Security News

All-In-One Security, a WordPress plugin installed on over one million sites, has issued a security update after a bug introduced in version 5.1.9 of the software caused users' passwords being added to the database in plaintext format. "This would be a problem if those site administrators were to try out those passwords on other services where your users might have used the same password. If those other services' logins are not protected by two-factor authentication, this could be a risk to the affected website."

Every website owner or webmaster grapples with the issue of spam on their website forms. CleanTalk Anti-Spam is a cloud-based tool designed to block various types of spam that website administrators encounter daily.

If you run a WordPress site with the Ultimate Members plugin installed, make sure you've updated it to the latest version. The plugin doesn't allow users to enter this value, but this filter turns out to be easy to bypass, making it possible to edit wp capabilities and become an admin.

As many as 200,000 WordPress websites are at risk of ongoing attacks exploiting a critical unpatched security vulnerability in the Ultimate Member plugin. Ultimate Member is a popular plugin that facilitates the creation of user-profiles and communities on WordPress sites.

Hackers exploit a zero-day privilege escalation vulnerability in the 'Ultimate Member' WordPress plugin to compromise websites by bypassing security measures and registering rogue administrator accounts. Ultimate Member is a user profile and membership plugin that facilitates sign-ups and building communities on WordPress sites, and it currently has over 200,000 active installations.

A critical security flaw has been disclosed in miniOrange's Social Login and Register plugin for WordPress that could enable a malicious actor to log in as any user-provided information about email address is already known. Tracked as CVE-2023-2982, the authentication bypass flaw impacts all versions of the plugin, including and prior to 7.6.4.

A critical security flaw has been disclosed in the WordPress "Abandoned Cart Lite for WooCommerce" plugin that's installed on more than 30,000 websites. The problem, at its core, is a case of authentication bypass that arises as a result of insufficient encryption protections that are applied when customers are notified when they have abandoned their shopping carts on e-commerce sites without completing the purchase.

The WooCommerce Stripe Gateway plugin for WordPress was found to be vulnerable to a bug that allows any unauthenticated user to view order details placed through the plugin. WooCommerce Stripe Payment is a payment gateway for WordPress e-commerce sites, which currently has 900,000 active installations.

Cybersecurity researchers have unearthed a new ongoing Magecart-style web skimmer campaign that's designed to steal personally identifiable information and credit card data from e-commerce websites. "Attackers employ a number of evasion techniques during the campaign, including obfuscating [using] Base64 and masking the attack to resemble popular third-party services, such as Google Analytics or Google Tag Manager," Akamai security researcher Roman Lvovsky said.

WordPress has issued an automatic update to address a critical flaw in the Jetpack plugin that's installed on over five million sites.The vulnerability, which was unearthed during an internal security audit, resides in an API present in the plugin since version 2.0, which was released in November 2012.