WPForms bug allows Stripe refunds on millions of WordPress sites

December 10, 2024 at 03:00PM
A vulnerability in WPForms, affecting over 3 million sites, allows subscriber users to issue unauthorized Stripe refunds or cancel subscriptions (CVE-2024-11205). A fix was released in version 1.9.2.2. Website owners are advised to upgrade or disable the plugin to prevent potential exploitation and revenue loss.

Critical Vulnerabilities Found in Anti-Spam Plugin Used by 200,000 WordPress Sites

November 26, 2024 at 05:37AM
Two severe vulnerabilities in CleanTalk’s WordPress anti-spam plugin could allow remote code execution by unauthorized attackers, affecting over 200,000 installations. Patches for these flaws were released, but as of late November, many users had not updated, leaving them at risk. Users are urged to upgrade to version 6.45 immediately.

Critical Plugin Flaw Exposed 4 Million WordPress Websites to Takeover

November 15, 2024 at 05:35AM
A critical vulnerability in the Really Simple Security plugin affected over 4 million WordPress websites, allowing for full administrative access. This flaw poses significant security risks, potentially enabling unauthorized takeovers of affected sites. The incident highlights the importance of timely security updates and monitoring for vulnerabilities.

LiteSpeed Cache WordPress plugin bug lets hackers get admin access

October 31, 2024 at 12:50PM
The LiteSpeed Cache plugin for WordPress fixed a high-severity privilege elevation flaw (CVE-2024-50550) enabling unauthenticated users to gain admin rights. The vulnerability stemmed from weak hash checks in the role simulation feature. A patch was released on October 17, 2024, but millions remain potentially exposed.

WordPress Plugin Jetpack Patches Major Vulnerability Affecting 27 Million Sites

October 15, 2024 at 01:00AM
Jetpack has released a security update to fix a critical vulnerability allowing logged-in users to access submitted forms on WordPress sites. The flaw, identified in an internal audit, affects versions since 2016. Jetpack collaborated with WordPress.org to ensure automatic updates. Meanwhile, WP Engine disputes WordPress’s control over its plugins.

LiteSpeed Cache Plugin Vulnerability Exposes Millions of WordPress Sites to Attacks

September 6, 2024 at 06:30AM
A critical vulnerability, CVE-2024-44000, was discovered in the LiteSpeed Cache plugin for WordPress, allowing attackers to potentially take over websites by retrieving and using stored user cookies. The flaw was identified and reported by Patchstack, who emphasized the importance of securing the debug log process. The issue was resolved with …

Malware infiltrates Pidgin messenger’s official plugin repository

August 27, 2024 at 01:30PM
The Pidgin messaging app removed the ScreenShareOTR plugin from its official third-party plugin list due to security concerns. The plugin was found to be used for installing keyloggers, information stealers, and malware commonly used to breach corporate networks.

Plugins on WordPress.org backdoored in supply chain attack

June 25, 2024 at 03:32PM
A threat actor altered WordPress plugins on WordPress.org to insert malicious code, creating new admin accounts and injecting SEO spam. Wordfence discovered the breach and notified developers, resulting in patches for most affected products. The compromised plugins include Social Warfare, Blaze Widget, Wrapper Link Element, Contact Form 7 Multi-Step Addon, and …

Several Plugins Compromised in WordPress Supply Chain Attack

June 25, 2024 at 08:48AM
Malicious code inserted into five WordPress plugins created new admin accounts, reported Defiant. Social Warfare versions 4.4.6.4 to 4.4.7.1 contain the code, and users should update to 4.4.7.3. Four other plugins are affected. The attacker sends admin details to their server and adds SEO spam to sites. The plugins are …

Critical WordPress Automatic Plugin Vulnerability Exploited to Inject Backdoors

April 26, 2024 at 06:12AM
Threat actors are exploiting a critical-severity vulnerability (CVE-2024-27956, CVSS score 9.8) in the WordPress Automatic plugin, allowing them to inject malicious code, gain admin privileges, create new accounts, and maintain access to compromised sites. Over 5 million exploit attempts have been seen. Users are advised to update to version 3.92.1 to …