11 articles tagged with "Wordpress"
Attackers compromised Nextend's update infrastructure to push a malicious Smart Slider 3 Pro version with four layers of backdoors. Here's who's affected and how to recover.
AI-discovered vulnerabilities bypass all security policies including 'secure' mode. Most servers won't receive fixes until 2027 without manual intervention.
CVE-2026-3098 lets subscribers read wp-config.php and any server file. Amelia Booking Pro also patched for admin password reset bug. Update these WordPress plugins now.
Malwarebytes researchers detected a Vidar infostealer campaign using fake CAPTCHA pages on compromised WordPress sites. ClickFix technique tricks users into running malicious PowerShell.
Global campaign hijacks WordPress sites in 12 countries to serve fake Cloudflare CAPTCHAs that deploy Vidar, VodkaStealer, and other credential theft malware.
CVE-2026-1492 in User Registration & Membership plugin enables unauthenticated admin account creation. CVSS 9.8—over 100,000 sites at risk.
WordPress plugin wpForo 2.4.14 contains unauthenticated SQL injection, PHP object injection, and multiple authorization bypass flaws. Over 80,000 sites at risk.
Critical CVE-2026-1490 (CVSS 9.8) in CleanTalk anti-spam plugin allows unauthenticated attackers to install malicious plugins via DNS spoofing. Update to 6.72 now.
Attackers exploiting CVE-2025-5947 in Service Finder Bookings plugin to hijack admin accounts through cookie manipulation. Over 6,000 sites potentially exposed.
CVE-2026-23550 in Modular DS plugin scores CVSS 10.0. Active exploitation began January 13, with 40,000+ sites at risk.
CVE-2025-14533 in the ACF Extended plugin allows unauthenticated attackers to register as administrators on 100,000 WordPress sites.