WordPress

  • Blog

    390,000 WordPress accounts stolen from hackers in supply chain attack

    A threat actor tracked as MUT-1244 has stolen over 390,000 WordPress credentials in a large-scale, year-long campaign targeting other threat actors using a trojanized WordPress credentials checker. Researchers at Datadog Security Labs, who spotted the attacks, say that SSH private keys and AWS access keys were also stolen from the compromised systems of hundreds of other victims, believed to include…

  • Blog

    Hunk Companion WordPress plugin exploited to install vulnerable plugins

    Hackers are exploiting a critical vulnerability in the “Hunk Companion” plugin to install and activate other plugins with exploitable flaws directly from the WordPress.org repository. By installing outdated plugins with known vulnerabilities with available exploits, the attackers can access a large pool of flaws that lead to remote code execution (RCE), SQL injection, cross-site scripting (XSS) flaws, or create backdoor admin…

  • Blog

    Federal judge slaps down Automattic, granting temporary injunction to WP Engine in ongoing WordPress squabble – Computerworld

    One open source executive read the judge’s decision and said he was concerned that the ruling might have come too late to halt the damage done to the open source community. “WP Engine wins a battle, but everyone continues to lose the war. WP Engine has had (about a) 15% increase in cancellations in the last few months, and 159…

  • Blog

    WordPress parent company must stop blocking WP Engine, judge rules

    WP Engine just won a preliminary injunction against WordPress.com parent company Automattic. On Tuesday, a California District Court judge ordered Automattic to stop blocking WP Engine’s access to WordPress.org resources and interfering with its plugins. Judge Araceli Martínez-Olguín found merit in WP Engine’s claims that Automattic’s actions harmed business relationships, saying Mullenweg’s “conduct is designed to induce breach or disruption.”…

  • Blog

    WPForms bug allows Stripe refunds on millions of WordPress sites

    A vulnerability in WPForms, a WordPress plugin used in over 6 million websites, could allow subscriber-level users to issue arbitrary Stripe refunds or cancel subscriptions. Tracked under CVE-2024-11205, the flaw was categorized as a high-severity problem due to the authentication prerequisite. However, given that membership systems are available on most sites, exploitation may be fairly easy in most cases. The…

  • Blog

    Security plugin flaw in millions of WordPress sites gives admin access

    A critical authentication bypass vulnerability has been discovered impacting the WordPress plugin ‘Really Simple Security’ (formerly ‘Really Simple SSL’), including both free and Pro versions. Really Simple Security is a security plugin for the WordPress platform, offering SSL configuration, login protection, a two-factor authentication layer, and real-time vulnerability detection. Its free version alone is used in over four million websites. Wordfence,…

  • Blog

    Pay Once, Host Forever with HostVerge WordPress Hosting for $40

    TL;DR: Get lifetime access to fast, secure WordPress hosting with HostVerge’s Starter Plan for just $39.99 (reg. $99) — no monthly fees, unlimited storage, and expert support. Looking for a fast, reliable, and secure hosting solution for your WordPress site without the headache of monthly fees? HostVerge offers the WordPress Hosting Lifetime Starter Plan for just $39.99 (reg. $99). With…

  • Blog

    Over 6,000 WordPress hacked to install plugins pushing infostealers

    WordPress sites are being hacked to install malicious plugins that display fake software updates and errors to push information-stealing malware. Over the past couple of years, information-stealing malware has become a scourge to security defenders worldwide as stolen credentials are used to breach networks and steal data. Since 2023, a malicious campaign called ClearFake has been used to display fake web browser…

  • Blog

    About that brawl between the WordPress co-founder and WP Engine… – Computerworld

    That appears to be the case here, too. WordPress can’t try the relicensing move. It’s licensed under the General Public License version 2 (GPLv2). This license is both irrevocable and requires any derived work to be licensed under the same license. What Mullenweg can and is doing, though, is trying to shake down WP Engine for more money. As my fellow journalist Matthew…

  • Blog

    The latest on the WordPress fight over trademarks and open source

    Over the past several weeks, WordPress cofounder Matt Mullenweg has made one thing exceedingly clear: he’s in charge of WordPress’ future. Mullenweg heads up WordPress.com and its parent company, Automattic. He owns the WordPress.org project, and he even leads the nonprofit foundation that controls the WordPress trademark. To the outside observer, these might appear to be independent organizations, all separately…
