Security News

WordPress users with the Advanced Custom Fields plugin on their website should upgrade after the discovery of a vulnerability in the code that could open up sites and their visitors to cross-site scripting attacks. Because of the hundreds of millions of sites that use it, WordPress also has become a popular target of miscreants that want to exploit any flaws in the system - it's where the money is.

Users of Advanced Custom Fields plugin for WordPress are being urged to update version 6.1.6 following the discovery of a security flaw. "This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path," Patchstack researcher Rafie Muhammad said.

Security researchers warn that the 'Advanced Custom Fields' and 'Advanced Custom Fields Pro' WordPress plugins, with millions of installs, are vulnerable to cross-site scripting attacks. The two plugins are among WordPress's most popular custom field builders, with 2,000,000 active installs on sites worldwide.

Threat actors have been observed leveraging a legitimate but outdated WordPress plugin to surreptitiously backdoor websites as part of an ongoing campaign, Sucuri revealed in a report published last week. The plugin in question is Eval PHP, released by a developer named flashpixx.

Attackers are using Eval PHP, an outdated legitimate WordPress plugin, to compromise websites by injecting stealthy backdoors. Eval PHP is an old WordPress plugin that allows site admins to embed PHP code on pages and posts of WordPress sites and then execute the code when the page is opened in the browser.

Over one million WordPress websites are estimated to have been infected by an ongoing campaign to deploy malware called Balada Injector since 2017. The massive campaign, per GoDaddy's Sucuri, "Leverages all known and recently discovered theme and plugin vulnerabilities" to breach WordPress sites.

An estimated one million WordPress websites have been compromised during a long-lasting campaign that exploits "All known and recently discovered theme and plugin vulnerabilities" to inject a Linux backdoor that researchers named Balad Injector. According to website security company Sucuri, the Balad Injector campaign is the same one that Dr. Web reported in December 2022 to leverage known flaws in several plugins and themes to plant a backdoor.

Unknown threat actors are actively exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress. The premium plugin is estimated to be used on over 12 million sites.

Hackers are actively exploiting a high-severity vulnerability in the popular Elementor Pro WordPress plugin used by over eleven million websites. Elementor Pro is a WordPress page builder plugin allowing users to easily build professional-looking sites without knowing how to code, featuring drag and drop, theme building, a template collection, custom widget support, and a WooCommerce builder for online shops.

Interestingly, WooCommerce suggests that even if attackers had found and exploited this vulnerability, the only information about your logon passwords they'd have been able to steal would have been so-called salted password hashes, and so the company has written that "It's unlikely that your password was compromised". As a result, it's offering the curious advice that you can get away without changing your admin password as long as [a] you're using the standard WordPress password management system and not some alternative way of handling passwords that WooCommerce can't vouch for, and [b] you're not in the habit of using the same password on multiple services.