December 12, 2024 at 05:30AM Threat actors are exploiting vulnerabilities in the Hunk Companion and WP Query Console WordPress plugins for backdoor access to websites. The Hunk Companion flaw (CVE-2024-9707) allows unauthorized plugin installation, while WP Query Console (CVE-2024-50498) poses a remote code execution risk. Administrators should update to Hunk Companion version 1.9.0 immediately. ### … Read more
December 12, 2024 at 05:15AM A critical vulnerability (CVE-2024-11972, CVSS 9.8) in the Hunk Companion WordPress plugin allows attackers to install malicious plugins, risking Remote Code Execution and other exploits. This flaw impacts all versions prior to 1.9.0 and has over 10,000 installations. Additionally, a related vulnerability in WPForms also poses risks. ### Meeting Takeaways … Read more
December 10, 2024 at 03:00PM A vulnerability in WPForms, affecting over 3 million sites, allows subscriber users to issue unauthorized Stripe refunds or cancel subscriptions (CVE-2024-11205). A fix was released in version 1.9.2.2. Website owners are advised to upgrade or disable the plugin to prevent potential exploitation and revenue loss. ### Meeting Summary on WPForms … Read more
November 26, 2024 at 05:37AM Two severe vulnerabilities in CleanTalkâs WordPress anti-spam plugin could allow remote code execution by unauthorized attackers, affecting over 200,000 installations. Patches for these flaws were released, but as of late November, many users had not updated, leaving them at risk. Users are urged to upgrade to version 6.45 immediately. **Meeting … Read more
November 18, 2024 at 03:41PM A critical flaw in the Really Simple Security WordPress plug-in, affecting over 4 million sites, allows attackers to bypass authentication and gain administrative access. Rated 9.8 on the CVSS scale, the vulnerability has been patched in version 9.1.2. Users are urged to confirm updates to protect their sites. ### Meeting … Read more
November 17, 2024 at 11:37AM A critical vulnerability (CVE-2024-10924) in the ‘Really Simple Security’ WordPress plugin allows unauthorized access due to improper user authentication handling. Wordfence warns it enables mass exploitation, urging forced updates. The flaw affects versions 9.0.0 to 9.1.1.1, with a fix released in version 9.1.2. Users must manually update to avoid risks. … Read more
November 15, 2024 at 05:35AM A critical vulnerability in the Really Simple Security plugin affected over 4 million WordPress websites, allowing for full administrative access. This flaw poses significant security risks, potentially enabling unauthorized takeovers of affected sites. The incident highlights the importance of timely security updates and monitoring for vulnerabilities. **Meeting Takeaways:** 1. **Incident … Read more
October 31, 2024 at 12:50PM The LiteSpeed Cache plugin for WordPress fixed a high-severity privilege elevation flaw (CVE-2024-50550) enabling unauthenticated users to gain admin rights. The vulnerability stemmed from weak hash checks in the role simulation feature. A patch was released on October 17, 2024, but millions remain potentially exposed. ### Meeting Takeaways: 1. **Vulnerability … Read more
October 22, 2024 at 01:01PM Threat actors have intensified their campaign using fake browser updates to spread malware, targeting over 6,000 WordPress sites via compromised plugins. GoDaddy reports that the ClickFix variant employs social engineering tactics to deceive users, leading to malware installation. Automated processes facilitate the creation of these malicious plugins, enhancing detection challenges. … Read more
October 21, 2024 at 01:56PM WordPress sites are being compromised to introduce malicious plugins that show fake software updates and error messages, aimed at installing information-stealing malware. **Meeting Takeaways:** 1. **Security Breach Risk:** WordPress sites are currently at risk of being hacked. 2. **Malicious Plugin Installation:** Hackers are installing malicious plugins on affected WordPress sites. … Read more