WordPress

  • Blog

    W3 Total Cache plugin flaw exposes 1 million WordPress sites to attacks

    A severe flaw in the W3 Total Cache plugin, installed on more than one million WordPress sites, could give attackers access to a range of information, including metadata on cloud-based apps. The W3 Total Cache plugin uses multiple caching techniques to optimize a website’s speed, reduce load times, and generally improve its SEO ranking. The flaw is tracked as CVE-2024-12365 despite the developer releasing…

  • Blog

    WP3.XYZ malware attacks add rogue admins to 5,000+ WordPress sites

    A new malware campaign has compromised more than 5,000 WordPress sites to create admin accounts, install a malicious plugin, and steal data. Researchers at web script security company c/side discovered during an incident response engagement for one of their clients that the malicious activity uses the wp3[.]xyz domain to exfiltrate data, but they have yet to determine the initial infection vector. After compromising a…

  • Blog

    WordPress developer hours cutback may or may not slow innovation – Computerworld

    “Automatticians who contributed to core will instead focus on for-profit projects within Automattic, such as WordPress.com, Pressable, WPVIP, Jetpack, and WooCommerce,” the statement said. “As part of this reset, Automattic will match its volunteering pledge to those made by WP Engine and other players in the ecosystem, or about 45 hours a week that qualify under the Five For the…

  • Blog

    Unpatched critical flaws impact Fancy Product Designer WordPress plugin

    Premium WordPress plugin Fancy Product Designer from Radykal is vulnerable to two critical severity flaws that remain unfixed in the current latest version. With more than 20,000 sales, the plugin allows customization of product designs (e.g. clothing, mugs, phone cases) on WooCommerce sites by changing colors, transforming text, or modifying the size. While examining the plugin, Patchstack’s Rafie Muhammad discovered…

  • Blog

    Premium WPLMS WordPress plugins address seven critical flaws

    Two WordPress plugins required by the premium WordPress WPLMS theme, which has over 28,000 sales, are vulnerable to more than a dozen critical severity vulnerabilities. The bugs could enable a remote, unauthenticated attacker to upload arbitrary files to the server, execute code, escalate privileges to administrator level, and perform SQL injections. The WPLMS theme is a learning management system (LMS) for WordPress, used…

  • Blog

    390,000 WordPress accounts stolen from hackers in supply chain attack

    A threat actor tracked as MUT-1244 has stolen over 390,000 WordPress credentials in a large-scale, year-long campaign targeting other threat actors using a trojanized WordPress credentials checker. Researchers at Datadog Security Labs, who spotted the attacks, say that SSH private keys and AWS access keys were also stolen from the compromised systems of hundreds of other victims, believed to include…

  • Blog

    Hunk Companion WordPress plugin exploited to install vulnerable plugins

    Hackers are exploiting a critical vulnerability in the “Hunk Companion” plugin to install and activate other plugins with exploitable flaws directly from the WordPress.org repository. By installing outdated plugins with known vulnerabilities and publicly available exploits, the attackers gain access to a large pool of flaws that lead to remote code execution (RCE), SQL injection, and cross-site scripting (XSS), or create backdoor admin…

  • Blog

    Federal judge slaps down Automattic, granting temporary injunction to WP Engine in ongoing WordPress squabble – Computerworld

    One open source executive read the judge’s decision and said he was concerned that the ruling might have come too late to halt the damage done to the open source community. “WP Engine wins a battle, but everyone continues to lose the war. WP Engine has had (about a) 15% increase in cancellations in the last few months, and 159…

  • Blog

    WordPress parent company must stop blocking WP Engine, judge rules

    WP Engine just won a preliminary injunction against WordPress.com parent company Automattic. On Tuesday, a California District Court judge ordered Automattic to stop blocking WP Engine’s access to WordPress.org resources and interfering with its plugins. Judge Araceli Martínez-Olguín found merit in WP Engine’s claims that Automattic’s actions harmed business relationships, saying Mullenweg’s “conduct is designed to induce breach or disruption.”…

  • Blog

    WPForms bug allows Stripe refunds on millions of WordPress sites

    A vulnerability in WPForms, a WordPress plugin used in over 6 million websites, could allow subscriber-level users to issue arbitrary Stripe refunds or cancel subscriptions. Tracked under CVE-2024-11205, the flaw was categorized as a high-severity problem due to the authentication prerequisite. However, given that membership systems are available on most sites, exploitation may be fairly easy in most cases. The…
