Tag: wordpress
-
20,000 WordPress Sites at Risk From Plugin Admin Backdoor
A backdoor bug in a WordPress plugin with 20,000+ installs lets attackers create admin accounts without logging in. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/20000-wordpress-sites-at-risk-from-plugin-admin-backdoor/
-
20,000 WordPress Sites Compromised by Backdoor Vulnerability Enabling Malicious Admin Access
A critical backdoor vulnerability discovered in the LA-Studio Element Kit for the Elementor plugin poses an immediate threat to more than 20,000 WordPress installations. The vulnerability, tracked as CVE-2026-0920 with a CVSS severity rating of 9.8 (Critical), enables unauthenticated attackers to create administrator accounts and achieve complete site compromise. The function fails to properly restrict…
-
RealHomes CRM Plugin Flaw Affected 30,000 WordPress Sites
Security flaw in RealHomes CRM plugin allowed file uploads; patches released for 30,000+ sites First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/realhomes-crm-plugin-flaw/
-
Critical Vulnerability in Advanced Custom Fields: Extended Plugin Puts 100,000 WordPress Sites at Risk
A critical security flaw has been discovered in a widely used ACF add-on plugin for WordPress, placing up to 100,000 websites at risk of a full site takeover. The vulnerability affects the Advanced Custom Fields: Extended plugin, an add-on designed to extend the functionality of the popular Advanced Custom Fields ecosystem. An advisory issued about…
-
ACF plugin bug gives hackers admin on 50,000 WordPress sites
A critical-severity vulnerability in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress can be exploited remotely by unauthenticated attackers to obtain administrative permissions. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/acf-plugin-bug-gives-hackers-admin-on-50-000-wordpress-sites/
-
Critical WordPress Plugin Vulnerability Exposes 100,000+ Websites to Privilege Escalation Attacks
A critical privilege escalation vulnerability discovered in the Advanced Custom Fields: Extended WordPress plugin threatens over 100,000 active installations. The vulnerability, identified as CVE-2025-14533 with a CVSS score of 9.8, allows unauthenticated attackers to elevate their privileges to administrative by exploiting a misconfigured user registration form. The Advanced Custom Fields: Extended plugin, an addon for…
-
All In One SEO Plugin Flaw Exposes AI Token to Low-Privilege WordPress Users
A newly disclosed security vulnerability in the All In One SEO ecosystem has drawn attention across the WordPress community due to its potential reach and impact. The flaw affects the widely used AIOSEO plugin, which is active on more than 3 million WordPress websites. It allows low-privileged users to access a site-wide AI access token…
-
Actively exploited critical flaw in Modular DS WordPress plugin enables admin takeover
A critical Modular DS WordPress flaw (CVE-2026-23550) is actively exploited, enabling unauthenticated privilege escalation. Threat actors are actively exploiting a critical Modular DS WordPress vulnerability tracked as CVE-2026-23550 (CVSS score of 10). Modular DS is a WordPress plugin with over 40,000 installs that helps manage multiple sites, enabling monitoring, updates, and remote administration. In plugin…
-
40K WordPress Installs at Risk From Modular DS Admin Bypass
CVE-2026-23550 is being exploited to gain unauthenticated admin access via the Modular DS WordPress plugin. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/40k-wordpress-installs-at-risk-from-modular-ds-admin-bypass/
-
Hackers exploit Modular DS WordPress plugin flaw for admin access
Hackers are actively exploiting a maximum severity flaw in the Modular DS WordPress plugin that allows them to bypass authentication remotely and access the vulnerable sites with admin-level privileges. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/hackers-exploit-modular-ds-wordpress-plugin-flaw-for-admin-access/
-
PoC Released for Atarim Plugin Auth Bypass Vulnerability
A security researcher has published proof-of-concept code for a critical authentication bypass vulnerability in the Atarim WordPress plugin that could allow attackers to steal sensitive user data and system configuration details. The flaw, tracked as CVE-2025-60188, affects versions of the plugin that use insecure HMAC-based authentication. Field Details CVE ID CVE-2025-60188 GHSA ID GHSA-648j-fchv-3hrv Vulnerability…
-
WordPress Admins Targeted by Renewal Email Phishing Scam
A phishing campaign targeting WordPress admins uses fake renewal emails to steal credit card data and 2FA codes in real time. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/wordpress-admins-targeted-by-renewal-email-phishing-scam/
-
Motors WordPress Vulnerability Exposes Sites to Takeover
A critical flaw in the Motors WordPress theme affecting more than 20,000 installations allows low-privileged users to gain full control of websites First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/motors-wordpress-flaw-takeover/
-
Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks
A critical security flaw in the Sneeit Framework plugin for WordPress is being actively exploited in the wild, per data from Wordfence.The remote code execution vulnerability in question is CVE-2025-6389 (CVSS score: 9.8), which affects all versions of the plugin prior to and including 8.3. It has been patched in version 8.4, released on August…
-
WordPress Plugin Vulnerability Under Active Attack, Allowing Remote Code Execution
A severe remote code execution vulnerability in the Sneeit Framework WordPress plugin is under active exploitation, with attackers launching thousands of attacks within hours of public disclosure. WordPress site administrators must immediately update to version 8.4 or later to prevent complete site compromise. On June 10th, 2025, a remote code execution vulnerability was discovered in…
-
WordPress Plugin Vulnerability Under Active Attack, Allowing Remote Code Execution
A severe remote code execution vulnerability in the Sneeit Framework WordPress plugin is under active exploitation, with attackers launching thousands of attacks within hours of public disclosure. WordPress site administrators must immediately update to version 8.4 or later to prevent complete site compromise. On June 10th, 2025, a remote code execution vulnerability was discovered in…
-
WordPress Plugin Vulnerability Under Active Attack, Allowing Remote Code Execution
A severe remote code execution vulnerability in the Sneeit Framework WordPress plugin is under active exploitation, with attackers launching thousands of attacks within hours of public disclosure. WordPress site administrators must immediately update to version 8.4 or later to prevent complete site compromise. On June 10th, 2025, a remote code execution vulnerability was discovered in…
-
King Addons flaw lets anyone become WordPress admin
Hackers are exploiting a King Addons flaw (CVE-2025-8489) that lets anyone register and instantly gain admin privileges on WordPress sites. Hackers are exploiting a critical vulnerability, tracked as CVE-2025-8489 (CVSS score of 9.8), in the WordPress plugin King Addons for Elementor that allows unauthenticated users to create admin accounts via a registration privilege bug. King…
-
Critical flaw in WordPress add-on for Elementor exploited in attacks
Attackers are exploiting a critical-severity privilege escalation vulnerability (CVE-2025-8489) in the King Addons for Elementor plugin for WordPress, which lets them obtain administrative permissions during the registration process. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/critical-flaw-in-wordpress-add-on-for-elementor-exploited-in-attacks/
-
PoC Published for W3 Total Cache Flaw Exposing 1M+ Sites to RCE
Security researchers have published a proof-of-concept exploit for a critical remote code execution vulnerability in W3 Total Cache, one of WordPress’s most popular caching plugins with over one million active installations. The flaw, tracked as CVE-2025-9501, allows attackers to execute arbitrary code on vulnerable websites under specific conditions. Field Details CVE ID CVE-2025-9501 Affected Product…
-
PoC Published for W3 Total Cache Flaw Exposing 1M+ Sites to RCE
Security researchers have published a proof-of-concept exploit for a critical remote code execution vulnerability in W3 Total Cache, one of WordPress’s most popular caching plugins with over one million active installations. The flaw, tracked as CVE-2025-9501, allows attackers to execute arbitrary code on vulnerable websites under specific conditions. Field Details CVE ID CVE-2025-9501 Affected Product…
-
W3 Total Cache WordPress plugin vulnerable to PHP command injection
A critical flaw in the W3 Total Cache (W3TC) WordPress plugin can be exploited to run PHP commands on the server by posting a comment that contains a malicious payload. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/w3-total-cache-wordpress-plugin-vulnerable-to-php-command-injection/
-
NDSS 2025 EvoCrawl: Exploring Web Application Code And State Using Evolutionary Search
SESSION Session 3C: Mobile Security ———– ———– Authors, Creators & Presenters: Xiangyu Guo (University of Toronto), Akshay Kawlay (University of Toronto), Eric Liu (University of Toronto), David Lie (University of Toronto) ———– PAPER EvoCrawl: Exploring Web Application Code and State using Evolutionary Search As more critical services move onto the web, it has become increasingly…
-
NDSS 2025 EvoCrawl: Exploring Web Application Code And State Using Evolutionary Search
SESSION Session 3C: Mobile Security ———– ———– Authors, Creators & Presenters: Xiangyu Guo (University of Toronto), Akshay Kawlay (University of Toronto), Eric Liu (University of Toronto), David Lie (University of Toronto) ———– PAPER EvoCrawl: Exploring Web Application Code and State using Evolutionary Search As more critical services move onto the web, it has become increasingly…
-
W3 Total Cache Vulnerability Puts Over One Million WordPress Sites at Risk
A severe security flaw has been discovered in the popular W3 Total Cache WordPress plugin, potentially exposing more than one million websites to remote code execution (RCE). The vulnerability, of First seen on thecyberexpress.com Jump to article: thecyberexpress.com/w3-total-cache-cve-2025-9501-wordpress-risk/
-
W3 Total Cache Security Vulnerability Exposes One Million WordPress Sites to RCE
A critical security flaw has been discovered in the widely used W3 Total Cache WordPress plugin, putting over 1 million websites at serious risk. The vulnerability allows attackers to take complete control of affected websites without needing any login credentials. Field Value CVE ID CVE-2025-9501 Plugin Name W3 Total Cache Affected Versions Before 2.8.13 Fixed…
-
W3 Total Cache Security Vulnerability Exposes One Million WordPress Sites to RCE
A critical security flaw has been discovered in the widely used W3 Total Cache WordPress plugin, putting over 1 million websites at serious risk. The vulnerability allows attackers to take complete control of affected websites without needing any login credentials. Field Value CVE ID CVE-2025-9501 Plugin Name W3 Total Cache Affected Versions Before 2.8.13 Fixed…
-
GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites
The malware known as GootLoader has resurfaced yet again after a brief spike in activity earlier this March, according to new findings from Huntress.The cybersecurity company said it observed three GootLoader infections since October 27, 2025, out of which two resulted in hands-on keyboard intrusions with domain controller compromise taking place within 17 hours of…
-
GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites
The malware known as GootLoader has resurfaced yet again after a brief spike in activity earlier this March, according to new findings from Huntress.The cybersecurity company said it observed three GootLoader infections since October 27, 2025, out of which two resulted in hands-on keyboard intrusions with domain controller compromise taking place within 17 hours of…
-
AI Engine Flaw Exposes 100,000 WordPress Sites to Attack
A flaw in the AI Engine plugin exposed 100,000 WordPress sites to takeover attacks. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/news-wordpress-vulnerability-100k-impact/