Tag: wordpress
-
WordPress TI WooCommerce Wishlist Plugin Flaw Puts Over 100,000 Websites at Risk of Cyberattack
A severe security flaw has been identified in the TI WooCommerce Wishlist plugin, a widely used WordPress extension with over 100,000 active installations. This plugin enables WooCommerce store owners to integrate wishlist functionality into their online shops, often alongside other extensions like WC Fields Factory for enhanced form customization. However, the latest version (2.9.2 as…
-
Flawed WordPress theme may allow admin account takeover on 22,000+ sites (CVE-2025-4322)
A critical vulnerability (CVE-2025-4322) in Motors, a WordPress theme popular with car/motor dealerships and rental services, can be easily exploited by unauthenticated … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/05/21/wordpress-motors-theme-cve-2025-4322-admin-account-takeover/
-
Crawlomatic WordPress plugin patched for critical 9.8 RCE flaw
First seen on scworld.com Jump to article: www.scworld.com/news/crawlomatic-wordpress-plugin-patched-for-critical-98-rce-flaw
-
Premium WordPress ‘Motors’ theme vulnerable to admin takeover attacks
A critical privilege escalation vulnerability has been discovered in the premium WordPress theme Motors, which allows unauthenticated attackers to hijack administrator accounts and take complete control of websites. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/premium-wordpress-motors-theme-vulnerable-to-admin-takeover-attacks/
-
Security Flaw in WordPress Plugin Puts 22,000 Websites at Risk of Cyber Attacks
Critical security vulnerability has been discovered in Motors, a popular WordPress theme with over 22,000 sales, potentially exposing thousands of websites to complete takeover. Security researchers at Wordfence identified an unauthenticated privilege escalation vulnerability that allows attackers to change passwords of any user, including administrators, without requiring prior authentication. The vulnerability, identified as CVE-2025-4322 with…
-
WordPress Plugin Flaw Puts 22,000 Websites at Risk of Cyber Attacks
A severe security flaw has been uncovered in the Motors WordPress theme, a popular choice for car dealerships and listings with over 22,000 sales on ThemeForest. Researcher Foxyyy reported a critical Privilege Escalation vulnerability through the Wordfence Bug Bounty Program, earning a $1,073 bounty for their detailed and reproducible submission. This vulnerability, rated 9.8 (Critical)…
-
OttoKit – 100.000fach installiertes WordPress-Plugin hat kritische Sicherheitslücke
First seen on security-insider.de Jump to article: www.security-insider.de/sicherheitsluecken-wordpress-plugin-ottokit-a-17da0424c392a0544d63bb166967c27e/
-
Thousands of WordPress Sites at Risk Due to Critical Crawlomatic Plugin Vulnerability
A severe security vulnerability has been discovered in the popular WordPress plugin, Crawlomatic Multisite Scraper Post Generator, potentially placing thousands of websites at risk. Tracked as CVE-2025-4389, the flaw allows unauthenticated attackers to upload malicious files, which could ultimately lead to remote code execution on affected websites. First seen on thecyberexpress.com Jump to article: thecyberexpress.com/crawlomatic-plugin-hit-by-cve-2025-4389/
-
Beware! A threat actor could steal the titles of your private (and draft) WordPress posts!
As of today, almost a billion sites have been built using WordPress, powering businesses and organizations of all sizes. That makes any newly discovered vulnerability especially concerning”, like the one recently found and reported by Imperva researchers, which could affect any WordPress site. In this blog post, we’ll explain the attack itself, the conditions that…
-
Critical WordPress Plugin Flaw Puts Over 10,000 Sites of Cyberattack
A serious security flaw affecting the Eventin plugin, a popular event management solution for WordPress, was recently discovered by Denver Jackson, a member of the Patchstack Alliance community. This vulnerability in the plugin, which boasts over 10,000 active installations, allowed any unauthenticated user to gain administrative access to the affected sites, putting them at significant…
-
Attacks with new OttoKit flaw target WordPress sites
First seen on scworld.com Jump to article: www.scworld.com/brief/attacks-with-new-ottokit-flaw-target-wordpress-sites
-
Hackers exploit OttoKit WordPress plugin flaw to add admin accounts
Hackers are exploiting a critical unauthenticated privilege escalation vulnerability in the OttoKit WordPress plugin to create rogue admin accounts on targeted sites. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/hackers-exploit-ottokit-wordpress-plugin-flaw-to-add-admin-accounts/
-
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 44
Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape io_uring Is Back, This Time as a Rootkit I StealC You: Tracking the Rapid Changes To StealC Interesting WordPress Malware Disguised as Legitimate Anti-Malware Plugin Using Trusted Protocols Against You: Gmail as a C2 Mechanism […]…
-
Malware gains persistence by mimicking WordPress security plugin
First seen on scworld.com Jump to article: www.scworld.com/brief/malware-gains-persistence-by-mimicking-wordpress-security-plugin
-
Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers
Cybersecurity researchers have shed light on a new campaign targeting WordPress sites that disguises the malware as a security plugin.The plugin, which goes by the name “WP-antymalwary-bot.php,” comes with a variety of features to maintain access, hide itself from the admin dashboard, and execute remote code.”Pinging functionality that can report back to a command-and-control (C&C)…
-
WordPress plugin disguised as a security tool injects backdoor
A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/wordpress-plugin-disguised-as-a-security-tool-injects-backdoor/
-
Sneaky WordPress Malware Disguised as Anti-Malware Plugin
WordPress sites are under threat from a deceptive anti-malware plugin. Learn how this malware grants backdoor access, hides… First seen on hackread.com Jump to article: hackread.com/wordpress-malware-disguised-as-anti-malware-plugin/
-
New WordPress Malware Masquerades as Plugin
New WordPress malware disguised as a plugin gives attackers persistent access and injects malicious code enabling administrative control First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/wordpress-malware-masquerades/
-
A large-scale phishing campaign targets WordPress WooCommerce users
A large-scale phishing campaign targets WordPress WooCommerce users with a fake security alert urging them to download a ‘critical patch’ hiding a backdoor. Patchstack researchers uncovered a large-scale phishing campaign targeting WordPress WooCommerce users with a fake security alert. Threat actors urge recipients to download a >>critical patch
-
WooCommerce admins targeted by fake security patches that hijack sites
A large-scale phishing campaign targets WooCommerce users with a fake security alert urging them to download a “critical patch” that adds a WordPress backdoor to the site. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/woocommerce-admins-targeted-by-fake-security-patches-that-hijack-sites/
-
Over 100,000 WordPress Plugin VUlnerability Exploited Just 4 Hours After Disclosure
Over 100,000 WordPress websites have been exposed to a critical security vulnerability, following the public disclosure of a flaw in the popular SureTriggers plugin (version 1.0.78 and below) on April 10, 2025. Exploitation attempts were observed within just four hours after the vulnerability was published”, a stark reminder of the speed with which cybercriminals act.…
-
Major WordPress Plugin Flaw Exploited in Under 4 Hours
Flaw in SureTriggers plugin allows unauthenticated users to create admin accounts on WordPress sites First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/wordpress-plugin-flaw-exploited-4/
-
OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation
A newly disclosed high-severity security flaw impacting OttoKit (formerly SureTriggers) has come under active exploitation within a few hours of public disclosure.The vulnerability, tracked as CVE-2025-3102 (CVSS score: 8.1), is an authorization bypass bug that could permit an attacker to create administrator accounts under certain conditions and take control of susceptible websites.”The First seen on…
-
Hackers exploit WordPress plugin auth bypass hours after disclosure
Hackers started exploiting a high-severity flaw that allows bypassing authentication in the OttoKit (formerly SureTriggers) plugin for WordPress just hours after public disclosure. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/hackers-exploit-wordpress-plugin-auth-bypass-hours-after-disclosure/
-
Rogue Account”‘Creation Flaw Leaves 100″¯K WordPress Sites Exposed
A severe vulnerability has been uncovered in the SureTriggers WordPress plugin, which could leave over 100,000 websites at risk. The issue, discovered by security researcher mikemyers, allows attackers to create rogue administrative users on sites where the plugin is not properly configured. Vulnerability Details This critical flaw, registered as CVE-2025-3102, is rooted in the plugin’s…
-
50,000+ WordPress Sites Vulnerable to Privilege Escalation Attacks
In a recent cybersecurity development, over 50,000 WordPress websites using the Uncanny Automator plugin have been identified as vulnerable to a critical privilege escalation attack. This vulnerability, discovered by security researcher mikemyers through the Wordfence Bug Bounty Program, allows authenticated attackers with subscriber-level access or higher to escalate their privileges to that of an administrator.…
-
Widespread WordPress site compromise likely with WP Ultimate CSV Importer bugs
Tags: wordpressFirst seen on scworld.com Jump to article: www.scworld.com/brief/widespread-wordpress-site-compromise-likely-with-wp-ultimate-csv-importer-bugs
-
20,000 WordPress Sites at Risk of File Upload Deletion Exploits
A critical security alert has been issued to WordPress site administrators following the discovery of two high-severity vulnerabilities in the >>WP Ultimate CSV Importer
-
WordPress attackers hide malware in overlooked plugins directory
First seen on scworld.com Jump to article: www.scworld.com/news/wordpress-attackers-hide-malware-in-overlooked-plugins-directory
-
Hackers exploit little-known WordPress MU-plugins feature to hide malware
A new security issue is putting WordPress-powered websites at risk. Hackers are abusing the “Must-Use” plugins (MU-plugins) feature to hide malicious code and maintain long-term access on hacked websites. First seen on bitdefender.com Jump to article: www.bitdefender.com/en-us/blog/hotforsecurity/hackers-exploit-little-known-wordpress-mu-plugins-feature-to-hide-malware