Flaws in Backup Migration and Elementor WordPress Plugins Allow Remote Code Execution

December 12, 2023 at 09:30AM Two popular WordPress plugins, Elementor and Backup Migration, have been found to have critical remote code execution (RCE) vulnerabilities, affecting over 5 million users. Elementor’s RCE flaw was due to an authenticated arbitrary file upload issue, while Backup Migration’s CVE-2023-6553 vulnerability was exploited to include malicious PHP code. Updated versions …

50K WordPress sites exposed to RCE attacks by critical bug in backup plugin

December 11, 2023 at 05:48PM A critical security flaw in the WordPress Backup Migration plugin (CVE-2023-6553) allows unauthenticated attackers to remotely execute PHP code, compromising vulnerable websites. The bug, rated 9.8/10 in severity, was quickly patched after being reported to BackupBliss. However, many websites remain vulnerable, and WordPress admins are urged to take immediate action …

WordPress Releases Update 6.4.2 to Address Critical Remote Attack Vulnerability

December 8, 2023 at 04:48AM WordPress version 6.4.2 patches a critical security flaw potentially exploitable with plugins, particularly in multisite setups. The vulnerability stems from the WP_HTML_Token class and can lead to arbitrary PHP code execution when chained with other bugs. Patchstack advises developers to replace ‘unserialize’ function calls to prevent attacks. Takeaways from the …

WordPress fixes POP chain exposing websites to RCE attacks

December 7, 2023 at 03:17PM WordPress version 6.4.2 fixes a critical RCE vulnerability, exploitable via a flaw in plugins or themes. Although the core issue isn’t critical alone, it can lead to arbitrary PHP code execution when combined with other vulnerabilities, particularly on multisite installations. Users are advised to manually verify their WordPress update. Meeting …

WordPress Bug ‘Patch’ Installs Backdoor for Full Site Takeover

December 5, 2023 at 11:21AM Cybercriminals are circulating a bogus WordPress security email, claiming to resolve a fake RCE vulnerability with a “patch” that is actually a backdoor for site hijacking. No infections are reported yet, but users are urged not to install the offered plugin and to be wary of phishing attempts. Meeting Takeaways: …

Fake WordPress security advisory pushes backdoor plugin

December 4, 2023 at 12:19PM WordPress security experts are warning of phishing emails with fake security advisories asking admins to install a malicious plugin, which creates a hidden user and downloads a backdoor to the site, potentially for injecting ads, stealing data, or blackmail. Users are urged to be cautious. Key Takeaways from Meeting Notes …

Binance’s Smart Chain Exploited in New ‘EtherHiding’ Malware Campaign

October 16, 2023 at 01:12AM Threat actors are using Binance’s Smart Chain (BSC) contracts to host and deliver malicious code, making it difficult to detect and stop their attacks. The campaign, known as EtherHiding, leverages compromised WordPress sites to deceive users into downloading malware through fake browser update notices. The decentralized nature of blockchain makes …