Wordpress

Pierluigi Paganini June 30, 2023
miniOrange’s WordPress Social Login and Register plugin was affected by a critical auth bypass bug

A critical authentication bypass flaw in miniOrange’s WordPress Social Login and Register plugin, can allow gaining access to any account on a site. Wordfence researchers discovered an authentication bypass vulnerability in miniOrange’s WordPress Social Login and Register plugin, that can allow an unauthenticated attacker to gain access to any account on a site by knowing the associated email […]

Pierluigi Paganini June 14, 2023
Unveiling the Balada injector: a malware epidemic in WordPress

Learn the shocking truth behind the Balada Injector campaign and find out how to protect your organization from this relentless viral invasion. A deadly cyber campaign has been working silently to undermine website security by exploiting popular WordPress plugins — infiltrating over a million websites and leaving administrators scrambling for solutions. In April 2023, Bleeping […]

Pierluigi Paganini May 12, 2023
A flaw in the Essential ‘Addons for Elementor’ WordPress plugin poses 1M sites at risk of hacking

Experts warn of an unauthenticated privilege escalation flaw in the popular Essential ‘Addons for Elementor’ WordPress plugin. Essential ‘Addons for Elementor’ WordPress plugin is a collection of 90+ creative elements and extensions Enhance that allow admins to enhance Elementor page building experience. The plugin has more than one million active installations. Researchers from PatchStack discovered that […]

Pierluigi Paganini May 06, 2023
WordPress Advanced Custom Fields plugin XSS exposes +2M sites to attacks

A reflected cross-site scripting vulnerability is the Advanced Custom Fields plugin for WordPress exposed over 2 million sites to hacking. Assetnote researchers discovered a reflected cross-site scripting vulnerability, tracked as CVE-2023-29489 (CVSS score: 6.1), in the Advanced Custom Fields plugin for WordPress. The ACF field builder allows users to quickly and easily add fields to […]

Pierluigi Paganini April 22, 2023
Abandoned Eval PHP WordPress plugin abused to backdoor websites

Threat actors were observed installing the abandoned Eval PHP plugin on compromised WordPress sites for backdoor deployment. Researchers from Sucuri warned that threat actors are installing the abandoned Eval PHP plugin on compromised WordPress sites for backdoor deployment. The Eval PHP plugin allows PHP code to be inserted into the pages and posts of WordPress […]

Pierluigi Paganini March 24, 2023
Critical flaw in WooCommerce Payments plugin allows site takeover

A patch for a critical vulnerability in the WooCommerce Payments plugin for WordPress has been released for over 500,000 websites. On March 23, 2023, researchers from Wordfence observed that the “WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo” plugin had been updated to version 5.6.2. The WooCommerce Payments plugin is a fully integrated […]

Pierluigi Paganini February 15, 2023
AdSense fraud campaign relies on 10,890 sites that were infected since September 2022

The threat actors behind a massive AdSense fraud campaign infected 10,890 WordPress sites since September 2022. In November 2022, researchers from security firm Sucuri reported to have tracked a surge in WordPress malware redirecting website visitors to fake Q&A sites via ois[.]is. The experts were tracking the campaign since September 2022, the campaign’s end goal was black […]

Pierluigi Paganini December 25, 2022
Experts warn of attacks exploiting WordPress gift card plugin

Threat actors are actively exploiting a critical flaw in the YITH WooCommerce Gift Cards Premium WordPress plugin installed by over 50,000 websites. Hackers are actively exploiting a critical vulnerability, tracked as CVE-2022-45359 (CVSS v3: 9.8), affecting the WordPress plugin YITH WooCommerce Gift Cards Premium. The YITH WooCommerce Gift Cards Premium plugin allows websites of online stores to […]

Pierluigi Paganini November 14, 2022
Massive Black hat SEO campaign used +15K WordPress sites

Experts warn of a malicious SEO campaign that has compromised over 15,000 WordPress websites to redirect visitors to fake Q&A portals. Since September 2022, researchers from security firm Sucuri have tracked a surge in WordPress malware redirecting website visitors to fake Q&A sites via ois[.]is. The campaign’s end goal appears to be black hat SEO aimed at […]

Pierluigi Paganini September 14, 2022
Threat actors are actively exploiting a zero-day in WPGateway WordPress plugin

Threat actors are actively exploiting a zero-day vulnerability in the WPGateway premium plugin to target WordPress websites. The Wordfence Threat Intelligence team reported that threat actors are actively exploiting a zero-day vulnerability (CVE-2022-3180) in the WPGateway premium plugin in attacks aimed at WordPress sites. The WPGateway plugin is a premium plugin that allows users of […]