Tag: wordpress
-
NDSS 2025 The (Un)usual Suspects Studying Reasons For Lacking Updates In WordPress
SESSION Session 2B: Web Security Authors, Creators & Presenters: Maria Hellenthal (CISPA Helmholtz Center for Information Security), Lena Gotsche (CISPA Helmholtz Center for Information Security), Rafael Mrowczynski (CISPA Helmholtz Center for Information Security), Sarah Kugel (Saarland University), Michael Schilling (CISPA Helmholtz Center for Information Security), Ben Stock (CISPA Helmholtz Center for Information Security) PAPER The…
-
Critical Site Takeover Flaw Affects 400K WordPress Sites
Attackers are already targeting a vulnerability in the Post SMTP plugin that allows them to fully compromise an account and website for nefarious purposes. First seen on darkreading.com Jump to article: www.darkreading.com/vulnerabilities-threats/critical-site-takeover-flaw-400k-wordpress-sites
-
AI Engine WordPress Plugin Exposes 100,000 WordPress Sites to Privilege Escalation Attacks
A critical vulnerability discovered in the AI Engine WordPress plugin threatens over 100,000 active installations worldwide. On October 4th, 2025, security researchers identified a Sensitive Information Exposure vulnerability that allows unauthenticated attackers to extract bearer tokens and escalate their privileges to administrator level. The vulnerability, tracked as CVE-2025-11749 with a CVSS rating of 9.8 (Critical),…
-
Hackers exploit WordPress plugin Post SMTP to hijack admin accounts
Threat actors are actively exploiting a critical vulnerability in the Post SMTP plugin installed on more than 400,000 WordPress sites, to take complete control by hijacking administrator accounts. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/hackers-exploit-wordpress-plugin-post-smtp-to-hijack-admin-accounts/
-
Critical WordPress Post SMTP Plugin Vulnerability Puts 400,000 Sites at Risk of Account Takeover
A critical vulnerability has been discovered in the Post SMTP WordPress plugin, affecting over 400,000 active installations across the web. The vulnerability, identified as CVE-2025-11833 with a CVSS score of 9.8, allows unauthenticated attackers to access sensitive email logs and execute account takeover attacks on vulnerable WordPress sites. Researchers have already documented over 4,500 exploitation…
-
Hackers exploit critical auth bypass flaw in JobMonster WordPress theme
Threat actors are targeting a critical vulnerability in the JobMonster WordPress theme that allows hijacking of administrator accounts under certain conditions. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/hackers-exploit-critical-auth-bypass-flaw-in-jobmonster-wordpress-theme/
-
WordPress security plugin exposes private data to site subscribers
The Anti-Malware Security and Brute-Force Firewall plugin for WordPress, installed on over 100,000 sites, has a vulnerability that allows subscribers to read any file on the server, potentially exposing private information. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/wordpress-security-plugin-exposes-private-data-to-site-subscribers/
-
Mass Attack Targets WordPress via GutenKit and Hunk Companion Plugins
Mass exploitation attacks are once again targeting WordPress websites, this time through serious vulnerabilities in two popular plugins,… First seen on hackread.com Jump to article: hackread.com/wordpress-mass-attack-gutenkit-hunk-companion-plugins/
-
Critical WordPress Plugin Bugs Exploited En Masse
Wordfence says threat actors are trying to exploit three critical vulnerabilities from 2024 First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/critical-wordpress-plugin-bugs/
-
Wordfence blocks 8.7M attacks exploiting old GutenKit and Hunk Companion flaws
Hackers exploited old RCE flaws in the WordPress GutenKit and Hunk Companion plugins; the security firm Wordfence blocked 8.7M attacks in two days. In September and October 2024, submissions revealed Arbitrary Plugin Installation vulnerabilities in the GutenKit and Hunk Companion WordPress plugins, with 40,000 and 8,000+ installs, respectively. These flaws allow unauthenticated attackers to install plugins and achieve RCE.…
-
Hackers Exploit WordPress Arbitrary Installation Vulnerabilities in the Wild
Tags: control, cyber, cybersecurity, exploit, flaw, hacker, malicious, software, vulnerability, wordpress
Cybersecurity firm Wordfence has uncovered a renewed wave of mass exploitation targeting critical vulnerabilities in two popular WordPress plugins, allowing unauthenticated attackers to install malicious software and potentially seize control of websites. The flaws, first disclosed in late 2024, affect the GutenKit and Hunk Companion plugins, which boast over 40,000 and 8,000 active installations respectively. Despite…
-
Hackers launch mass attacks exploiting outdated WordPress plugins
A widespread exploitation campaign is targeting WordPress websites with GutenKit and Hunk Companion plugins vulnerable to critical-severity, old security issues that can be used to achieve remote code execution (RCE). First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/hackers-launch-mass-attacks-exploiting-outdated-wordpress-plugins/
-
Critical Security Vulnerability in WordPress Theme 'Service Finder'
A severe security vulnerability in the WordPress theme 'Service Finder' and its associated plugin 'Bookings' is currently being actively exploited by attackers. The flaw, catalogued as CVE-2025-5947, allows unauthorized parties to log in as administrator without valid credentials and take complete control of affected websites. First seen on it-daily.net Jump to article: www.it-daily.net/it-sicherheit/cloud-security/service-finder-sicherheitsluecke
-
Hackers Abuse Blockchain Smart Contracts to Spread Malware via Infected WordPress Sites
A financially motivated threat actor codenamed UNC5142 has been observed abusing blockchain smart contracts as a way to facilitate the distribution of information stealers such as Atomic (AMOS), Lumma, Rhadamanthys (aka RADTHIEF), and Vidar, targeting both Windows and Apple macOS systems. "UNC5142 is characterized by its use of compromised WordPress websites and 'EtherHiding,' a technique used…
-
Critical WordPress Plugin Vulnerability Allows Admin Account Takeover
Critical WordPress flaw lets attackers gain admin control, stressing the need for fast patching. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/critical-wordpress-plugin-vulnerability-allows-admin-account-takeover/
-
Auth Bypass Flaw in Service Finder WordPress Plugin Under Active Exploit
An Authentication Bypass (CVE-2025-5947) in Service Finder Bookings plugin allows any unauthenticated attacker to log in as an administrator. Over 13,800 exploit attempts detected. Update to v6.1 immediately. First seen on hackread.com Jump to article: hackread.com/auth-bypass-service-finder-wordpress-plugin-exploit/
-
CVE-2025-5947: WordPress Plugin flaw lets hackers access Admin accounts
Threat actors are exploiting a critical flaw, tracked as CVE-2025-5947 (CVSS score 9.8), in the Service Finder WordPress theme's Bookings plugin. The plugin (versions ≤6.0) has an authentication bypass issue allowing attackers to log in as any…
-
Hackers Targeting WordPress Plugin Vulnerability to Seize Admin Access
A critical authentication bypass in the Service Finder Bookings plugin has enabled unauthenticated attackers to assume administrator privileges on thousands of WordPress sites. Exploitation began within 24 hours of public disclosure, and over 13,800 exploit attempts have been blocked by the Wordfence Firewall to date. On June 8, 2025, a submission to the Wordfence Bug…