Security News

Massive Balada Injector campaign attacking WordPress sites since 2017
2023-04-07 16:24

An estimated one million WordPress websites have been compromised during a long-lasting campaign that exploits "All known and recently discovered theme and plugin vulnerabilities" to inject a Linux backdoor that researchers named Balad Injector. According to website security company Sucuri, the Balad Injector campaign is the same one that Dr. Web reported in December 2022 to leverage known flaws in several plugins and themes to plant a backdoor.

Hackers Exploiting WordPress Elementor Pro Vulnerability: Millions of Sites at Risk!
2023-04-01 04:36

Unknown threat actors are actively exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress. The premium plugin is estimated to be used on over 12 million sites.

Hackers exploit bug in Elementor Pro WordPress plugin with 11M installs
2023-03-31 15:52

Hackers are actively exploiting a high-severity vulnerability in the popular Elementor Pro WordPress plugin used by over eleven million websites. Elementor Pro is a WordPress page builder plugin allowing users to easily build professional-looking sites without knowing how to code, featuring drag and drop, theme building, a template collection, custom widget support, and a WooCommerce builder for online shops.

WooCommerce Payments plugin for WordPress has an admin-level hole – patch now!
2023-03-24 19:48

Interestingly, WooCommerce suggests that even if attackers had found and exploited this vulnerability, the only information about your logon passwords they'd have been able to steal would have been so-called salted password hashes, and so the company has written that "It's unlikely that your password was compromised". As a result, it's offering the curious advice that you can get away without changing your admin password as long as [a] you're using the standard WordPress password management system and not some alternative way of handling passwords that WooCommerce can't vouch for, and [b] you're not in the habit of using the same password on multiple services.

Critical WooCommerce Payments Plugin Flaw Patched for 500,000+ WordPress Sites
2023-03-24 07:51

Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites. It impacts versions 4.8.0 through 5.6.1.

WordPress force patching WooCommerce plugin with 500K installs
2023-03-23 21:39

Automattic, the company behind the WordPress content management system, is force installing a security update on hundreds of thousands of websites running the highly popular WooCommerce Payments for online stores."We shipped a fix and worked with the WordPress.org Plugins Team to auto-update sites running WooCommerce Payments 4.8.0 through 5.6.1 to patched versions. The update is currently being automatically rolled out to as many stores as possible," Lebens added.

Running WordPress on Azure for secure, fast and global content delivery
2023-03-20 13:06

Bringing your own WordPress installation to Azure still requires managing and patching the underlying OS and the CMS application, as you're treating Azure as just another host for virtual machines. WordPress is, at heart, a Hypertext Preprocessor application, and you should remember that the only supported PHP on Azure is the one running on Azure App Service for Linux.

Critical flaws in WordPress Houzez theme exploited to hijack websites
2023-02-27 18:19

Hackers are actively exploiting two critical-severity vulnerabilities in the Houzez theme and plugin for WordPress, two premium add-ons used primarily in real estate websites. The Houzez theme is a premium plugin that costs $69, offering easy listing management and a smooth customer experience.

Massive AdSense Fraud Campaign Uncovered - 10,000+ WordPress Sites Infected
2023-02-14 16:51

The threat actors behind the black hat redirect malware campaign have scaled up their campaign to use more than 70 bogus domains mimicking URL shorteners and infected over 10,800 websites. "The main objective is still ad fraud by artificially increasing traffic to pages which contain the AdSense ID which contain Google ads for revenue generation," Sucuri researcher Ben Martin said in a report published last week.

Over 4,500 WordPress Sites Hacked to Redirect Visitors to Sketchy Ad Pages
2023-01-25 16:11

A massive campaign has infected over 4,500 WordPress websites as part of a long-running operation that's been believed to be active since at least 2017. According to GoDaddy-owned Sucuri, the infections involve the injection of obfuscated JavaScript hosted on a malicious domain named "Track[.]violetlovelines[.]com" that's designed to redirect visitors to unwanted sites.