Latest Updates and Insights on WordPress Security


Critical WordPress Plugin Vulnerability Exposes 600,000+ Sites to Remote Takeover

02 July 2025
A severe arbitrary file deletion vulnerability has been discovered in the popular Forminator WordPress plugin, affecting over 600,000 active installations worldwide. The vulnerability, assigned CVE-2025-6463 with a high CVSS rating of 8.8, allows unauthenticated attackers to delete critical system files, including wp-config.php, potentially leading to complete site takeover and remote code execution. […] The post Critical WordPress Plugin Vulnerability Exposes 600,000+ Sites to Remote Takeover appeared first on Cyber Security News.

Stealthy WordPress Malware Deliver Windows Trojan via PHP Backdoor

01 July 2025
A sophisticated multi-stage malware campaign has been discovered targeting WordPress websites, employing an intricate infection chain that delivers Windows trojans to unsuspecting visitors while remaining invisible to standard security checks. The malware represents a significant evolution in web-based attack techniques, combining PHP backdoors with advanced evasion mechanisms to establish persistent access to victim systems. […] The post Stealthy WordPress Malware Deliver Windows Trojan via PHP Backdoor appeared first on Cyber Security News.

Sophisticated Malware Campaign Targets WordPress and WooCommerce Sites with Obfuscated Skimmers

24 June 2025
A sophisticated malware campaign has emerged targeting WordPress and WooCommerce websites with highly obfuscated credit card skimmers and credential theft capabilities, representing a significant escalation in e-commerce cyberthreats. The malware family demonstrates advanced technical sophistication through its modular architecture, featuring multiple variants designed for different malicious purposes including payment data theft, WordPress credential harvesting, and […] The post Sophisticated Malware Campaign Targets WordPress and WooCommerce Sites with Obfuscated Skimmers appeared first on Cyber Security News.

Dropping security updates for WordPress versions 4.1 through 4.6

19 June 2025
As of July 2025, the WordPress Security Team will no longer provide security updates for WordPress versions 4.1 through 4.6. These versions were first released nine or more years ago, and over 99% of WordPress installations run a more recent version. The chances that this will affect your site, or sites, are very small. If you […]

Hundreds of WordPress Websites Hacked By VexTrio Viper Group to Run Massive TDS Services

14 June 2025
A sophisticated cybercriminal enterprise known as VexTrio has orchestrated one of the most extensive WordPress compromise campaigns ever documented, hijacking hundreds of thousands of websites globally to operate massive traffic distribution systems (TDS) that funnel victims into elaborate scam networks. This malicious operation, which has been active since at least 2015, represents a paradigm shift […] The post Hundreds of WordPress Websites Hacked By VexTrio Viper Group to Run Massive TDS Services appeared first on Cyber Security News.

WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network

12 June 2025
The threat actors behind the VexTrio Viper Traffic Distribution Service (TDS) have been linked to other TDS services like Help TDS and Disposable TDS, indicating that the sophisticated cybercriminal operation is a sprawling enterprise of its own that's designed to distribute malicious content. "VexTrio is a group of malicious adtech companies that distribute scams and harmful software via

WordPress Admins Beware! Fake Cache Plugin that Steals Admin Logins

05 June 2025
A sophisticated malware campaign targeting WordPress administrators has been discovered, utilizing a deceptive caching plugin to steal login credentials and compromise website security. Security researchers have identified a malicious plugin disguised as "wp-runtime-cache" that specifically targets users with administrative privileges, exfiltrating sensitive authentication data to external servers controlled by cybercriminals. […] The post WordPress Admins Beware! Fake Cache Plugin that Steals Admin Logins appeared first on Cyber Security News.

Over 100,000 WordPress Sites at Risk from Critical CVSS 10.0 Vulnerability in Wishlist Plugin

29 May 2025
Cybersecurity researchers have disclosed a critical unpatched security flaw impacting TI WooCommerce Wishlist plugin for WordPress that could be exploited by unauthenticated attackers to upload arbitrary files. TI WooCommerce Wishlist, which has over 100,000 active installations, is a tool to allow e-commerce site customers to save their favorite products for later and share the lists on social

WordPress TI WooCommerce Wishlist Plugin Vulnerability Exposes 100,000+ Websites To Cyberattack

28 May 2025
A critical security vulnerability in the popular TI WooCommerce Wishlist plugin has left over 100,000 WordPress websites exposed to potential cyberattacks, with security researchers warning of imminent exploitation risks. The vulnerability, designated as CVE-2025-47577 and assigned the maximum CVSS score of 10.0, enables unauthenticated attackers to upload arbitrary files to affected websites, potentially leading to […] The post WordPress TI WooCommerce Wishlist Plugin Vulnerability Exposes 100,000+ Websites To Cyberattack appeared first on Cyber Security News.

WordPress Plugin Vulnerability Exposes 22,000 Sites to Cyber Attacks

20 May 2025
A critical security vulnerability discovered in the popular Motors WordPress theme has exposed approximately 22,000 websites to significant risk. Security researchers have identified a privilege escalation vulnerability that allows unauthenticated attackers to take over administrative accounts, potentially compromising the entire website. This vulnerability (CVE-2025-4322) carries a critical CVSS score of 9.8 and affects all versions […] The post WordPress Plugin Vulnerability Exposes 22,000 Sites to Cyber Attacks appeared first on Cyber Security News.

Critical WordPress Plugin Vulnerability Exposes 10K+ Sites to Cyber Attack

17 May 2025
A severe privilege escalation vulnerability has been discovered in the popular WordPress plugin Eventin, putting more than 10,000 websites at risk of complete compromise. The vulnerability, now tracked as CVE-2025-47539, allows unauthenticated attackers to create administrator accounts without any user interaction, giving them full control over affected websites. Security researchers are urging site owners to […] The post Critical WordPress Plugin Vulnerability Exposes 10K+ Sites to Cyber Attack appeared first on Cyber Security News.

82,000+ WordPress Sites Exposed to Remote Code Execution Attacks

14 May 2025
Critical vulnerabilities were identified in TheGem, a premium WordPress theme with more than 82,000 installations worldwide. Researchers identified two separate but interconnected vulnerabilities in TheGem theme versions 5.10.3 and earlier. When combined, these vulnerabilities create a dangerous attack vector that could lead to remote code execution and complete site compromise. "The downloaded file is copied […] The post 82,000+ WordPress Sites Exposed to Remote Code Execution Attacks appeared first on Cyber Security News.

OttoKit WordPress Plugin with 100K+ Installs Hit by Exploits Targeting Multiple Flaws

07 May 2025
A second security flaw impacting the OttoKit (formerly SureTriggers) WordPress plugin has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-27007 (CVSS score: 9.8), is a privilege escalation bug impacting all versions of the plugin prior to and including version 1.0.82.  "This is due to the create_wp_connection() function missing a capability check and

Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers

01 May 2025
Cybersecurity researchers have shed light on a new campaign targeting WordPress sites that disguises the malware as a security plugin. The plugin, which goes by the name "WP-antymalwary-bot.php," comes with a variety of features to maintain access, hide itself from the admin dashboard, and execute remote code. "Pinging functionality that can report back to a command-and-control (C&C) server

New WordPress Malware as Anti-Malware Plugin Take Full Control of Website

01 May 2025
A sophisticated malware variant masquerading as a legitimate WordPress security plugin has been identified, capable of providing attackers with persistent access to compromised websites. The malicious code appears in the file system under innocuous names such as 'WP-antymalwary-bot.php' or 'wp-performance-booster.php', creating a facade of legitimacy while harboring dangerous capabilities including remote code execution, administrator access […] The post New WordPress Malware as Anti-Malware Plugin Take Full Control of Website appeared first on Cyber Security News.

100,000+ Installed WordPress Plugin Critical Vulnerability Exploited Within 4 Hours of Disclosure

15 April 2025
A severe vulnerability in the popular WordPress plugin SureTriggers has been actively exploited within just four hours of its public disclosure on April 10, 2025. The critical authentication bypass flaw affects all versions of the plugin up to 1.0.78, which has over 100,000 installations worldwide. This vulnerability allows unauthenticated attackers to create administrative user accounts […] The post 100,000+ Installed WordPress Plugin Critical Vulnerability Exploited Within 4 Hours of Disclosure appeared first on Cyber Security News.

OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation

11 April 2025
A newly disclosed high-severity security flaw impacting OttoKit (formerly SureTriggers) has come under active exploitation within a few hours of public disclosure. The vulnerability, tracked as CVE-2025-3102 (CVSS score: 8.1), is an authorization bypass bug that could permit an attacker to create administrator accounts under certain conditions and take control of susceptible websites. "The

Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images

31 March 2025
Threat actors are using the "mu-plugins" directory in WordPress sites to conceal malicious code with the goal of maintaining persistent remote access and redirecting site visitors to bogus sites. mu-plugins, short for must-use plugins, refers to plugins in a special directory ("wp-content/mu-plugins") that are automatically executed by WordPress without the need to enable them explicitly via the

WordPress Plug-in Vulnerability Let Hackers Inject Malicious SQL Queries

24 March 2025
A critical vulnerability has been identified in GamiPress, a popular WordPress plugin used for gamification and rewards systems on websites. The high-impact flaw, categorized as CVE-2024-13496 with a CVSS 3.1 score of 7.5, allowed unauthenticated attackers to inject malicious SQL queries that could potentially compromise entire WordPress installations. The vulnerability, which affected all GamiPress versions up to 7.3.1, […] The post WordPress Plug-in Vulnerability Let Hackers Inject Malicious SQL Queries appeared first on Cyber Security News.

WordPress Plugin Vulnerability Exposes 200k+ Sites to Code Execution Attacks

24 March 2025
A critical vulnerability has been identified in WP Ghost, a popular WordPress security plugin with over 200,000 active installations. The high-severity flaw, tracked as CVE-2025-26909 with a CVSS score of 9.6, allows unauthenticated attackers to exploit a Local File Inclusion (LFI) vulnerability that can lead to Remote Code Execution (RCE). Website administrators are strongly advised to update immediately […] The post WordPress Plugin Vulnerability Exposes 200k+ Sites to Code Execution Attacks appeared first on Cyber Security News.