Latest Updates and Insights on WordPress Security
26 August 2024
WordPress websites were found distributing the ClearFake Trojan malware, a dangerous threat that can lead to ransomware infections. The malware was disguised as a prompt to install a root certificate.
22 August 2024
Cybersecurity researchers have disclosed a critical security flaw in the LiteSpeed Cache plugin for WordPress that could permit unauthenticated users to gain administrator privileges.
"The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain Administrator level access after which malicious plugins could be uploaded and
21 August 2024
The vulnerability, known as CVE-2024-6500, affects the InPost PL and InPost for WooCommerce plugins, allowing attackers to read and delete sensitive files like the wp-config.php configuration file.
21 August 2024
A maximum-severity security flaw has been disclosed in the WordPress GiveWP donation and fundraising plugin that exposes more than 100,000 websites to remote code execution attacks.
The flaw, tracked as CVE-2024-5932 (CVSS score: 10.0), impacts all versions of the plugin prior to version 3.14.2, which was released on August 7, 2024. A security researcher, who goes by the online alias villu164,
20 August 2024
A severe security flaw has been discovered in GiveWP, a popular WordPress donation plugin with over 100,000 active installations. The vulnerability, classified as an unauthenticated PHP Object Injection leading to Remote Code Execution (RCE), was responsibly reported through the Wordfence Bug Bounty Program on May 26th, 2024. The critical vulnerability, assigned CVE-2024-5932 with a CVSS […]
The post Critical WordPress Plugin RCE Vulnerability Impacts 100k+ Sites appeared first on Cyber Security News.
16 July 2024
A critical vulnerability has been discovered in the popular Profile Builder and Profile Builder Pro plugins, with over 50,000 active installations. The flaw, identified during a routine audit of various WordPress plugins, allows unauthenticated attackers to escalate their privileges and gain administrative access to targeted sites without possessing account credentials. CVE-2024-6695 – Unauthenticated Privilege Escalation […]
The post WordPress Plugin Flaw Let Attackers Seize Administrative Control appeared first on Cyber Security News.
10 July 2024
Hackers are targeting a vulnerability in the Modern Events Calendar WordPress plugin found on over 150,000 websites to upload files and execute code remotely. The plugin by Webnus is used to manage events.
09 July 2024
A security flaw was discovered in the Modern Events Calendar, a widely used WordPress plugin with over 150,000 active installations. The vulnerability, identified as an Arbitrary File Upload flaw, allows authenticated users, such as subscribers, to upload arbitrary files to a vulnerable site, potentially leading to remote code execution (RCE). CVE-2024-5441 – Discovery and Reporting […]
The post WordPress Calendar Plugin RCE Flaw Exposes 150,000 Sites for Hacking appeared first on Cyber Security News.
26 June 2024
WordPress has released an urgent security update, version 6.5.5, addressing critical vulnerabilities that could potentially compromise the security of millions of websites. This minor release, which also includes three bug fixes in the core, is highly recommended for immediate installation to ensure site security and stability. Key Security Fixes The WordPress 6.5.5 update addresses three […]
The post WordPress Releases Urgent Security Update to Patch XSS and Path Traversal Flaws appeared first on Cyber Security News.
26 June 2024
Multiple content management system (CMS) platforms like WordPress, Magento, and OpenCart have been targeted by a new credit card web skimmer called Caesar Cipher Skimmer.
A web skimmer refers to malware that is injected into e-commerce sites with the goal of stealing financial and payment information.
According to Sucuri, the latest campaign entails making malicious modifications to the
25 June 2024
Multiple WordPress plugins have been found to contain a backdoor that injects malicious code. This code allows attackers to create unauthorized administrator accounts, enabling them to perform malicious actions.
24 June 2024
Multiple WordPress plugins have been backdoored to inject malicious code that makes it possible to create rogue administrator accounts with the aim of performing arbitrary actions.
"The injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server," Wordfence security researcher Chloe Chamberland said in a Monday alert.
24 June 2024
WordPress 6.5.5 is now available! This release features three security fixes. Because this is a security release, it is recommended that you update your sites immediately. This minor release also includes 3 bug fixes in Core. You can download WordPress 6.5.5 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”. […]
09 April 2024
Note: Due to an issue with the initial package, WordPress 6.5.1 was not released. 6.5.2 is the first minor release for WordPress 6.5. This security and maintenance release features 2 bug fixes on Core, 12 bug fixes for the Block Editor, and 1 security fix. Because this is a security release, it is recommended that […]
30 January 2024
This security and maintenance release features 5 bug fixes on Core, 16 bug fixes for the Block Editor, and 2 security fixes. Because this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 4.1 and later. You can download WordPress 6.4.3 from […]
06 December 2023
WordPress 6.4.2 is now available! This minor release features 7 bug fixes in Core. The fixes include a bug fix for an issue causing stylesheet and theme directories to sometimes return incorrect results. This release also features one security fix. Because this is a security release, it is recommended that you update your sites immediately. […]
04 December 2023
The WordPress Security Team is aware of multiple ongoing phishing scams impersonating both the “WordPress team” and the “WordPress Security Team“ in an attempt to convince administrators to install a plugin on their website which contains malware. The WordPress Security Team will never email you requesting that you install a plugin or theme on your […]
12 October 2023
This security and maintenance release features 19 bug fixes on Core, 22 bug fixes for the Block Editor, and 8 security fixes. WordPress 6.3.2 is a short-cycle release. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement. Because this is a security release, it is recommended […]
20 May 2023
WordPress 6.2.2 is now available!
16 May 2023
WordPress 6.2.1 is now available! This minor release features 20 bug fixes in Core and 10 bug fixes for the block editor. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement. This release also features several security fixes. Because this is a security release, it is […]