Tag: WordPress


Cyber-crime, Malware

More than 17,000 WordPress websites infected with the Balada Injector in September

October 13, 2023

Via: Security Affairs

Sucuri researchers reported that more than 17,000 WordPress websites have been compromised in September with the Balada Injector. The researchers noticed that the number of Balada Injector infections has doubled compared with August. The Balada Injector is a malware family […]


Network security, Security

Multiple Flaws Found in Ninja Forms Plugin Leave 800,000 Sites Vulnerable

July 31, 2023

Via: The Hacker News

Multiple security vulnerabilities have been disclosed in the Ninja Forms plugin for WordPress that could be exploited by threat actors to escalate privileges and steal sensitive data. The flaws, tracked as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393, impact versions 3.6.25 and below, […]


Threats & Malware, Vulnerabilities

Cybercriminals Exploiting WooCommerce Payments Plugin Flaw to Hijack Websites

July 18, 2023

Via: The Hacker News

Threat actors are actively exploiting a recently disclosed critical security flaw in the WooCommerce Payments WordPress plugin as part of a massive targeted campaign. The flaw, tracked as CVE-2023-28121 (CVSS score: 9.8), is a case of authentication bypass that enables […]


Network security, Security

Improve Your Security WordPress Spam Protection With CleanTalk Anti-Spam

July 3, 2023

Via: The Hacker News

Every website owner or webmaster grapples with the issue of spam on their website forms. The volume of spam can be so overwhelming that finding useful information within it becomes quite challenging. What exacerbates this issue is that spam can […]


Threats & Malware, Vulnerabilities

Critical Security Flaw in Social Login Plugin for WordPress Exposes Users’ Accounts

June 29, 2023

Via: The Hacker News

A critical security flaw has been disclosed in miniOrange’s Social Login and Register plugin for WordPress that could enable a malicious actor to log in as any user, provided information about the email address is already known. Tracked as CVE-2023-2982 (CVSS score: […]


Network security, Security

Critical Flaw Found in WordPress Plugin for WooCommerce Used by 30,000 Websites

June 22, 2023

Via: The Hacker News

A critical security flaw has been disclosed in the WordPress “Abandoned Cart Lite for WooCommerce” plugin that’s installed on more than 30,000 websites. “This vulnerability makes it possible for an attacker to gain access to the accounts of users who […]


Threats & Malware, Vulnerabilities

New Flaw in WordPress Plugin Used by Over a Million Sites Under Active Exploitation

May 12, 2023

Via: The Hacker News

A security vulnerability has been disclosed in the popular WordPress plugin Essential Addons for Elementor that could be potentially exploited to achieve elevated privileges on affected sites. The issue, tracked as CVE-2023-32243, has been addressed by the plugin maintainers in […]


Cyber-crime, Malware

Over 1 Million WordPress Sites Infected by Balada Injector Malware Campaign

April 10, 2023

Via: The Hacker News

Over one million WordPress websites are estimated to have been infected by an ongoing campaign to deploy malware called Balada Injector since 2017. The massive campaign, per GoDaddy’s Sucuri, “leverages all known and recently discovered theme and plugin vulnerabilities” to […]


Threats & Malware, Vulnerabilities

Critical WooCommerce Payments Plugin Flaw Patched for 500,000+ WordPress Sites

March 24, 2023

Via: The Hacker News

Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites. The flaw, if left unresolved, could enable a bad actor to gain unauthorized admin access to impacted […]


Network security, Threats & Malware, Virus & Malware

Massive AdSense Fraud Campaign Uncovered – 10,000+ WordPress Sites Infected

February 14, 2023

Via: The Hacker News

The threat actors behind the black hat redirect malware campaign have scaled up their campaign to use more than 70 bogus domains mimicking URL shorteners and infect over 10,800 websites. “The main objective is still ad fraud by artificially increasing […]


Threats & Malware, Vulnerabilities

Thousands of WordPress sites hit by gift card plugin flaw

December 27, 2022

Via: TechRadar

Thousands of WordPress websites were found using a vulnerable add-on that allows threat actors to take over the site entirely. Researchers uncovered a critical flaw in YITH WooCommerce Gift Cards Premium, an add-on for the website builder providing an interface […]


Threats & Malware, Vulnerabilities

WordPress Security Update 6.0.3 Patches 16 Vulnerabilities

October 19, 2022

Via: Security Week

WordPress 6.0.3 fixes nine stored and reflected cross-site scripting (XSS) vulnerabilities, as well as open redirect, data exposure, cross-site request forgery (CSRF), and SQL injection flaws. WordPress security company Defiant has shared a description of each vulnerability. Four of them […]


Cyber-crime, Malware

Fake DDoS protection pages are delivering malware!

August 22, 2022

Via: Help Net Security

Malware peddlers are exploiting users’ familiarity with and inherent trust in DDoS protection pages to make them download and run malware on their computer, Sucuri researchers have warned. Hidden malware and fake DDoS protection pages have become so […]


Threats & Malware, Vulnerabilities

Over a Million WordPress Sites Forcibly Updated to Patch a Critical Plugin Vulnerability

June 17, 2022

Via: The Hacker News

WordPress websites using a widely used plugin named Ninja Forms have been updated automatically to remediate a critical security vulnerability that’s suspected of having been actively exploited in the wild. The issue, which relates to a case of code injection, […]


Access control, Security

Account pre-hijacking attacks possible on many online services

May 24, 2022

Via: Help Net Security

Online accounts getting hijacked and misused is an everyday occurrence, but did you know that account pre-hijacking attacks are also possible? Inspired by previous research on preemptive account hijacking by way of single sign-on (SSO) technology, researchers Avinash Sudhodanan and […]


Threats & Malware, Vulnerabilities

Large-Scale Attack Targeting Tatsu Builder WordPress Plugin

May 18, 2022

Via: Security Week

Tracked as CVE-2021-25094 (CVSS score of 8.1), the vulnerability exists because one of the supported actions does not require authentication when uploading a zip file that is extracted under the WordPress upload directory. While the plugin includes an extension control, […]


Threats & Malware, Vulnerabilities

WordPress 5.8.3 Patches Several Injection Vulnerabilities

January 10, 2022

Via: Security Week

Two of the flaws are SQL injections — one affects WP_Meta_Query (discovered by Ben Bidner of the WordPress security team) and one affects WP_Query (discovered by ngocnb and khuyenn of GiaoHangTietKiem JSC). Simon Scannell of SonarSource reported an object injection […]


Threats & Malware, Vulnerabilities

1.6 Million WordPress Sites Under Cyberattack From Over 16,000 IP Addresses

December 10, 2021

Via: The Hacker News

As many as 1.6 million WordPress sites have been targeted by an active large-scale attack campaign originating from 16,000 IP addresses by exploiting weaknesses in four plugins and 15 Epsilon Framework themes. WordPress security company Wordfence, which disclosed details of […]


Cyber-crime, Phishing

Small businesses urged to protect their customers from card skimming

November 23, 2021

Via: Help Net Security

With Black Friday and Cyber Monday quickly approaching, the UK National Cyber Security Centre (NCSC) is urging small online shops to protect their customers from card skimming cyber criminals. As part of NCSC’s Active Cyber Defence programme, the organization has […]


Threats & Malware, Virus & Malware

New Capoae Malware Infiltrates WordPress Sites and Installs Backdoored Plugin

September 21, 2021

Via: The Hacker News

A recently discovered wave of malware attacks has been spotted using a variety of tactics to enslave susceptible machines with easy-to-guess administrative credentials to co-opt them into a network with the goal of illegally mining cryptocurrency. “The malware’s primary tactic […]