August 22, 2024 at 06:21AM A critical security vulnerability in the Litespeed Cache plugin, affecting more than 5 million WordPress websites, allows unauthenticated attackers to gain administrator privileges. The bug bounty program of Patchstack disclosed this vulnerability, leading to a $14,400 reward for the researcher. Although a fix has been issued, around 2 million websites … Read more
August 20, 2024 at 11:06AM A critical vulnerability in the GiveWP WordPress plugin (CVE-2024-5932, CVSS score 10/10) exposed over 100,000 websites, allowing unauthenticated attackers to execute arbitrary remote code or delete files. Exploiting a bug in serialization, attackers could potentially take over affected sites, which has been addressed in version 3.14.2 and users are urged … Read more
May 7, 2024 at 05:48PM Hackers are exploiting vulnerabilities in outdated LiteSpeed Cache and Email Subscribers plugins for WordPress, creating rogue admin users and compromising sites. An unauthenticated cross-site scripting flaw, CVE-2023-40000, affects LiteSpeed Cache versions older than 5.7.0.1, while Email Subscribers plugin versions 5.7.14 and older are vulnerable to a critical SQL injection flaw, … Read more
February 15, 2024 at 10:03AM Security researchers discovered new malware known as TinyTurla-NG and TurlaPower-NG, being used by the Russian hacker group Turla. The group exploits vulnerable WordPress websites for command and control purposes. Targeting organizations across various sectors, they aim to steal sensitive data using custom tools and malware. The malware’s purpose is to … Read more
February 15, 2024 at 09:56AM Security researchers have discovered new malware called TinyTurla-NG and TurlaPower-NG, utilized by the Russian hacker group Turla for network access and data theft. Turla exploits vulnerable WordPress websites for command and control, targeting organizations across various sectors. The malware’s backdoor functionality and data exfiltration methods were detailed in a report … Read more
January 17, 2024 at 11:04AM Over 6,700 WordPress sites were infected with the Balada Injector malware through a vulnerable Popup Builder plug-in, exploiting a cross-site scripting vulnerability (CVE-2023-6000). This long-running campaign has compromised over 1 million WordPress sites. Security experts advise implementing integrity monitoring and conducting routine updates to mitigate these threats. Based on the … Read more
December 11, 2023 at 05:48PM A critical security flaw in the WordPress Backup Migration plugin (CVE-2023-6553) allows unauthenticated attackers to remotely execute PHP code, compromising vulnerable websites. The bug, rated 9.8/10 in severity, was quickly patched after being reported to BackupBliss. However, many websites remain vulnerable, and WordPress admins are urged to take immediate action … Read more