50K WordPress sites exposed to RCE attacks by critical bug in backup plugin
A critical severity vulnerability in a WordPress plugin with more than 90,000 installs can let attackers gain remote code execution to fully compromise vulnerable websites.
Hackers exploit critical flaw in WordPress Royal Elementor plugin
A critical severity vulnerability impacting Royal Elementor Addons and Templates up to version 1.3.78 is reported to be actively exploited by two WordPress security teams.
Balada Injector Targets Unpatched tagDiv Plugin, Newspaper Theme & WordPress Admins
Discover the latest waves of the ongoing Balada Injector malware campaign targeting unpatched tagDiv premium WordPress themes. Dive into the technical details of the injected scripts, explore their functionality, and understand the potential threats they pose to site administrators.
Phishing pages placed on hacked websites
Scammers are hacking websites powered by WordPress and placing phishing pages inside hidden directories. We share some statistics and tips on recognizing a hacked site.
WordPress plugin installed on 1 million+ sites logged plaintext passwords
AIOS bills itself as an "all-in-one" security solution. A just-fixed bug undermined that.
‘Gravity Forms’ WordPress Plugin Found Vulnerable to PHP Object Injection
Gravity Forms, a popular WordPress plugin, has been found vulnerable to unauthenticated PHP Object Injection attacks.
Wordfence Firewall Blocks Bizarre Large-Scale XSS Campaign
The Wordfence Threat Intelligence team has been monitoring an increase in attacks targeting a Cross-Site Scripting vulnerability in Beautiful Cookie Consent Banner, a WordPress plugin installed on over 40,000 sites. The vulnerability, which was fully patched in January in version 2.10.2, offers unauthenticated attackers the ability to add malicious JavaScript to a website, potentially allowing ...Read More
WordPress Plugin Vulnerability Exposed Ferrari Website to Hackers
A vulnerability in a WordPress plugin exposed the official website of sports car maker Ferrari to hacker attacks.
The Race to Patch: Attackers Leverage Sample Exploit Code in Wordpress Plugin | Akamai
The time for attackers to respond to known vulnerabilities is shrinking. See an example of an attacker using sample code. * The Akamai Security Intelligence Group (SIG) has been analyzing attack attempt activity following the announcement of a critical vulnerability in a WordPress custom fields plug-in affecting more than 2 million sites. * Exploiting this vulnerability could lead to a reflected cross-site scripting (XSS) attack, in which malicious code is injected into a victim site and pushed to its visitors. * On May 4, 2023, the WP Engine team announced the security fix in version 6.1.6, including sample exploit code as a proof of concept (PoC). * Starting on May 6, less than 48 hours after the announcement, the SIG observed significant attack attempt activity, scanning for vulnerable sites using the sample code provided in the technical write-up. * This highlights that the response time for attackers is rapidly decreasing, increasing the need for vigorous and prompt patch management.
Critical Privilege Escalation in Essential Addons for Elementor Plugin Affecting 1+ Million Sites
This blog post is about the Essential Addons for Elementor plugin vulnerability. If you’re a Essential Addons for Elementor user, please update the plugin to at least version 5.7.2. Patchstack Developer and Business plan users are protected from the vulnerability. You can also sign up for the Patchstack Community plan to be notified about vulnerabilities […]
WordPress Advanced Custom Fields Pro plugin 6.1.5 - Reflected Cross Site Scripting (XSS) vulnerability
Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Advanced Custom Fields PRO Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 6.1.6.
Balada Injector: Synopsis of a Massive Ongoing WordPress Malware Campaign
A synopsis of the massive ongoing WordPress malware campaign: Balada Injector, including common techniques, functionalities, and vulnerability exploits used in attacks.
Bogus URL Shorteners Redirect Thousands of Hacked Sites in AdSense Fraud Campaign
Learn how fake URL shorteners are redirecting hacked website traffic to crypto themed websites to generate fraudulent AdSense revenue.
SQL Injection in Multiple WordPress Plugins
- Paid Memberships Pro : CVE-2023-23488 - Unauthenticated SQL Injection * Easy Digital Downloads: CVE-2023-23489 - Unauthenticated SQL Injection * Survey Maker: CVE-2023-23490 - Authenticated SQL Injection
Balada Injector: Synopsis of a Massive Ongoing WordPress Malware Campaign
A synopsis of the massive ongoing WordPress malware campaign: Balada Injector, including common techniques, functionalities, and vulnerability exploits used in attacks.
Bogus URL Shorteners Redirect Thousands of Hacked Sites in AdSense Fraud Campaign
Learn how fake URL shorteners are redirecting hacked website traffic to crypto themed websites to generate fraudulent AdSense revenue.
SQL Injection in Multiple WordPress Plugins
* Paid Memberships Pro : CVE-2023-23488 - Unauthenticated SQL Injection * Easy Digital Downloads: CVE-2023-23489 - Unauthenticated SQL Injection * Survey Maker: CVE-2023-23490 - Authenticated SQL Injection