Security News

The downloader malware known as Gootloader is poisoning websites globally as part of an extensive drive-by and watering-hole cybercampaign that abuses WordPress sites by injecting them with hundreds of pages of fake content. Researchers with eSentire spotted a Gootloader campaign in December, infiltrating dozens of legitimate websites involved in the hotel industry, high-end retail, education, healthcare, music and visual arts, among others.

Ninja Forms, a WordPress plugin used by more than 1 million sites, contains four critical security vulnerabilities that together make it possible for a remote attacker to take over a WordPress site and create various kinds of problems. Ninja Forms offers WordPress site designers the ability to create forms using a drag-and-drop capability, with no coding skills required.

Critical and high severity vulnerabilities in the Responsive Menu WordPress plugin exposed over 100,000 sites to takeover attacks as discovered by Wordfence. Responsive Menu is a WordPress plugin designed to help admins create W3C compliant and mobile-ready responsible site menus.

Two severe vulnerabilities in the NextGEN Gallery WordPress plugin could have exposed more than 800,000 websites to complete takeover, WordPress security company Defiant reported on Monday. Available for more than a decade, the plugin provides users with a broad range of gallery management capabilities, such as batch upload of photos, metadata import, thumbnail editing, photo and gallery management, and more.

Researchers are urging WordPress websites that utilize the NextGen Gallery plugin to apply a patch addressing critical and high-severity flaws. Researchers discovered two cross-site request forgery flaws - one critical and one high-severity - in the plugin.

NextGen Gallery, a WordPress plugin used for creating image galleries, currently has over 800,000 active installs, making this security update a top priority for all site owners that have it installed. Both of them are Cross-Site Request Forgery bugs which, in the case of the critical vulnerability tracked as CVE-2020-35942, can lead to Reflected Cross-Site Scripting and remote code execution attacks via file upload or Local File Inclusion.

A security bug in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites, could allow for malicious JavaScript injection on a victim website. The latest WordPress plugin security vulnerability is a cross-site request forgery to stored cross-site scripting problem in Contact Form 7 Style, which is an add-on to the well-known Contact Form 7 umbrella plugin.

Developers of a plugin, used by WordPress websites for building pop-up ads for newsletter subscriptions, have issued a patch for a serious flaw. The plugin has been installed on 200,000 WordPress websites.

Multiple vulnerabilities patched recently in the popular WordPress plugin Popup Builder could be exploited to perform various malicious actions on affected websites. With over 200,000 installations to date, "Popup Builder - Responsive WordPress Pop up - Subscription & Newsletter" is a plugin that helps WordPress site owners create, customize, and manage promotion modal popups.

Two vulnerabilities in a WordPress plugin called Orbit Fox could allow attackers to inject malicious code into vulnerable websites and/or take control of a website. Orbit Fox is a multi-featured WordPress plugin that works with the Elementor, Beaver Builder and Gutenberg site-building utilities.