools to improve site safety, performance, and traffic growth. It's used on 27 million
12 October 2024
On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem. On October 3rd, the ACF team announced […]
04 October 2024
A new high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable malicious actors to execute arbitrary JavaScript code under certain conditions.
The flaw, tracked as CVE-2024-47374 (CVSS score: 7.2), has been described as a stored cross-site scripting (XSS) vulnerability impacting all versions of the plugin up to and including 6.5.0.2.
It was
01 October 2024
The flaw allows attackers to execute code remotely by injecting a malicious PHP object due to improper handling of input during deserialization. This flaw is similar to CVE-2024-5932 but bypasses certain checks, making it even more dangerous.
27 September 2024
I’ve heard from WP Engine customers that they are frustrated that WP Engine hasn’t been able to make updates, plugin directory, theme directory, and Openverse work on their sites. It saddens me that they’ve been negatively impacted by Silver Lake‘s commercial decisions. On WP Engine’s homepage, they promise “Unmatched performance, automated updates, and bulletproof security […]
27 September 2024
Security researchers have found critical flaws in the Jupiter X Core WordPress plugin, affecting over 90,000 websites. The vulnerabilities could allow attackers to take control of websites or hijack user accounts, including admin accounts.
26 September 2024
A critical SQL injection vulnerability has been discovered in The Events Calendar WordPress plugin (CVE-2024-8275), affecting all versions up to 6. 6. 4. The vulnerability has a CVSS score of 9. 8, indicating a high level of severity.
25 September 2024
Pending their legal claims and litigation against WordPress.org, WP Engine no longer has free access to WordPress.org's resources.
23 September 2024
Thousands of WordPress sites have been exposed to potential threats due to vulnerabilities in the Houzez theme and WordPress Houzez Login Register plugin. The flaw is identified as CVE-2024-22303 and CVE-2024-21743. It affects versions up to 3.2.4 and 3.2.5 and is classified as a high-priority issue with a CVSS score of 8.8, indicating significant risk. CVE-2024-22303 […]
The post WordPress Theme & Plugin Vulnerabilities Exposes Thousands of Sites appeared first on Cyber Security News.
16 September 2024
WordPress will require two-factor authentication for plugin developers starting October 1, 2024. This mandate will also apply to theme authors. The organization aims to enhance security by preventing hijacked accounts from spreading malicious code.
12 September 2024
Beginning on October 1st, 2024, WordPress will mandate two-factor authentication (2FA) for plugin and theme creators as a new security measure. Themes and plugins that are used by millions of WordPress websites worldwide can be updated and changed by accounts that have commit access. To stop illegal access and preserve the security and confidence of […]
The post WordPress To Mandate 2FA for Theme And Plugin Developers appeared first on Cyber Security News.
12 September 2024
WordPress.org has announced a new account security measure that will require accounts with capabilities to update plugins and themes to activate two-factor authentication (2FA) mandatorily.
The enforcement is expected to come into effect starting October 1, 2024.
"Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide," the
07 September 2024
DarkCracks isn’t your typical malware campaign—it’s a sophisticated Launcher designed for long-term exploitation. It deploys malicious payloads through public websites, like school portals and booking systems, to infect unsuspecting users.