Hunk Companion, WP Query Console Vulnerabilities Chained to Hack WordPress Sites

December 12, 2024 at 05:30AM Threat actors are exploiting vulnerabilities in the Hunk Companion and WP Query Console WordPress plugins for backdoor access to websites. The Hunk Companion flaw (CVE-2024-9707) allows unauthorized plugin installation, while WP Query Console (CVE-2024-50498) poses a remote code execution risk. Administrators should update to Hunk Companion version 1.9.0 immediately.

Critical WordPress Anti-Spam Plugin Flaws Expose 200,000+ Sites to Remote Attacks

November 26, 2024 at 08:42AM Two critical vulnerabilities (CVE-2024-10542 and CVE-2024-10781) in WordPress’s CleanTalk plugin could enable attackers to install malicious plugins, potentially leading to remote code execution. With a CVSS score of 9.8, users are urged to update to versions 6.44 or 6.45 to mitigate risks against unauthorized access.

Urgent: Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites

November 17, 2024 at 11:57PM A critical authentication bypass vulnerability (CVE-2024-10924) in the Really Simple Security plugin for WordPress could allow attackers to gain full admin access. Affecting over 4 million sites, the vulnerability has been patched in version 9.1.2 after responsible disclosure. Similar vulnerabilities were also found in WPLMS Learning Management System.

LiteSpeed Cache Plugin Vulnerability Poses Significant Risk to WordPress Websites

October 31, 2024 at 06:32AM A critical unauthenticated privilege escalation vulnerability (CVE-2024-50550) has been discovered in the LiteSpeed Cache plugin for WordPress, allowing unauthorized users to gain admin access. The flaw has been patched in version 6.5.2. Users are urged to stay informed on plugin updates due to ongoing WordPress repository changes.

Jetpack fixes critical information disclosure flaw existing since 2016

October 14, 2024 at 03:37PM Jetpack, a popular WordPress plugin, released a critical update to fix a vulnerability allowing logged-in users to access submitted forms from other visitors. The flaw affects all versions since 3.9.9, with fixes available for 101 versions. Users are urged to upgrade immediately, though no exploitation evidence has been found.

Cisco merch shoppers stung in Magecart attack

September 6, 2024 at 04:06PM Russia-based attackers injected data-stealing JavaScript into Cisco’s online store, exploiting an Adobe Magento flaw. Cisco has fixed the issue and addressed the security concern, assuring that only a limited number of users were affected and no credentials were compromised. The attackers exploited a critical vulnerability, and the malicious JS code …

LiteSpeed Cache Plugin Vulnerability Exposes Millions of WordPress Sites to Attacks

September 6, 2024 at 06:30AM A critical vulnerability, CVE-2024-44000, was discovered in the LiteSpeed Cache plugin for WordPress, allowing attackers to potentially take over websites by retrieving and using stored user cookies. The flaw was identified and reported by Patchstack, who emphasized the importance of securing the debug log process. The issue was resolved with …

Exploitation Expected for Flaw in Caching Plugin Installed on 5M WordPress Sites

August 22, 2024 at 06:21AM A critical security vulnerability in the LiteSpeed Cache plugin, affecting more than 5 million WordPress websites, allows unauthenticated attackers to gain administrator privileges. The bug bounty program of Patchstack disclosed this vulnerability, leading to a $14,400 reward for the researcher. Although a fix has been issued, around 2 million websites …

Critical Flaw in WordPress LiteSpeed Cache Plugin Allows Hackers Admin Access

August 22, 2024 at 02:00AM A critical security flaw in the LiteSpeed Cache plugin for WordPress (CVE-2024-28000, CVSS score: 9.8) could allow unauthenticated users to gain administrator privileges. It has been patched in version 6.4 released on August 13, 2024. This vulnerability underscores the importance of strong and unpredictable security hashes or nonces in web …

LiteSpeed Cache bug exposes millions of WordPress sites to takeover attacks

August 21, 2024 at 01:27PM A critical vulnerability in the LiteSpeed Cache WordPress plugin allows attackers to create rogue admin accounts, potentially compromising millions of websites.