Category: WordPress
- Critical WordPress Plugin Vulnerability Exposes Websites to Authentication Bypass Attacks
  A critical vulnerability in a widely used WordPress plugin has exposed over 200,000 websites to full account takeover, raising urgent concerns across the security community. Discovered on May 8, 2026, by Wordfence’s AI-powered PRISM threat intelligence platform, the flaw affects the Burst Statistics plugin, a…
- 50,000 WordPress Sites Exposed to Critical Ninja Forms File Upload RCE Vulnerability
  A critical security flaw in the popular WordPress plugin “Ninja Forms – File Upload” has left approximately 50,000 websites vulnerable to complete takeover. Tracked as CVE-2026-0740, this flaw boasts a maximum CVSS severity score of 9.8, making it a severe threat that requires…
- Smashing Security podcast #459: This clever scam nearly hijacked a tech CEO’s Apple ID
  In episode 459 of Smashing Security, we dive into a chillingly clever account takeover attempt targeting WordPress co-founder Matt Mullenweg – involving MFA fatigue, real Apple alerts, a convincing support call, and a phishing page that oh-so-nearly worked. If a famous…
- Attackers Hijacking Legitimate Websites to Attack Microsoft Teams Users
  A multi-vector phishing campaign is using compromised WordPress sites to steal login credentials from Microsoft Teams and Xfinity users. By hijacking these trusted sites, attackers can bypass security filters and trick victims into disclosing sensitive information. The threat actors are not relying on a single method to…
- 200,000 WordPress websites at risk of being hijacked due to vulnerable Post SMTP plugin
  Over 200,000 websites running a vulnerable version of a popular WordPress plugin could be at risk of being hijacked by hackers. Read more in my article on the Hot for Security blog. (Graham Cluley)
- WordPress GravityForms Plugin Hacked to Include Malicious Code
  A sophisticated supply chain attack has compromised the official GravityForms WordPress plugin, allowing attackers to inject malicious code that enables remote code execution on affected websites. The attack, discovered on July 11, 2025, represents a significant security breach affecting one of WordPress’s most popular form-building plugins, with…
- Inside a Dark Adtech Empire Fed by Fake CAPTCHAs
  Late last year, security researchers made a startling discovery: Kremlin-backed disinformation campaigns were bypassing moderation on social media platforms by leveraging the same malicious advertising technology that powers a sprawling ecosystem of online hucksters and website hackers. A new report on the fallout from that investigation…
- 82,000+ WordPress Sites Exposed to Remote Code Execution Attacks
  Critical vulnerabilities were identified in TheGem, a premium WordPress theme with more than 82,000 installations worldwide. Researchers identified two separate but interconnected vulnerabilities in TheGem theme versions 5.10.3 and earlier. When combined, these vulnerabilities create a dangerous attack vector that could lead to remote code execution…
- Hackers exploit little-known WordPress MU-plugins feature to hide malware
  A new security issue is putting WordPress-powered websites at risk. Hackers are abusing the “Must-Use” plugins (MU-plugins) feature to hide malicious code and maintain long-term access on hacked websites. Read more in my article on the Hot for Security blog. (Graham Cluley)
- Gootloader inside out
  Open-source intelligence reveals the server-side code of this pernicious SEO-driven malware – without needing a lawyer afterward. (Gabor Szappanos, Sophos)