Security News

Over 150k WordPress sites at takeover risk via vulnerable plugin
2024-01-11 21:54

Two vulnerabilities impacting the POST SMTP Mailer WordPress plugin, an email delivery tool used by 300,000 websites, could help attackers take complete control of a site's authentication. Based on statistics from wordpress.org, roughly 150,000 sites run a vulnerable version of the plugin (lower than 2.8).

New Balada Injector campaign infects 6,700 WordPress sites
2024-01-11 17:44

A little over 6,700 WordPress websites using a vulnerable version of the Popup Builder plugin have been infected with the Balada Injector malware in a campaign that launched in mid-December. Initially documented by researchers at Dr. Web, who observed coordinated attack waves leveraging known flaws in WordPress themes and add-ons, Balada Injector was later discovered to be a massive operation running since 2017 that had compromised more than 17,000 WordPress sites.

Rogue WordPress Plugin Exposes E-Commerce Sites to Credit Card Theft
2023-12-22 16:47

Threat hunters have discovered a rogue WordPress plugin that's capable of creating bogus administrator users and injecting malicious JavaScript code to steal credit card information. The skimming...

WordPress hosting service Kinsta targeted by Google phishing ads
2023-12-17 23:46

WordPress hosting provider Kinsta is warning customers that Google ads have been observed promoting phishing sites to steal hosting credentials. Kinsta says the phishing attacks aim to steal login credentials for MyKinsta, a key service the company offers to manage WordPress and other cloud-based apps.

50K WordPress sites exposed to RCE attacks by critical bug in backup plugin
2023-12-11 22:46

A critical severity vulnerability in a WordPress plugin with more than 90,000 installs can let attackers gain remote code execution to fully compromise vulnerable websites. The security bug was discovered by a team of bug hunters known as Nex Team, who reported it to WordPress security firm Wordfence under a recently launched bug bounty program.

WordPress Releases Update 6.4.2 to Address Critical Remote Attack Vulnerability
2023-12-08 09:23

WordPress has released version 6.4.2 with a patch for a critical security flaw that could be exploited by threat actors by combining it with another bug to execute arbitrary PHP code on vulnerable...

WordPress fixes POP chain exposing websites to RCE attacks
2023-12-07 20:10

WordPress is a highly popular open-source content management system used for creating and managing websites. The project's security team discovered a Property Oriented Programming chain vulnerability that was introduced in WordPress core 6.4, which under certain conditions could allow arbitrary PHP code execution.

Fake WordPress security advisory pushes backdoor plugin
2023-12-04 17:19

WordPress administrators are being emailed fake WordPress security advisories for a fictitious vulnerability tracked as CVE-2023-45124 to infect sites with a malicious plugin. The emails pretend to be from WordPress, warning that a new critical remote code execution flaw in the platform was detected on the admin's site, urging them to download and install a plugin that allegedly addresses the security issue.

WP Fastest Cache plugin bug exposes 600K WordPress sites to attacks
2023-11-14 23:32

The WordPress plugin WP Fastest Cache is affected by an SQL injection vulnerability that could allow unauthenticated attackers to read the contents of the site's database. WP Fastest Cache is a caching plugin used to speed up page loads, improve visitor experience, and boost the site's ranking on Google search.

Hackers exploit critical flaw in WordPress Royal Elementor plugin
2023-10-16 19:08

A critical severity vulnerability impacting Royal Elementor Addons and Templates up to version 1.3.78 is reported by two WordPress security firms to be actively exploited. The two firms, Wordfence and WPScan, have marked CVE-2023-5360 as actively exploited since August 30, 2023, with the attack volume ramping up starting on October 3, 2023.