Security News

Hackers target Wordpress plugin flaw after PoC exploit released
2023-05-14 15:14

Hackers are actively exploiting a recently fixed vulnerability in the WordPress Advanced Custom Fields plugin roughly 24 hours after a proof-of-concept exploit was made public. The vulnerability in question is CVE-2023-30777, a high-severity reflected cross-site scripting flaw that allows unauthenticated attackers to steal sensitive information and escalate their privileges on impacted WordPress sites.

New Flaw in WordPress Plugin Used by Over a Million Sites Under Active Exploitation
2023-05-12 05:43

A security vulnerability has been disclosed in the popular WordPress plugin Essential Addons for Elementor that could be potentially exploited to achieve elevated privileges on affected sites. Successful exploitation of the flaw could permit a threat actor to reset the password of any arbitrary user as long as the malicious party is aware of their username.

WordPress Elementor plugin bug let attackers hijack accounts on 1M sites
2023-05-11 16:59

Essential Addons for Elementor is a library of 90 extensions for the 'Elementor' page builder, used by over one million WordPress sites. The flaw, which PatchStack discovered on May 8, 2023, is tracked as CVE-2023-32243 and is an unauthenticated privilege escalation vulnerability on the plugin's password reset functionality, impacting versions 5.4.0 to 5.7.1.

Criminal IP FDS: A WordPress Plugin to Block Brute Force Attacks
2023-05-09 14:01

To address this issue, AI Spera released a new WordPress plugin called Anti-Brute Force, Login Fraud Detector, also known as Criminal IP FDS, on May 3rd. The plugin utilizes Criminal IP, an OSINT-based search engine, to provide real-time data and intelligence technology to detect and prevent fraudulent login attempts on WordPress websites comprehensively. What to expect from Criminal IP FDS plugin for WordPress.

WordPress plugin hole puts '2 million websites' at risk
2023-05-08 22:22

WordPress users with the Advanced Custom Fields plugin on their website should upgrade after the discovery of a vulnerability in the code that could open up sites and their visitors to cross-site scripting attacks. Because of the hundreds of millions of sites that use it, WordPress also has become a popular target of miscreants that want to exploit any flaws in the system - it's where the money is.

New Vulnerability in Popular WordPress Plugin Exposes Over 2 Million Sites to Cyberattacks
2023-05-06 05:41

Users of Advanced Custom Fields plugin for WordPress are being urged to update version 6.1.6 following the discovery of a security flaw. "This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path," Patchstack researcher Rafie Muhammad said.

WordPress custom field plugin bug exposes over 1M sites to XSS attacks
2023-05-05 14:57

Security researchers warn that the 'Advanced Custom Fields' and 'Advanced Custom Fields Pro' WordPress plugins, with millions of installs, are vulnerable to cross-site scripting attacks. The two plugins are among WordPress's most popular custom field builders, with 2,000,000 active installs on sites worldwide.

Hackers Exploit Outdated WordPress Plugin to Backdoor Thousands of WordPress Sites
2023-04-24 11:41

Threat actors have been observed leveraging a legitimate but outdated WordPress plugin to surreptitiously backdoor websites as part of an ongoing campaign, Sucuri revealed in a report published last week. The plugin in question is Eval PHP, released by a developer named flashpixx.

Attackers use abandoned WordPress plugin to backdoor websites
2023-04-20 20:02

Attackers are using Eval PHP, an outdated legitimate WordPress plugin, to compromise websites by injecting stealthy backdoors. Eval PHP is an old WordPress plugin that allows site admins to embed PHP code on pages and posts of WordPress sites and then execute the code when the page is opened in the browser.

Over 1 Million WordPress Sites Infected by Balada Injector Malware Campaign
2023-04-10 10:16

Over one million WordPress websites are estimated to have been infected by an ongoing campaign to deploy malware called Balada Injector since 2017. The massive campaign, per GoDaddy's Sucuri, "Leverages all known and recently discovered theme and plugin vulnerabilities" to breach WordPress sites.