Latest Updates and Insights on WordPress Security


Popular WordPress Plugin Scripts Tampered to Plant Hidden Backdoors on Sites

15 June 2026
An attacker tampered with trusted JavaScript files used by WordPress sites running PushEngage, OptinMonster, and TrustPulse, turning those files into a way to break into the sites. When a site administrator was logged in as the file loaded, the code created an admin account under the attacker's control and installed a hidden plugin that opened a way back in. Ordinary visitors did not trigger it

Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites

05 June 2026
Threat actors are actively exploiting a critical security flaw in Everest Forms Pro, a WordPress plugin with about 4,000 active installations, to execute arbitrary code, leading to a complete site compromise. The vulnerability in question is CVE-2026-3300 (CVSS score: 9.8), a remote code execution bug impacting all versions of the plugin up to, and including, 1.9.12. A patch for the flaw was

Hackers Actively Exploiting WordPress Plugin Vulnerability to Inject Malicious PHP Code

04 June 2026
Hackers are actively exploiting a critical remote code execution (RCE) vulnerability in the Everest Forms Pro WordPress plugin, allowing unauthenticated attackers to inject and execute arbitrary PHP code on vulnerable websites. The flaw, tracked as CVE-2026-3300 with a CVSS score of 9.8, affects all versions up to 1.9.12 and has already been observed in widespread […] Source: Cyber Security News.

WordPress Plugin Vulnerability Exposes 500,000+ Websites to Privilege Escalation Attacks

03 June 2026
A critical security flaw in the widely used Kirki WordPress plugin has exposed over 500,000 websites to potential account takeover attacks, with researchers warning that approximately 150,000 sites are actively vulnerable because they run affected versions. Tracked as CVE-2026-8206 with a CVSS score of 9.8, the vulnerability impacts Kirki plugin versions 6.0.0 through 6.0.6. The issue […] Source: Cyber Security News.

WordPress Malware Abuses Steam Community Profiles for C2 Operations

02 June 2026
A newly discovered malware campaign targeting WordPress websites has raised serious concerns across the web security community. Attackers behind this campaign are using an unexpected method to communicate with infected sites, hiding command instructions inside Steam Community profile comments and turning a popular gaming platform into a covert control channel. The malware works in two […] Source: Cyber Security News.

WP23

27 May 2026
WordPress at 23 is simultaneously both the strongest and most precarious it’s ever been. Last week, we shipped WordPress 7 to the world. In seven days, 46% of all WordPresses, tens of millions across countless different hosting environments, are already on 7.0, auto-updated with no breakage. From a Raspberry Pi to the most secure sites […]

1 Million WordPress Sites Affected by Avada Builder File Read and SQL Injection Flaws

18 May 2026
A widely used WordPress plugin powering over one million websites has been hit by two serious vulnerabilities that could allow attackers to steal sensitive data and access server files. Security researchers warn that the flaws in the Avada Builder plugin could be actively exploited if sites remain unpatched. The issues, discovered by researcher Rafie Muhammad through […] Source: Cyber Security News.

Critical WordPress Plugin Vulnerability Exposes Websites to Authentication Bypass Attacks

18 May 2026
A critical vulnerability in a widely used WordPress plugin has exposed over 200,000 websites to full account takeover, raising urgent concerns across the security community. Discovered on May 8, 2026, by Wordfence’s AI-powered PRISM threat intelligence platform, the flaw affects the Burst Statistics plugin, a privacy-focused analytics tool. Tracked as CVE-2026-8181 with a CVSS score […] Source: Cyber Security News.

WordPress Plugin Hacked Since 2020 to Inject Malicious Code Silently

30 April 2026
A massive supply chain attack has been uncovered in the Quick Page/Post Redirect Plugin, a popular WordPress plugin with over 70,000 active installations. Security researcher Austin Ginder discovered a dormant backdoor introduced five years ago that silently injects arbitrary code into websites. The malicious code bypassed official security checks by leveraging a custom remote update […] Source: Cyber Security News.

Hackers Hide Backdoor in Trusted WordPress Plugins for 8 Months Before Activating Malware

15 April 2026
A group of trusted WordPress plugins quietly carried a hidden backdoor for eight full months, and nobody noticed until the damage had already been done. The attack, uncovered in April 2026, did not begin with a dramatic breach. It started with the silent purchase of a legitimate plugin business on a public marketplace, setting the […] Source: Cyber Security News.

Critical WordPress Plugin Flaw Lets Attackers Bypass Authentication and Gain Admin Access

13 April 2026
A critical security flaw found in a widely used WordPress plugin is putting thousands of websites at serious risk worldwide. Tracked as CVE-2026-1492, this vulnerability affects the User Registration & Membership plugin for WordPress and lets attackers completely bypass the login process to gain full administrator access — all without needing a username, password, or […] Source: Cyber Security News.

50,000 WordPress Sites Exposed to Critical Ninja Forms File Upload RCE Vulnerability

07 April 2026
A critical security flaw in the popular WordPress plugin “Ninja Forms – File Upload” has left approximately 50,000 websites vulnerable to complete takeover. Tracked as CVE-2026-0740, this flaw boasts a maximum CVSS severity score of 9.8, making it a severe threat that requires immediate attention from website administrators. Discovered by security researcher Sélim Lanouar, who […] Source: Cyber Security News.

Hackers Compromised ILSpy WordPress Domain to Deliver Malware

06 April 2026
A new supply chain attack is targeting developers after threat actors compromised the official WordPress domain for ILSpy on April 6, 2026. Instead of providing the legitimate software, the hijacked website began redirecting visitors to a malicious webpage to deliver malware. Normally, clicking the download button on the ILSpy website sends users directly to the project’s […] Source: Cyber Security News.

WordPress Plugin Vulnerability Exposes Sensitive Data From 800,000+ Sites

31 March 2026
A high-severity security flaw has been disclosed in Smart Slider 3, one of the most widely used WordPress slider builder plugins. With over 800,000 active installations, this vulnerability leaves a massive number of websites exposed to severe data theft. Tracked as CVE-2026-3098, this medium-severity flaw allows attackers with minimal permissions to access and download highly sensitive […] Source: Cyber Security News.

WordPress 6.9.2 Release

10 March 2026
WordPress 6.9.2 is now available! This is a security release that features several fixes. Because this is a security release, it is recommended that you update your sites immediately. You can download WordPress 6.9.2 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”. If you have sites that support automatic […]

WordPress Membership Plugin Vulnerability Let Attackers Create Admin Accounts

06 March 2026
A critical security flaw, identified as CVE-2026-1492, has been found in the User Registration & Membership plugin for WordPress. This vulnerability allows unauthenticated attackers to bypass security controls and create administrator accounts, leading to a complete website takeover. The User Registration & Membership plugin helps website owners create custom registration forms and manage user profiles. However, versions up to and including 5.1.2 suffer from a […] Source: Cyber Security News.

GrayCharlie Injects Malicious JavaScript into WordPress Sites to Deliver NetSupport RAT and Stealc

23 February 2026
A threat actor known as GrayCharlie has been compromising WordPress websites since mid-2023, silently embedding malicious JavaScript to push malware onto visiting users. The group overlaps with the previously tracked SmartApeSG cluster, also called ZPHP or HANEMONEY. Its main tool is NetSupport RAT, a remote access trojan that gives attackers direct control over infected machines. […] Source: Cyber Security News.

WordPress Backup Plugin Vulnerability Exposes 800,000 Sites to Remote Code Execution Attacks

12 February 2026
A critical flaw in the WPvivid Backup & Migration WordPress plugin can let an unauthenticated attacker upload files and run code on the server, a path that often ends in full site takeover. The issue is tracked as CVE-2026-1357, scored 9.8 (Critical), and affects plugin versions up to and including 0.9.123, with a fix available […] Source: Cyber Security News.

Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks

08 December 2025
A critical security flaw in the Sneeit Framework plugin for WordPress is being actively exploited in the wild, per data from Wordfence. The remote code execution vulnerability in question is CVE-2025-6389 (CVSS score: 9.8), which affects all versions of the plugin prior to and including 8.3. It has been patched in version 8.4, released on August 5, 2025. The plugin has more than 1,700 active

WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts

03 December 2025
A critical security flaw impacting a WordPress plugin known as King Addons for Elementor has come under active exploitation in the wild. The vulnerability, CVE-2025-8489 (CVSS score: 9.8), is a case of privilege escalation that allows unauthenticated attackers to grant themselves administrative privileges by simply specifying the administrator user role during registration. It affects versions