Latest Updates and Insights on WordPress Security
07 January 2025
PhishWP, a newly discovered WordPress plugin, is being used by cybercriminals to maliciously convert legitimate websites into phishing traps, putting user data at risk. Cybercriminals created the WordPress plugin PhishWP. It generates fake payment pages that closely resemble legitimate providers like Stripe. Threat actors use it to steal sensitive data, including browser metadata, credit card […]
The post WordPress Plugin Weaponizes Legit Sites To Steal Customer Payment Data appeared first on Cyber Security News.
18 December 2024
A threat actor labelled as MUT-1244 has stolen more than 390,000 WordPress credentials.
17 December 2024
A critical Remote Code Execution (RCE) vulnerability (CVE-2024-6386) affects over 1,000,000 active installations of the WordPress Multilingual Plugin (WPML). This flaw, stemming from a Server-Side Template Injection (SSTI) vulnerability in the Twig template engine, allowed attackers to execute arbitrary code on the affected websites. Rated as critical with a CVSS score of 9.9, the vulnerability […]
The post RCE Vulnerability in 1,000,000 WordPress Sites Lets Attackers Gain Control Over Backend appeared first on Cyber Security News.
13 December 2024
A now-removed GitHub repository that advertised a WordPress tool to publish posts to the online content management system (CMS) is estimated to have enabled the exfiltration of over 390,000 credentials.
The malicious activity is part of a broader attack campaign undertaken by a threat actor, dubbed MUT-1244 (where MUT refers to "mysterious unattributed threat") by Datadog Security Labs, that
12 December 2024
Malicious actors are exploiting a critical vulnerability in the Hunk Companion plugin for WordPress to install other vulnerable plugins that could open the door to a variety of attacks.
The flaw, tracked as CVE-2024-11972 (CVSS score: 9.8), affects all versions of the plugin prior to 1.9.0. The plugin has over 10,000 active installations.
"This flaw poses a significant security risk, as it
05 December 2024
A newly disclosed vulnerability in the Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress has raised concerns among website administrators and developers. The flaw, identified as CVE-2024-10178, allows attackers with contributor-level access or higher to inject malicious scripts into web pages through the plugin’s Countdown widget. While this vulnerability affects […]
The post WordPress Gutenberg Editor Vulnerability Let Attackers Inject Malicious Scripts appeared first on Cyber Security News.
26 November 2024
Two critical security flaws impacting the Spam protection, Anti-Spam, and FireWall plugin for WordPress could allow an unauthenticated attacker to install and enable malicious plugins on susceptible sites and potentially achieve remote code execution.
The vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, carry a CVSS score of 9.8 out of a maximum of 10.0. They were addressed in versions
26 November 2024
A critical vulnerability was discovered on October 30th, 2024 in the Anti-Spam by CleanTalk WordPress plugin, potentially affecting over 200,000 active installations. This flaw allows unauthenticated attackers to install and activate arbitrary plugins, which could lead to remote code execution on vulnerable sites. Vulnerabilities that were discovered in the WordPress plugin are tracked as “CVE-2024-10542” […]
The post WordPress Plugin Flaw Exposes 200,000 WordPress Sites To Hacking appeared first on Cyber Security News.
17 November 2024
A critical authentication bypass vulnerability has been disclosed in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress that, if successfully exploited, could allow an attacker to remotely gain full administrative access to a susceptible site.
The vulnerability, tracked as CVE-2024-10924 (CVSS score: 9.8), impacts both free and premium versions of the plugin. The
15 November 2024
A critical security flaw in one of WordPress’s most popular plugins has left over 4 million websites vulnerable to potential hacking attempts. The Really Simple Security plugin, formerly known as Really Simple SSL, contains an authentication bypass vulnerability that could allow attackers to gain full administrative access to affected sites. The vulnerability, discovered by the […]
The post WordPress Plugin Vulnerability Exposes 4M+ Websites To Hackers appeared first on Cyber Security News.
31 October 2024
A high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could allow an unauthenticated threat actor to elevate their privileges and perform malicious actions.
The vulnerability, tracked as CVE-2024-50550 (CVSS score: 8.1), has been addressed in version 6.5.2 of the plugin.
"The plugin suffers from an unauthenticated privilege escalation vulnerability
15 October 2024
The maintainers of the Jetpack WordPress plugin have released a security update to remediate a critical vulnerability that could allow logged-in users to access forms submitted by others on a site.
Jetpack, owned by WordPress maker Automattic, is an all-in-one plugin that offers a comprehensive suite of tools to improve site safety, performance, and traffic growth. It's used on 27 million
12 October 2024
On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem. On October 3rd, the ACF team announced […]
04 October 2024
A new high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable malicious actors to execute arbitrary JavaScript code under certain conditions.
The flaw, tracked as CVE-2024-47374 (CVSS score: 7.2), has been described as a stored cross-site scripting (XSS) vulnerability impacting all versions of the plugin up to and including 6.5.0.2.
It was
01 October 2024
The flaw allows attackers to execute code remotely by injecting a malicious PHP object due to improper handling of input during deserialization. This flaw is similar to CVE-2024-5932 but bypasses certain checks, making it even more dangerous.
27 September 2024
I’ve heard from WP Engine customers that they are frustrated that WP Engine hasn’t been able to make updates, plugin directory, theme directory, and Openverse work on their sites. It saddens me that they’ve been negatively impacted by Silver Lake’s commercial decisions. On WP Engine’s homepage, they promise “Unmatched performance, automated updates, and bulletproof security […]
27 September 2024
Security researchers have found critical flaws in the Jupiter X Core WordPress plugin, affecting over 90,000 websites. The vulnerabilities could allow attackers to take control of websites or hijack user accounts, including admin accounts.
26 September 2024
A critical SQL injection vulnerability has been discovered in The Events Calendar WordPress plugin (CVE-2024-8275), affecting all versions up to 6.6.4. The vulnerability has a CVSS score of 9.8, indicating a high level of severity.
25 September 2024
Pending their legal claims and litigation against WordPress.org, WP Engine no longer has free access to WordPress.org's resources.
23 September 2024
Thousands of WordPress sites have been exposed to potential threats due to vulnerabilities in the Houzez theme and WordPress Houzez Login Register plugin. The flaws are identified as CVE-2024-22303 and CVE-2024-21743. They affect versions up to 3.2.4 and 3.2.5 and are classified as high-priority issues with a CVSS score of 8.8, indicating significant risk. CVE-2024-22303 […]
The post WordPress Theme & Plugin Vulnerabilities Exposes Thousands of Sites appeared first on Cyber Security News.