Security News
Automattic, the company behind the open-source WordPress content management system, has started force-installing a security patch on millions of websites today to address a critical vulnerability in the Jetpack WordPress plugin. According to the official WordPress plugin repository, the plugin is maintained by Automattic and has over 5 million active installations.
The premium WordPress plugin 'Gravity Forms,' currently used by over 930,000 websites, is vulnerable to unauthenticated PHP Object Injection. Gravity Forms is a custom form builder website owners use for creating payment, registration, file upload, or any other form required for visitor-site interactions or transactions.
Ongoing attacks are targeting an unauthenticated stored cross-site scripting vulnerability in a WordPress cookie consent plugin named Beautiful Cookie Consent Banner, which has more than 40,000 active installs. WordPress security company Defiant, which spotted the attacks, says the vulnerability also allows unauthenticated attackers to create rogue admin accounts on WordPress websites running unpatched plugin versions.
Hackers are now actively probing for vulnerable Essential Addons for Elementor plugin versions on thousands of WordPress websites in massive Internet scans, attempting to exploit a critical account password reset flaw disclosed earlier this month. The critical-severity flaw is tracked as CVE-2023-32243 and impacts Essential Addons for Elementor versions 5.4.0 to 5.7.1, allowing unauthenticated attackers to reset the passwords of administrator accounts at will and take control of the affected websites.
Hackers are actively exploiting a recently fixed vulnerability in the WordPress Advanced Custom Fields plugin roughly 24 hours after a proof-of-concept exploit was made public. The vulnerability in question is CVE-2023-30777, a high-severity reflected cross-site scripting flaw that allows unauthenticated attackers to steal sensitive information and escalate their privileges on impacted WordPress sites.
A security vulnerability has been disclosed in the popular WordPress plugin Essential Addons for Elementor that could be exploited to gain elevated privileges on affected sites. Successful exploitation of the flaw would allow a threat actor to reset the password of any user, as long as the attacker knows that user's username.
Essential Addons for Elementor is a library of 90 extensions for the 'Elementor' page builder, used by over one million WordPress sites. The flaw, which Patchstack discovered on May 8, 2023, is tracked as CVE-2023-32243 and is an unauthenticated privilege escalation vulnerability in the plugin's password reset functionality, impacting versions 5.4.0 to 5.7.1.
To address brute-force login attacks, AI Spera released a new WordPress plugin called Anti-Brute Force, Login Fraud Detector, also known as Criminal IP FDS, on May 3rd. The plugin queries Criminal IP, an OSINT-based search engine, for real-time threat intelligence in order to detect and block fraudulent login attempts on WordPress websites.
WordPress users with the Advanced Custom Fields plugin on their website should upgrade after the discovery of a vulnerability in the plugin's code that could expose sites and their visitors to cross-site scripting attacks. Because hundreds of millions of sites run it, WordPress has become a popular target for miscreants looking to exploit any flaw in the system - it's where the money is.
Users of the Advanced Custom Fields plugin for WordPress are being urged to update to version 6.1.6 following the discovery of a security flaw. "This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path," Patchstack researcher Rafie Muhammad said.