Tag: wordpress
-
SQL Injection Vulnerability in Ally WordPress Plugin Exposes 200K+ Sites
SQL injection flaw in Ally WordPress plugin exposes 200,000+ sites to data theft. Patch released, but most installations remain unpatched and vulnerable. First seen on hackread.com Jump to article: hackread.com/sql-injection-vulnerability-ally-wordpress-plugin/
-
Breach Roundup: Russian State Actors Target Signal, WhatsApp
Also, More ClickFix Attacks and Teen Booters Arrested in Poland. This week, Russian hackers targeted Signal and WhatsApp users, permit-fee phishing hit U.S. applicants, ClickFix on WordPress sites, Microsoft patched 80 bugs, a 14K-router botnet, Polish teens held over DDoS tools and Finland warned of Russian, Chinese espionage. North Korean IT workers for hire. First…
-
Security Flaw in WordPress Plugin Puts 400,000 Websites at Risk
A security flaw in the Ally WordPress plugin used on more than 400,000 sites could allow attackers to extract sensitive data without logging in. First seen on techrepublic.com Jump to article: www.techrepublic.com/article/news-wordpress-ally-plugin-vulnerability-400k-sites/
-
400K WordPress Sites Exposed by Elementor Ally Plugin SQL Flaw
A SQL injection flaw in the Elementor Ally plugin exposes over 400,000 WordPress sites to potential data theft. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/400k-wordpress-sites-exposed-by-elementor-ally-plugin-sql-flaw/
-
Critical SQL Injection bug in Ally plugin threatens 400,000+ WordPress sites
An unauthenticated SQL injection flaw (CVE-2026-2413) in the Ally WordPress plugin, used on 400K+ sites, could allow attackers to steal sensitive data. An unauthenticated SQL injection flaw, tracked as CVE-2026-2413 (CVSS score 7.5), in the Ally plugin could allow attackers to steal sensitive data. The offensive security engineer Drew Webber at Acquia discovered the vulnerability on…
-
Compromised WordPress Sites Deliver ClickFix Attacks in Global Infostealer Campaign
Over 250 legitimate websites, including news outlets and a US Senate candidate’s official webpage, have been compromised to infect visitors with infostealers, warn Rapid7 researchers First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/wordpress-clickfix-infostealer/
-
Crooks compromise WordPress sites to push infostealers via fake CAPTCHA prompts
Rapid7 says crims broke into more than 250 sites globally, including a US Senate candidate’s campaign page First seen on theregister.com Jump to article: www.theregister.com/2026/03/10/crooks_hijack_wordpress_sites/
-
WordPress Plugin Flaw Lets Attackers Create Admin Accounts
A WordPress plugin flaw allows attackers to create administrator accounts and take over vulnerable sites. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/wordpress-plugin-flaw-lets-attackers-create-admin-accounts/
-
WordPress Membership Plugin Flaw Lets Attackers Create Admin Accounts
A critical security vulnerability in the popular WordPress User Registration & Membership plugin allows unauthenticated attackers to easily create administrator accounts. The severe flaw, officially tracked as CVE-2026-1492, currently affects all plugin versions up to and including 5.1.2. Because it requires no prior authentication or user interaction to exploit, the vulnerability carries a maximum critical…
-
WordPress membership plugin bug exploited to create admin accounts
Hackers are exploiting a critical vulnerability in the User Registration & Membership plugin, which is installed on more than 60,000 WordPress sites. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/wordpress-membership-plugin-bug-exploited-to-create-admin-accounts/
-
Enterprise SSO for WordPress Portals
Simplify access with Enterprise SSO for WordPress portals. Secure, seamless single sign-on integration for your enterprise users. First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/02/enterprise-sso-for-wordpress-portals/
-
GrayCharlie Hacks WordPress Sites, Spreads NetSupport RAT and Stealc Malware
GrayCharlie is abusing compromised WordPress sites to silently load malicious JavaScript that pushes NetSupport RAT, often followed by Stealc and SectopRAT, via fake browser updates and ClickFix lures. Insikt Group tracks GrayCharlie as a financially motivated threat actor overlapping with SmartApeSG, active since mid-2023, and specializing in turning legitimate WordPress sites into malware-delivery points. The…
-
CVE-2026-1357: WordPress Plugin RCE Exposes Sites to Full Takeover
CVE-2026-1357 exposes a critical WordPress WPvivid plugin flaw, allowing unauthenticated RCE, enabling attackers to upload PHP files and fully compromise sites. First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/02/cve-2026-1357-wordpress-plugin-rce-exposes-sites-to-full-takeover/
-
CleanTalk Plugin for WordPress Exposes Sites to Authorization Bypass via Reverse DNS
A critical vulnerability in the popular CleanTalk Spam Protection plugin for WordPress exposes websites to complete takeover. Tracked as CVE-2026-1490, this high-severity flaw allows unauthenticated attackers to bypass authorization mechanisms and install arbitrary plugins on affected sites. The vulnerability carries a CVSS score of 9.8, indicating immediate danger to website administrators using outdated versions of…
-
WordPress plugin with 900k installs vulnerable to critical RCE flaw
A critical vulnerability in the WPvivid Backup & Migration plugin for WordPress, installed on more than 900,000 websites, can be exploited to achieve remote code execution by uploading arbitrary files without authentication. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/wordpress-plugin-with-900k-installs-vulnerable-to-critical-rce-flaw/
-
WordPress Backup Plugin Vulnerability Exposes 800,000 Sites to Remote Code Execution Attacks
A critical vulnerability in the popular WPvivid Backup & Migration plugin is putting more than 800,000 WordPress websites at risk of complete takeover through remote code execution (RCE) attacks. Tracked as CVE-2026-1357 and rated 9.8 on the CVSS scale, the vulnerability allows unauthenticated attackers to upload arbitrary files to vulnerable sites and execute malicious PHP…
-
Measurable WordPress Performance Gains: TTFB, Core Web Vitals and Where NVMe Really Helps
WordPress does not simply become "slow" because one switch is set to "wrong". It is usually many small switches that add up: database queries, PHP execution, theme logic, third-party scripts, images or cache layers. Anyone who wants to improve performance sustainably needs a measurement framework that makes before and after comparable. What Core Web Vitals and TTFB actually measure: Core Web Vitals (CWV) are optimised for user experience. Mostly […]…
-
Disclosure: SupportCandy Ticket Attachment IDOR (CVE-2026-1251)
During independent security research conducted as part of the Wordfence Bug Bounty Program, we identified a broken access control vulnerability in the SupportCandy plugin for WordPress. SupportCandy is a helpdesk and customer support ticketing plugin that enables organisations to manage user-submitted support requests directly within their WordPress environment, including the ability to upload files and…
-
SQL Injection Flaw Affects 40,000 WordPress Sites
40,000 WordPress sites are vulnerable to SQL injection in the Quiz and Survey Master plugin First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/wordpress-sql-injection-flaw-40000/
-
20,000 WordPress Sites at Risk From Plugin Admin Backdoor
A backdoor bug in a WordPress plugin with 20,000+ installs lets attackers create admin accounts without logging in. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/20000-wordpress-sites-at-risk-from-plugin-admin-backdoor/
-
20,000 WordPress Sites Compromised by Backdoor Vulnerability Enabling Malicious Admin Access
A critical backdoor vulnerability discovered in the LA-Studio Element Kit for the Elementor plugin poses an immediate threat to more than 20,000 WordPress installations. The vulnerability, tracked as CVE-2026-0920 with a CVSS severity rating of 9.8 (Critical), enables unauthenticated attackers to create administrator accounts and achieve complete site compromise. The function fails to properly restrict…
-
RealHomes CRM Plugin Flaw Affected 30,000 WordPress Sites
Security flaw in RealHomes CRM plugin allowed file uploads; patches released for 30,000+ sites First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/realhomes-crm-plugin-flaw/
-
Critical Vulnerability in Advanced Custom Fields: Extended Plugin Puts 100,000 WordPress Sites at Risk
A critical security flaw has been discovered in a widely used ACF add-on plugin for WordPress, placing up to 100,000 websites at risk of a full site takeover. The vulnerability affects the Advanced Custom Fields: Extended plugin, an add-on designed to extend the functionality of the popular Advanced Custom Fields ecosystem. An advisory issued about…
-
ACF plugin bug gives hackers admin on 50,000 WordPress sites
A critical-severity vulnerability in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress can be exploited remotely by unauthenticated attackers to obtain administrative permissions. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/acf-plugin-bug-gives-hackers-admin-on-50-000-wordpress-sites/
-
Critical WordPress Plugin Vulnerability Exposes 100,000+ Websites to Privilege Escalation Attacks
A critical privilege escalation vulnerability discovered in the Advanced Custom Fields: Extended WordPress plugin threatens over 100,000 active installations. The vulnerability, identified as CVE-2025-14533 with a CVSS score of 9.8, allows unauthenticated attackers to elevate their privileges to administrative by exploiting a misconfigured user registration form. The Advanced Custom Fields: Extended plugin, an addon for…
-
All In One SEO Plugin Flaw Exposes AI Token to Low-Privilege WordPress Users
A newly disclosed security vulnerability in the All In One SEO ecosystem has drawn attention across the WordPress community due to its potential reach and impact. The flaw affects the widely used AIOSEO plugin, which is active on more than 3 million WordPress websites. It allows low-privileged users to access a site-wide AI access token…
-
Actively exploited critical flaw in Modular DS WordPress plugin enables admin takeover
A critical Modular DS WordPress flaw (CVE-2026-23550) is actively exploited, enabling unauthenticated privilege escalation. Threat actors are actively exploiting a critical Modular DS WordPress vulnerability tracked as CVE-2026-23550 (CVSS score of 10). Modular DS is a WordPress plugin with over 40,000 installs that helps manage multiple sites, enabling monitoring, updates, and remote administration. In plugin…
-
40K WordPress Installs at Risk From Modular DS Admin Bypass
CVE-2026-23550 is being exploited to gain unauthenticated admin access via the Modular DS WordPress plugin. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/40k-wordpress-installs-at-risk-from-modular-ds-admin-bypass/
-
Hackers exploit Modular DS WordPress plugin flaw for admin access
Hackers are actively exploiting a maximum severity flaw in the Modular DS WordPress plugin that allows them to bypass authentication remotely and access the vulnerable sites with admin-level privileges. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/hackers-exploit-modular-ds-wordpress-plugin-flaw-for-admin-access/