WordPress Plugin Exploited to Steal Credit Card Data from E-commerce Sites

May 28, 2024 at 02:45AM Unknown threat actors are exploiting WordPress’s Dessky Snippets plugin, with over 200 active installations, to insert PHP credit card skimming malware into compromised sites. The malware manipulates WooCommerce’s checkout process to steal credit card details, exfiltrating them to a specific URL. This underscores the need for WordPress site owners, especially …

Critical WordPress Automatic Plugin Vulnerability Exploited to Inject Backdoors

April 26, 2024 at 06:12AM Threat actors are exploiting a critical-severity vulnerability (CVE-2024-27956, CVSS score 9.8) in the WordPress Automatic plugin, allowing them to inject malicious code, gain admin privileges, create new accounts, and maintain access to compromised sites. Over 5 million exploit attempts have been seen. Users are advised to update to version 3.92.1 to …

Hackers Exploiting WP-Automatic Plugin Bug to Create Admin Accounts on WordPress Sites

April 26, 2024 at 02:42AM Threat actors are actively exploiting a critical security flaw (CVE-2024-27956) in the WP‑Automatic plugin for WordPress, posing high risk. Exploitation can lead to unauthorized access, admin account creation, file uploads, and site control. Over 5.5M attack attempts have been detected, alongside other plugin vulnerabilities (e.g., CVE-2024-2876, CVE-2024-28890, CVE-2024-2417, CVE-2024-32514). Stay updated for more …

Critical Forminator plugin flaw impacts over 300k WordPress sites

April 20, 2024 at 05:07PM The popular Forminator WordPress plugin, utilized on over 500,000 sites, is susceptible to a critical vulnerability allowing malicious file uploads to servers. This flaw, detailed by Japan’s CERT, includes potential for sensitive data access, site alteration, and a denial-of-service condition. Site admins are cautioned to promptly update to version 1.29.3 …

Critical flaw in LayerSlider WordPress plugin impacts 1 million sites

April 3, 2024 at 02:28PM LayerSlider, a popular WordPress plugin with over one million users, has been found to be vulnerable to unauthenticated SQL injection, allowing attackers to extract sensitive data from websites. Researcher AmrAwad received a $5,500 bounty for reporting this critical flaw, which has been addressed by the release of version 7.10.1, requiring …

Critical Vulnerability Found in LayerSlider Plugin Installed on a Million WordPress Sites

April 3, 2024 at 09:18AM A critical SQL injection vulnerability in the LayerSlider plugin, tracked as CVE-2024-2879 with a CVSS score of 9.8, allows unauthenticated attackers to extract sensitive information from website databases. The issue was reported through Defiant’s bug bounty program, and a $5,500 reward was given to the reporting researcher. Users are advised …

In Other News: Airline Privacy Review, SEC’s SolarWinds Hack Probe, Apple MFA Bombing

March 29, 2024 at 10:36AM Summary: SecurityWeek’s roundup compiles this week’s cybersecurity stories, including US airlines facing privacy reviews, HHS cyberattack investigation, analysis of phishing kits like Tycoon and Darcula, MFA bombing attacks on Apple users, continued investigation into Chinese hacking of Finland’s parliament, and revelations about abandoned WordPress plugins. Other topics include the SEC’s …

39,000 Websites Infected in ‘Sign1’ Malware Campaign

March 22, 2024 at 09:54AM Security firm Sucuri warns that over 39,000 websites have been infected with new malware called Sign1, which redirects visitors to scam domains and displays unwanted ads. The JavaScript-based malware is injected into compromised websites, hidden with obfuscation, and conditionally executed based on specific visitor and website conditions. The firm has …

WordPress Admins Urged to Remove miniOrange Plugins Due to Critical Flaw

March 18, 2024 at 05:57AM WordPress users are advised to delete miniOrange’s Malware Scanner and Web Application Firewall plugins due to a critical security flaw, with a high CVSS score of 9.8. The flaw allows unauthenticated attackers to gain administrative privileges, leading to potential compromise of the site. Another privilege escalation flaw was found in …

Discontinued Security Plugins Expose Many WordPress Sites to Takeover

March 15, 2024 at 08:15AM Thousands of WordPress websites are at risk due to critical vulnerabilities in two miniOrange plugins, Malware Scanner and Web Application Firewall. The flaw allows unauthorized users to gain administrative privileges and take control of a site. Similarly, another high-severity vulnerability was found in the RegistrationMagic plugin, enabling unauthorized users to …