WordPress
Blog
Unpatched critical flaws impact Fancy Product Designer WordPress plugin
Premium WordPress plugin Fancy Product Designer from Radykal is vulnerable to two critical severity flaws that remain unfixed in the current latest version. With more than 20,000 sales, the plugin allows customization of product designs (e.g. clothing, mugs, phone cases) on WooCommerce sites by changing colors, transforming text, or modifying the size. While examining the plugin, Patchstack’s Rafie Muhammad discovered…
Premium WPLMS WordPress plugins address seven critical flaws
Two WordPress plugins required by the premium WordPress WPLMS theme, which has over 28,000 sales, are vulnerable to more than a dozen critical severity vulnerabilities. The bugs could enable a remote, unauthenticated attacker to upload arbitrary files to the server, execute code, escalate privileges to administrator level, and perform SQL injections. The WPLMS theme is a learning management system (LMS) for WordPress, used…
390,000 WordPress accounts stolen from hackers in supply chain attack
A threat actor tracked as MUT-1244 has stolen over 390,000 WordPress credentials in a large-scale, year-long campaign targeting other threat actors using a trojanized WordPress credentials checker. Researchers at Datadog Security Labs, who spotted the attacks, say that SSH private keys and AWS access keys were also stolen from the compromised systems of hundreds of other victims, believed to include…
Hunk Companion WordPress plugin exploited to install vulnerable plugins
Hackers are exploiting a critical vulnerability in the “Hunk Companion” plugin to install and activate other plugins with exploitable flaws directly from the WordPress.org repository. By installing outdated plugins with known vulnerabilities and available exploits, the attackers gain access to a large pool of flaws that lead to remote code execution (RCE), SQL injection, or cross-site scripting (XSS), or let them create backdoor admin…
Federal judge slaps down Automattic, granting temporary injunction to WP Engine in ongoing WordPress squabble – Computerworld
One open source executive read the judge’s decision and said he was concerned that the ruling might have come too late to halt the damage done to the open source community. “WP Engine wins a battle, but everyone continues to lose the war. WP Engine has had (about a) 15% increase in cancellations in the last few months, and 159…
WordPress parent company must stop blocking WP Engine, judge rules
WP Engine just won a preliminary injunction against WordPress.com parent company Automattic. On Tuesday, a California District Court judge ordered Automattic to stop blocking WP Engine’s access to WordPress.org resources and interfering with its plugins. Judge Araceli Martínez-Olguín found merit in WP Engine’s claims that Automattic’s actions harmed business relationships, saying Mullenweg’s “conduct is designed to induce breach or disruption.”…
WPForms bug allows Stripe refunds on millions of WordPress sites
A vulnerability in WPForms, a WordPress plugin used in over 6 million websites, could allow subscriber-level users to issue arbitrary Stripe refunds or cancel subscriptions. Tracked under CVE-2024-11205, the flaw was categorized as a high-severity problem due to the authentication prerequisite. However, given that membership systems are available on most sites, exploitation may be fairly easy in most cases. The…
Security plugin flaw in millions of WordPress sites gives admin access
A critical authentication bypass vulnerability has been discovered impacting the WordPress plugin ‘Really Simple Security’ (formerly ‘Really Simple SSL’), including both free and Pro versions. Really Simple Security is a security plugin for the WordPress platform, offering SSL configuration, login protection, a two-factor authentication layer, and real-time vulnerability detection. Its free version alone is used in over four million websites. Wordfence,…
Pay Once, Host Forever with HostVerge WordPress Hosting for $40
TL;DR: Get lifetime access to fast, secure WordPress hosting with HostVerge’s Starter Plan for just $39.99 (reg. $99) — no monthly fees, unlimited storage, and expert support. Looking for a fast, reliable, and secure hosting solution for your WordPress site without the headache of monthly fees? HostVerge offers the WordPress Hosting Lifetime Starter Plan for just $39.99 (reg. $99). With…
Over 6,000 WordPress hacked to install plugins pushing infostealers
WordPress sites are being hacked to install malicious plugins that display fake software updates and errors to push information-stealing malware. Over the past couple of years, information-stealing malware has become a scourge to security defenders worldwide as stolen credentials are used to breach networks and steal data. Since 2023, a malicious campaign called ClearFake has been used to display fake web browser…