WordPress

  • Blog
    digitpatrox6 days ago
    30

    WordPress plugin disguised as a security tool injects backdoor

    A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it. According to Wordfence researchers, the malware provides attackers with persistent access, remote code execution, and JavaScript injection. At the same time, it remains hidden from the plugin dashboard to evade detection. Wordfence first discovered the malware…

    Read More »
  • Blog
    digitpatrox2 weeks ago
    57

    WordPress ad-fraud plugins generated 1.4 billion ad requests per day

    A large-scale ad fraud operation called ‘Scallywag’ is monetizing pirating and URL shortening sites through specially crafted WordPress plugins that generate billions of daily fraudulent requests. Scallywag was uncovered by bot and fraud detection firm HUMAN, which mapped a network of 407 domains supporting the operation that peaked at 1.4 billion fraudulent ad requests per day. HUMAN’s efforts to block…

    Read More »
  • Blog
    digitpatrox4 weeks ago
    47

    Hackers exploit WordPress plugin auth bypass hours after disclosure

    Hackers started exploiting a high-severity flaw that allows bypassing authentication in the OttoKit (formerly SureTriggers) plugin for WordPress just hours after public disclosure. Users are strongly recommended to upgrade to the latest version of OttoKit/SureTriggers, currently 1.0.79, released at the beginning of the month. The OttoKit WordPress plugin allows users to connect plugins and external tools like WooCommerce, Mailchimp, and Google Sheets,…

    Read More »
  • Blog
    digitpatroxMarch 20, 2025
    50

    Malware campaign ‘DollyWay’ breached 20,000 WordPress sites

    A malware operation dubbed ‘DollyWay’ has been underway since 2016, compromising over 20,000 WordPress sites globally to redirect users to malicious sites. The campaign has evolved significantly in the past eight years, leveraging advanced evasion, re-infection, and monetization strategies. According to GoDaddy researcher Denis Sinegubko, DollyWay has been functioning as a large-scale scam redirection system in its latest version (v3). However, in…

    Read More »
  • Blog
    digitpatroxJanuary 23, 2025
    85

    Critical zero-days impact premium WordPress real estate plugins

    The RealHome theme and the Easy Real Estate plugins for WordPress are vulnerable to two critical severity flaws that allow unauthenticated users to gain administrative privileges. Although the two flaws were discovered in September 2024 by Patchstack, and multiple attempts were made to contact the vendor (InspiryThemes), the researchers say they have not received a response. Also, Patchstack says the…

    Read More »
  • Blog
    digitpatroxJanuary 17, 2025
    85

    W3 Total Cache plugin flaw exposes 1 million WordPress sites to attacks

    A severe flaw in the W3 Total Cache plugin installed on more than one million WordPress sites could give attackers access to various information, including metadata on cloud-based apps. The W3 Total Cache plugin uses multiple caching techniques to optimize a website’s speed, reduce load times, and generally improve its SEO ranking. The flaw is tracked as CVE-2024-12365 despite the developer releasing…

    Read More »
  • Blog
    digitpatroxJanuary 14, 2025
    309

    WP3.XYZ malware attacks add rogue admins to 5,000+ WordPress sites

    A new malware campaign has compromised more than 5,000 WordPress sites to create admin accounts, install a malicious plugin, and steal data. Researchers at webscript security company c/side discovered during an incident response engagement for one of their clients that the malicious activity uses the wp3[.]xyz domain to exfiltrate data but have yet to determine the initial infection vector. After compromising a…

    Read More »
  • Blog
    digitpatroxJanuary 11, 2025
    398

    WordPress developer hours cutback may or may not slow innovation – Computerworld

    “Automatticians who contributed to core will instead focus on for-profit projects within Automattic, such as WordPress.com, Pressable, WPVIP, Jetpack, and WooCommerce,” the statement said. “As part of this reset, Automattic will match its volunteering pledge to those made by WP Engine and other players in the ecosystem, or about 45 hours a week that qualify under the Five For the…

    Read More »
  • Blog
    digitpatroxJanuary 9, 2025
    138

    Unpatched critical flaws impact Fancy Product Designer WordPress plugin

    Premium WordPress plugin Fancy Product Designer from Radykal is vulnerable to two critical severity flaws that remain unfixed in the current latest version. With more than 20,000 sales, the plugin allows customization of product designs (e.g. clothing, mugs, phone cases) on WooCommerce sites by changing colors, transforming text, or modifying the size. While examining the plugin, Patchstack’s Rafie Muhammad discovered…

    Read More »
  • Blog
    digitpatroxDecember 23, 2024
    116

    Premium WPLMS WordPress plugins address seven critical flaws

    Two WordPress plugins required by the premium WordPress WPLMS theme, which has over 28,000 sales, are vulnerable to more than a dozen critical severity vulnerabilities. The bugs could enable a remote, unauthenticated attacker to upload arbitrary files to the server, execute code, escalate privileges to administrator level, and perform SQL injections. The WPLMS theme is a learning management system (LMS) for WordPress, used…

    Read More »
Load More
Back to top button
close