Latest Updates and Insights on WordPress Security


WordPress Hunk Companion Plugin Flaw Exploited to Silently Install Vulnerable Plugins

12 December 2024
Malicious actors are exploiting a critical vulnerability in the Hunk Companion plugin for WordPress to install other vulnerable plugins that could open the door to a variety of attacks. The flaw, tracked as CVE-2024-11972 (CVSS score: 9.8), affects all versions of the plugin prior to 1.9.0. The plugin has over 10,000 active installations. "This flaw poses a significant security risk, as it

WordPress Gutenberg Editor Vulnerability Lets Attackers Inject Malicious Scripts

05 December 2024
A newly disclosed vulnerability in the Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress has raised concerns among website administrators and developers. The flaw, identified as CVE-2024-10178, allows attackers with contributor-level access or higher to inject malicious scripts into web pages through the plugin’s Countdown widget. While this vulnerability affects […] The post WordPress Gutenberg Editor Vulnerability Lets Attackers Inject Malicious Scripts appeared first on Cyber Security News.

Critical WordPress Anti-Spam Plugin Flaws Expose 200,000+ Sites to Remote Attacks

26 November 2024
Two critical security flaws impacting the Spam protection, Anti-Spam, and FireWall plugin for WordPress could allow an unauthenticated attacker to install and enable malicious plugins on susceptible sites and potentially achieve remote code execution. The vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, carry a CVSS score of 9.8 out of a maximum of 10.0. They were addressed in versions

WordPress Plugin Flaw Exposes 200,000 WordPress Sites To Hacking

26 November 2024
A critical vulnerability was discovered on October 30th, 2024 in the Anti-Spam by CleanTalk WordPress plugin, potentially affecting over 200,000 active installations. This flaw allows unauthenticated attackers to install and activate arbitrary plugins, which could lead to remote code execution on vulnerable sites. Vulnerabilities that were discovered in the WordPress plugin are tracked as “CVE-2024-10542” […]

Urgent: Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites

17 November 2024
A critical authentication bypass vulnerability has been disclosed in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress that, if successfully exploited, could allow an attacker to remotely gain full administrative access to a susceptible site. The vulnerability, tracked as CVE-2024-10924 (CVSS score: 9.8), impacts both free and premium versions of the plugin. The

WordPress Plugin Vulnerability Exposes 4M+ Websites To Hackers

15 November 2024
A critical security flaw in one of WordPress’s most popular plugins has left over 4 million websites vulnerable to potential hacking attempts. The Really Simple Security plugin, formerly known as Really Simple SSL, contains an authentication bypass vulnerability that could allow attackers to gain full administrative access to affected sites. The vulnerability, discovered by the […]

LiteSpeed Cache Plugin Vulnerability Poses Significant Risk to WordPress Websites

31 October 2024
A high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could allow an unauthenticated threat actor to elevate their privileges and perform malicious actions. The vulnerability, tracked as CVE-2024-50550 (CVSS score: 8.1), has been addressed in version 6.5.2 of the plugin. "The plugin suffers from an unauthenticated privilege escalation vulnerability

WordPress Plugin Jetpack Patches Major Vulnerability Affecting 27 Million Sites

15 October 2024
The maintainers of the Jetpack WordPress plugin have released a security update to remediate a critical vulnerability that could allow logged-in users to access forms submitted by others on a site. Jetpack, owned by WordPress maker Automattic, is an all-in-one plugin that offers a comprehensive suite of tools to improve site safety, performance, and traffic growth. It's used on 27 million

Secure Custom Fields

12 October 2024
On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem. On October 3rd, the ACF team announced […]

WordPress LiteSpeed Cache Plugin Security Flaw Exposes Sites to XSS Attacks

04 October 2024
A new high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable malicious actors to execute arbitrary JavaScript code under certain conditions. The flaw, tracked as CVE-2024-47374 (CVSS score: 7.2), has been described as a stored cross-site scripting (XSS) vulnerability impacting all versions of the plugin up to and including 6.5.0.2. It was

Critical GiveWP Flaw Puts 100k WordPress Sites at Risk

01 October 2024
The flaw allows attackers to execute code remotely by injecting a malicious PHP object due to improper handling of input during deserialization. This flaw is similar to CVE-2024-5932 but bypasses certain checks, making it even more dangerous.

WP Engine Reprieve

27 September 2024
I’ve heard from WP Engine customers that they are frustrated that WP Engine hasn’t been able to make updates, plugin directory, theme directory, and Openverse work on their sites. It saddens me that they’ve been negatively impacted by Silver Lake’s commercial decisions. On WP Engine’s homepage, they promise “Unmatched performance, automated updates, and bulletproof security […]

Critical Flaws Discovered in Jupiter X Core WordPress Plugin Affecting Over 90,000 Sites

27 September 2024
Security researchers have found critical flaws in the Jupiter X Core WordPress plugin, affecting over 90,000 websites. The vulnerabilities could allow attackers to take control of websites or hijack user accounts, including admin accounts.

Critical SQL Injection Vulnerability Discovered in ‘The Events Calendar’ WordPress Plugin

26 September 2024
A critical SQL injection vulnerability has been discovered in The Events Calendar WordPress plugin (CVE-2024-8275), affecting all versions up to 6.6.4. The vulnerability has a CVSS score of 9.8, indicating a high level of severity.

WP Engine is banned from WordPress.org

25 September 2024
Pending their legal claims and litigation against WordPress.org, WP Engine no longer has free access to WordPress.org's resources.

WordPress Theme & Plugin Vulnerabilities Expose Thousands of Sites

23 September 2024
Thousands of WordPress sites have been exposed to potential threats due to vulnerabilities in the Houzez theme and the WordPress Houzez Login Register plugin. The flaws are identified as CVE-2024-22303 and CVE-2024-21743. They affect versions up to 3.2.4 and 3.2.5 respectively and are classified as high-priority issues with a CVSS score of 8.8, indicating significant risk. CVE-2024-22303 […]

WordPress to Require Two-Factor Authentication for Plugin Developers

16 September 2024
WordPress will require two-factor authentication for plugin developers starting October 1, 2024. This mandate will also apply to theme authors. The organization aims to enhance security by preventing hijacked accounts from spreading malicious code.

WordPress To Mandate 2FA for Theme And Plugin Developers

12 September 2024
Beginning on October 1st, 2024, WordPress will mandate two-factor authentication (2FA) for plugin and theme creators as a new security measure. Themes and plugins that are used by millions of WordPress websites worldwide can be updated and changed by accounts that have commit access. To stop illegal access and preserve the security and confidence of […]

WordPress Mandates Two-Factor Authentication for Plugin and Theme Developers

12 September 2024
WordPress.org has announced a new account security measure that will require accounts with capabilities to update plugins and themes to activate two-factor authentication (2FA) mandatorily. The enforcement is expected to come into effect starting October 1, 2024. "Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide," the

New Stealthy Malware Campaign Dubbed DarkCracks Exploits GLPI and WordPress Sites

07 September 2024
DarkCracks isn’t your typical malware campaign—it’s a sophisticated Launcher designed for long-term exploitation. It deploys malicious payloads through public websites, like school portals and booking systems, to infect unsuspecting users.