Security News

Two vulnerabilities - including a high-severity flaw - have been patched in a popular WordPress plugin called Popup Builder. The more severe flaw could enable an unauthenticated attacker to inject malicious JavaScript into a popup - potentially opening up more than 100,000 websites to takeover.

More than 100,000 WordPress websites were potentially affected by a series of vulnerabilities recently discovered and addressed in the Popup Builder plugin. Designed to help with the creation and management of promotional modal pop-ups for WordPress blogs and websites, Popup Builder also includes the ability to run custom JavaScript code when the pop-up is loaded.

A critical vulnerability in a WordPress plugin known as "ThemeREX Addons" could open the door for remote code execution in tens of thousands of websites. The plugin, which is installed on approximately 44,000 sites, is used to apply various "Skins" that govern the look and feel of web destinations, including theme-enhancing features and widgets.

How confident are you with the security of your WordPress deployments? If you're not 100% confident, you need to make use of the wpscan tool. Considering how prevalent the open source WordPress blogging platform installations are, chances are good that you have a deployment or two to manage.

Patches released over the past several days for multiple WordPress plugins address vulnerabilities that have been actively exploited as part of the same website takeover campaign. The plugin is impacted by a vulnerability described as an "Unauthenticated stored XSS via plugin settings change."

Thousands of active WordPress plugins have been hit with a swathe of cross-site scripting vulnerabilities that could give attackers complete control of sites. Researchers at NinTechNet found a vulnerability in the WordPress Flexible Checkout Fields for WooCommerce plugin, which enhances the popular WordPress ecommerce system with the ability to configure custom checkout fields using a simple user interface.

Active exploits are targeting a recently patched flaw in the popular WordPress plugin Duplicator, which has more than 1 million active installations. Researchers at Wordfence who discovered the in-the-wild attacks said in a post Thursday that 50,000 of those attacks occurred before Duplicator creator Snap Creek released a fix for the bug last week on Feb. 12 - so it was also exploited in the wild as a zero-day.

An active supply chain campaign that has been ongoing since late 2017 has infected at least 20,000 websites via malicious WordPress themes and plugins, Prevailion reports. Dubbed PHPs Labyrinth, the campaign used 30 different WordPress marketplace platforms to distribute trojanized versions of premium themes.

Vulnerabilities in two popular WordPress plugins, ThemeREX Addons and ThemeGrill Demo Importer, are being exploited to hack websites. Just days after the existence of the flaw was made public, ThemeGrill customers started reporting that the security hole had apparently been exploited to hack their websites.