July 23, 2024 at 06:28AM Threat actors use sneaky techniques like swap files to conceal credit card skimmer malware in compromised websites. The skimmer captures payment information and exfiltrates it to an attacker-controlled domain. These actors also use defense evasion methods like malicious plugins and compromised administrator accounts. Site owners are advised on security measures … Read more
July 9, 2024 at 01:22PM Hackers are exploiting a vulnerability in the Modern Events Calendar WordPress plugin, affecting over 150,000 websites. The vulnerability, CVE-2024-5441, allows remote code execution and complete website takeover. A fix in version 7.12.0 has been released, but ongoing attacks are reported, prompting users to upgrade immediately or disable the plugin. Based … Read more
June 25, 2024 at 12:53PM Multiple plug-ins on WordPress.org were compromised by threat actors, injecting malicious code aimed at granting attackers administrative privileges and enabling further malicious activity. The affected plug-ins, including the popular Social Warfare, have been delisted and are unavailable for download, with a recommendation to remove them immediately and perform a complete … Read more
June 25, 2024 at 12:03AM Several WordPress plugins have been compromised and backdoored to inject malicious code, allowing creation of rogue administrator accounts and unauthorized actions on affected websites. The injected malware aims to create new admin accounts and inject malicious JavaScript for SEO spam. Users are advised to check for suspicious accounts and malicious … Read more
April 3, 2024 at 02:28PM LayerSlider, a popular WordPress plugin with over one million users, has been found to be vulnerable to unauthenticated SQL injection, allowing attackers to extract sensitive data from websites. Researcher AmrAwad received a $5,500 bounty for reporting this critical flaw, which has been addressed by the release of version 7.10.1, requiring … Read more
April 3, 2024 at 09:18AM A critical SQL injection vulnerability in the LayerSlider plugin, tracked as CVE-2024-2879 with a CVSS score of 9.8, allows unauthenticated attackers to extract sensitive information from website databases. The issue was reported through Defiant’s bug bounty program, and a $5,500 reward was given to the reporting researcher. Users are advised … Read more
April 3, 2024 at 02:03AM A critical security flaw (CVE-2024-2879) in LayerSlider plugin for WordPress, with a CVSS score of 9.8, could lead to information extraction from databases. The vulnerability, fixed in version 7.10.1, arose from SQL injection and could allow unauthenticated attackers to manipulate SQL queries. Other WordPress plugins have also disclosed security vulnerabilities … Read more
March 18, 2024 at 05:57AM WordPress users are advised to delete miniOrange’s Malware Scanner and Web Application Firewall plugins due to a critical security flaw, with a high CVSS score of 9.8. The flaw allows unauthenticated attackers to gain administrative privileges, leading to potential compromise of the site. Another privilege escalation flaw was found in … Read more
March 12, 2024 at 05:21AM A new malware campaign targets WordPress sites using Popup Builder plugin, infiltrating over 3,900 sites. It exploits CVE-2023-6000 to create rogue admin users and install harmful plugins. WordPress owners are urged to update plugins and scan for malicious code. Additionally, a high-severity bug in Ultimate Member plugin was disclosed, posing … Read more
March 11, 2024 at 11:15AM High-severity vulnerability in Ultimate Member plugin (CVE-2024-2123) enables injection of malicious scripts into WordPress sites. Insufficient input sanitization and output escaping in the plugin’s members directory list functionality allow unauthenticated attackers to inject web scripts and potentially gain administrative user access. Patch released on March 6, impacting versions 2.8.3 and … Read more