Security News

Two critical and high severity security vulnerabilities in the highly popular "All in One" SEO WordPress plugin exposed over 3 million websites to takeover attacks. The security flaws discovered and reported by Automattic security researcher Marc Montpas are a critical Authenticated Privilege Escalation bug and a high severity Authenticated SQL Injection.

As many as 1.6 million WordPress sites have been targeted by an active large-scale attack campaign originating from 16,000 IP addresses by exploiting weaknesses in four plugins and 15 Epsilon Framework themes. WordPress security company Wordfence, which disclosed details of the attacks, said Thursday it had detected and blocked more than 13.7 million attacks aimed at the plugins and themes in a period of 36 hours with the goal of taking over the websites and carrying out malicious actions.

An active attack against more than 1.6 million WordPress sites is underway, with researchers spotting tens of millions of attempts to exploit four different plugins and several Epsilon Framework themes. In November 2020, Wordfence observed an operation that targeted this list with "probing attacks," meant to test whether sites were unpatched and vulnerable.

Wordfence analysts report having detected a massive wave of attacks in the last couple of days, originating from 16,000 IPs and targeting over 1.6 million WordPress sites. The threat actors target four WordPress plugins and fifteen Epsilon Framework themes, one of which has no available patch.

Credit card swipers are being injected into random plugins of e-commerce WordPress sites, hiding from detection while stealing customer payment details. The latest trend is injecting card skimmers into WordPress plugin files, avoiding the closely-monitored 'wp-admin' and 'wp-includes' core directories where most injections are short-lived.

Web hosting giant GoDaddy on Monday disclosed a data breach that resulted in the unauthorized access of data belonging to a total of 1.2 million active and inactive customers, making it the third security incident to come to light since 2018. In a filing with the U.S. Securities and Exchange Commission, the world's largest domain registrar said that a malicious third-party managed to gain access to its Managed WordPress hosting environment on September 6 with the help of a compromised password, using it to obtain sensitive information pertaining to its customers.

GoDaddy says the recently disclosed data breach affecting roughly 1.2 million customers has also hit multiple Managed WordPress services resellers. GoDaddy acquired these brands after buying web hosting and cloud services companies Host Europe Group in 2017 and Media Temple in 2013.

GoDaddy stated that default WordPress admin passwords, created when each account was opened, were accessed, too, though we're hoping that few, if any, active users of the system had left this password unchanged after setting up their WordPress presence. We're assuming, if the passwords had been salted-hashed-and-stretched, as you might expect, that GoDaddy would have reported the breach by saying so, given that properly-hashed passwords, once stolen, still need to be cracked by the attackers, and with well-chosen passwords and a decent hashing process, that process can take weeks, months or years.

GoDaddy, the popular internet domain registrar and web hosting company, has suffered a data breach that affected over a million of their Managed WordPress customers. For active customers: sFTP and database usernames and passwords.

GoDaddy has admitted to America's financial watchdog that one or more miscreants broke into its systems and potentially accessed a huge amount of customer data, from email addresses to SSL private keys. GoDaddy's chief information security officer Demetrius Comes said his company "immediately began an investigation with the help of an IT forensics firm and contacted law enforcement."