Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Wordpress Vulnerability. Show all posts
Wordpress Vulnerability
Cyber Security cyber threat Plugin Privilege Escalation Website Takeover Risk WordPress Security Flaw Wordpress Vulnerability

Newly Discovered WordPress Plugin Bug Enables Privilege Escalation to Admin


 

With WordPress, millions of websites depend on its convenience, but it also includes a complex web of extensions, which quietly handle everything from user onboarding to payment-based membership. In addition to simplifying site management and extending functionality, these plugins often work with deep integration into the platform's authentication and permission systems.

If any minor mistake is made within this layer, the consequences can extend far beyond a routine software malfunction. Having recently discovered a security flaw in a widely deployed membership management plugin, attention has been drawn to this fragile intersection between functionality and security, showing how external parties could bypass normal security safeguards by bypassing the user registration process and achieving the highest level of administrative privileges. 

An issue that affects affected sites is not simply one of technical misconfiguration, but also one that may allow unauthorized actors to take complete control of the website. In the past few years, WordPress has been powered by a robust ecosystem of plugins, enabling everything from membership portals to subscription-based services with minimal technical effort. 

Nevertheless, when input validation and access controls are not carefully applied, this same flexibility can pose subtle security risks. Recent disclosures of a vulnerability in a widely used membership plugin highlight this fragile balance, which opens the door to a possible takeover of tens of thousands of WordPress installations. 

It has been confirmed that malicious actors have already exploited the vulnerability, tracked as CVE-2026-1492, by manipulating account roles during the sign-up process, granting them administrator-level privileges without authentication and effectively gaining full control over affected sites through exploiting a flaw in the plugin's registration process.

It is estimated that the vulnerability affects more than 60,000 websites using WPEverest's User Registration & Membership plugin. As a result, the plugin fails to properly validate role parameters entered during registration, which leads to the issue. 

Unauthenticated attackers can tamper with this input to assign elevated privileges to newly created accounts, bypassing the intended permission restrictions, allowing them to register directly as site administrators. By obtaining such access, attackers can install malicious plugins, alter site content, extract sensitive information, such as user databases, embed hidden malware within the website infrastructure, or alter site content after obtaining such access.

Consequently, the consequences of privilege escalation are particularly severe within the WordPress permission framework, in which administrator accounts are granted unrestricted access to virtually all website functionality. Those who gain access to this level of the system can modify themes and plugins, modify PHP code, alter security settings, and even remove legitimate administrators.

In practical terms, a compromised website can become a controlled asset that can be used for further malicious activities, such as malware distribution or unauthorized data harvesting from registered users or visitors. After the vulnerability was publicly disclosed, Defiant researchers, the company behind the widely used Wordfence security plugin, reported observing attempts to exploit the vulnerability. 

Over two hundred malicious requests attempting to exploit CVE-2026-1492 were blocked within a 24-hour period by monitoring across protected environments, indicating that the flaw has been rapidly incorporated into automated attacks. As a result of the vulnerability, all versions of the plugin up to version 5.1.2. are vulnerable. 

Developers have since released a fix to address the issue, first in version 5.1.3 and then in version 5.1.4. This version also has additional stability and security improvements. Consequently, administrators are strongly advised to upgrade as soon as possible to the latest version, or temporarily disable the plugin if patch deployment cannot be completed promptly. 

It has been reported by Wordfence that CVE-2026-1492 is the most severe vulnerability to date in the plugin. Additionally, this incident reflects an ongoing trend in which attackers systematically scan the WordPress ecosystem for exploitable plugin vulnerabilities. In addition to distributing malware and hosting phishing campaigns, compromised websites are frequently used to operate command-and-control infrastructure, proxy malicious traffic, or store data stolen from others. 

Similar patterns were observed earlier in January 2026 when threat actors exploited another critical vulnerability, CVE-2026-23550, affecting the Modular DS WordPress plugin and allowing remote authentication bypass with administrator access. 

In incidents such as these, security risks remain prevalent in platforms powered by plugins such as WordPress, where a single mistake in access control can result in the compromise of thousands of websites. Since the vulnerability is so severe and exploitation attempts have already surfaced so quickly, security experts emphasize the importance of taking immediate defensive action.

Website operators are advised to review installed plugins, apply available security updates as soon as possible, and implement monitoring mechanisms that will detect any suspicious administrative activity or unauthorized account creation. By conducting regular security audits, following the principle of least privilege, and employing reputable security plugins, similar threats can be significantly reduced. 

In general, the incident illustrates the importance of maintaining continuous vigilance, timely patch management, and disciplined configuration practices to ensure that widely used plugins do not become entry points into large-scale attacks. It is crucial that the operational convenience offered by extensible platforms like WordPress is balanced with continuous vigilance and timely patch management.
Read more »
zero-day exploit
CVE-2024-11972 Flaws Hunk Companion plugin malware plugin security WordPress RCE flaws Wordpress Vulnerability zero-day exploit

Critical Security Flaw in "Hunk Companion" Plugin Exploited by Hackers

 


Hackers are actively exploiting a serious security vulnerability in the "Hunk Companion" plugin to install and activate other plugins that contain known vulnerabilities from the WordPress.org repository. This targeted attack allows the installation of plugins with a variety of vulnerabilities, including remote code execution (RCE), SQL injection, and cross-site scripting (XSS), and even enables the creation of unauthorized admin backdoors.

Exploitation of Outdated Plugins

By focusing on outdated plugins with existing exploits, attackers can execute malicious actions, compromising WordPress sites. WPScan discovered the malicious activity and reported the issue to the developers of Hunk Companion. In response, a security update addressing the zero-day vulnerability was released yesterday.

Hunk Companion is an add-on plugin designed to enhance WordPress themes developed by ThemeHunk. Although it is installed on over 10,000 WordPress sites, it remains a relatively niche tool within the WordPress ecosystem, according to WordPress.org statistics.

Details of the Vulnerability

The critical vulnerability, identified by WPScan researcher Daniel Rodriguez, is tracked as CVE-2024-11972. This flaw allows attackers to install plugins via POST requests without authentication, creating a serious security risk for affected WordPress sites.

All versions of Hunk Companion prior to version 1.9.0, released yesterday, are affected. During an investigation of an infected site, WPScan found evidence of active exploitation of CVE-2024-11972. This exploit enabled the installation of a compromised version of the WP Query Console plugin, which has not been updated in over seven years. The hackers used this plugin to execute malicious PHP code by exploiting the RCE flaw CVE-2024-50498.

According to WPScan, “In the infections we've analyzed, attackers use the RCE to write a PHP dropper to the site’s root directory. This dropper allows continued unauthenticated uploads via GET requests, enabling persistent backdoor access to the site.”

Previous Attempts to Fix the Vulnerability

A similar flaw was addressed in version 1.8.5 of Hunk Companion, tracked as CVE-2024-9707. However, this fix was found to be insufficient, and attackers managed to bypass it.

Due to the severity of this vulnerability and the ongoing exploitation, users of Hunk Companion are strongly advised to update to version 1.9.0 immediately. At the time of reporting, version 1.9.0 had been downloaded around 1,800 times, leaving approximately 8,000 sites still vulnerable to attacks.

Read more »
Wordpress Vulnerability
brute-force protection CVE-2024-50550 Cyber Security LiteSpeed Cache plugin Patchstack plugin security role simulation Security flaw Unauthorized access update LiteSpeed Cache Wordpress Vulnerability

Critical Security Vulnerability Found in LiteSpeed Cache Plugin: Urgent Update Advised for WordPress Users

 

A significant security flaw has been uncovered in the LiteSpeed Cache plugin, used by over 6 million WordPress sites, which could allow unauthorized visitors to gain administrator-level access. The vulnerability stems from a weakness in the plugin's role simulation feature, making it possible for attackers to bypass security and install harmful plugins.

The LiteSpeed Cache plugin, popular for site performance enhancements, is compatible with widely-used WordPress plugins like WooCommerce, bbPress, and Yoast SEO.

According to cybersecurity firm Patchstack, this vulnerability results from weak hash checks, which can be exploited under certain administrator-defined configurations. The issue is particularly pronounced when high run durations and minimal load limits are applied within the plugin's Crawler feature.

Listed as CVE-2024-50550, the vulnerability is concerning due to its susceptibility to brute-force attacks, enabling attackers to bypass essential security mechanisms.

Specific configurations that make this vulnerability more likely include:
  • Enabling the Crawler feature with run durations between 2500-4000 seconds
  • Setting the server load limit to 0
  • Activating role simulation for administrator-level users
  • Recommended Actions to Mitigate the Risk
  • In response, LiteSpeed has removed the role simulation feature and enhanced hash generation processes. The company has also shared plans with Patchstack to introduce more sophisticated random value generation in future updates to further safeguard against brute-force exploits.
Patchstack recommends that all LiteSpeed Cache users update to version 6.5.2 or later to mitigate these risks.

"This vulnerability underscores the importance of strong, unpredictable values for security hashes or nonces," Patchstack noted, adding that features like role simulation should always include robust access controls.

Additionally, administrators are advised to review plugin settings, optimizing configurations like Crawler run duration and load limits to strengthen security.
Read more »
Wordpress Vulnerability
Command and Control(C2) Linux Malicious actor Plugin Flaws Spyware URL Vulnerabilities and Exploits Wordpress Vulnerability

WordPress Sites Hit by New Linux Malware

According to an analysis by cybersecurity company Dr. Web, WordPress-based websites are being targeted by an unidentified Linux malware variant.

Recognized as LinuxBackDoor.WordPressExploit.1, while it can also operate on 64-bit Linux versions, the Trojan favors 32-bit versions. 30 vulnerabilities in numerous outdated WordPress plugins and themes have been used by Linux malware.  

Injecting harmful JavaScript into the webpages of websites using the WordPress content management system (CMS) is its primary purpose. The malware may be the malicious instrument that hackers have used for more than three years to perform specific attacks and generate income from the resale of traffic, or arbitrage, based on a study of an unearthed trojan program undertaken by Doctor Web's specialists. 

Malicious actors can remotely operate a Trojan by sending its command and control (C&C) server the URL of the site they want to infect. Threat actors can also remotely disable the spyware, turn it off, and stop recording its activities. 

The researchers described how the process works, adding that if a plugin or theme vulnerability is exposed, the injection is done so that, irrespective of the original contents of the page, the JavaScript would be launched first when the infected page is loaded. By clicking any part of the compromised website, users will be sent to the attackers' preferred website.

Additionally, it can take advantage of many plugins' flaws, including the Brizy WordPress Plugin, the FV Flowplayer Video Player, and the WordPress Coming Soon Page.

According to Dr. Web, both Trojan variants include unreleased functionality for brute-force hacking the admin access of selected websites. Applying well-known logins and passwords while utilizing specialized vocabulary can accomplish this.

The researchers issued a warning, speculating that hackers may be considering using this feature in further iterations of the malware. Cybercriminals will even be able to effectively attack some of the websites that utilize current plugin versions with patched vulnerabilities.

WordPress is reportedly used by 43% of websites, making it a CMS that cybercriminals aggressively target.WordPress website owners are recommended by Dr. Web to update all parts of their platforms, including any third-party add-ons and themes, and to use secure passwords for their accounts.

Read more »
Wordpress Vulnerability
Flaws Plugins Security Flaws Vulnerabilities and Exploits Web security Website Takeover Website vulnerability WordPress Plugin Wordpress Vulnerability

Brizy WordPress Plugin Exploit Chains Permit Full Site Takeovers

 

According to researchers, flaws in the Brizy Page Builder plugin for WordPress sites may be linked together to allow attackers to totally take over a website. 

Brizy (or Brizy - Page Builder) is used on over 90,000 websites. It's advertised as an easy-to-use website builder for individuals with no technical knowledge. It has over 500 pre-designed blocks, maps and video integration, and drag-and-drop creation capability. 

Before version 2.3.17, it also had a stored cross-site scripting (XSS) vulnerability and an arbitrary file-upload vulnerability, according to researchers. 

“During a routine review of our firewall rules, we found traffic indicating that a vulnerability might be present in the Brizy – Page Builder plugin, though it did not appear to be under active attack,” researchers at Wordfence explained in a Wednesday posting. 

“This led us to discover two new vulnerabilities as well as a previously patched access-control vulnerability in the plugin that had been reintroduced.” 

According to the researchers, the two new flaws may be chained together with the reintroduced access control weakness to enable total site takeover. Any logged-in user, in combination with the stored XSS flaw, would be able to edit any published post and inject malicious JavaScript into it. Meanwhile, a combination with the other flaw may allow any logged-in user to post potentially executable files and achieve remote code execution. 

A Reintroduced Access Control Bug Serves as the Attack's Foundation

The previous access-control problem (now listed as CVE-2021-38345) was fixed in June 2020 but reappeared this year in version 1.0.127. According to Wordfence, it's a high-severity problem caused by a lack of adequate authorisation checks, allowing attackers to edit posts. The plugin used a pair of administrator functions for a wide range of authorization checks, and any user that passed one of these tests was considered to be an administrator.

"Being logged in and visiting any endpoint in the wp-admin directory was sufficient to pass this check," as per the researchers. 

As a result, all logged-in users, such as newsletter subscribers, were able to alter any post or page made or updated with the Brizy editor, even if it had already been published. 

According to Wordfence’s analysis, “While this vulnerability might only be a nuisance on its own, allowing attackers to replace the original contents of pages, it enabled two additional vulnerabilities that could each be used to take over a site.” 
 
The first follow-on bug (CVE-2021-38344) is a medium-severity stored XSS flaw that allows intruders to insert malicious scripts into web pages. Because it is a stored XSS issue rather than a reflected one, victims are only required to visit the affected page to be attacked. 

The flaw allows a less-privileged user (such as a contributor or subscriber) to attach JavaScript to an update request, which is subsequently executed if the post is read or previewed by another user, such as an administrator. It becomes hazardous, however, when paired with the authorisation bypass, according to the researchers. 

The second new vulnerability is a high-severity arbitrary file-upload flaw (CVE-2021-38346), which might allow authenticated users to post files to a website. According to Wordfence researchers, the authorization check vulnerability allows subscriber-level users to elevate their privileges and subsequently upload executable files to a place of their choice via the brizy_create_block_screenshot AJAX method. According to the evaluation, other types of assaults are also possible.

“While the plugin appended .JPG to all uploaded filenames, a double extension attack was also possible,” researchers explained. 

“For instance, a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations, including Apache/modPHP with an AddHandler or unanchored SetHandler directive. An attacker could also prepend their filename with ../ to perform a directory traversal attack and place their file in an arbitrary location, which could potentially be used to circumvent execution restrictions added via .htaccess.” 

Thus, “by supplying a file with a .PHP extension in the id parameter, and base64-encoded PHP code in the ibsf parameter, an attacker could effectively upload an executable PHP file and obtain full remote code execution on a site, allowing site takeover,” they added. 

Users can protect themselves by switching to the most recent version of the plugin, 2.3.17.
Read more »
Wordpress Vulnerability
malware Plugins Wordpress Security Wordpress Vulnerability

WordPress Websites Infected with Malware Via Fake jQuery Files


Cybersecurity experts discovered fake variants of the jQuery Migrate plugin inserted in various sites that had unclear codes to launch malware. The files are tagged as jquery-migrate.min.js and jquery-migrate.js, currently located where Java files are generally found on WordPress websites but in reality are fake. Presently, around 7 Million websites use the jQuery Migrate plugin, the popularity of the plugin may have led hackers to use it as a decoy to plant their malware under the plugin name. 

Cybersecurity experts Adrian Stoian and Denis Sinegubko earlier this week discovered fake jQuery files pretending to be jQuery migrate plugins on several websites. To avoid getting caught, the infected files interchange with legitimate files having ./wp-includes/js/jquery/ directory where all the WordPress files are present. 

These counterfeit files have further muddled the codes using an anonymous analytics.js file containing malicious codes. As of now, the threat level of this attack is yet to be determined, but a search query shared by Sinegubko revealed that the malicious code infected around forty web pages.  

The filename 'analytics' however, has nothing to do with the metrics of websites. Bleeping computer enquired some infected file codes. "The code has references to "/wp-admin/user-new.php" which is the WordPress administration page for creating new users. Moreover, the code accesses the _wpnonce_create-user variable which WordPress uses to enforce Cross-Site Request Forgery (CSRF) protections," reports Bleeping Computer. 

In general, if the hackers get the CSRF tokens, it allows them to imitate fake requests from the user end. Attaching these malicious scripts on WordPress websites allows hackers to deploy various cyberattacks using that may vary from credit card skimming for Megacart scams or redirecting users to scammed websites. Here, the victims may be led to fake survey forums, tech assistance frauds, requests for subscribing to spam notifications, or installing malicious browser extensions.  

Helpnet Security reports, "everyone with half a mind for security will tell you not to click on links in emails, but few people can explain exactly why you shouldn’t do that. Clicking on that link means that an attacker can fake any user-supplied input on a site and make it indistinguishable from a user doing it themselves."
Read more »
Wordpress Vulnerability
Plugins Technology News Wordpress Vulnerability

The “Real-Time Find and Replace” Wordpress Plugin Updated To Address A High Severity Vulnerability



So as to address a high severity vulnerability, the “Real-Time Find and Replace” WordPress plugin was updated as of late in order to forestall the exploitation to infuse code into sites.

The plugin, accessible as open source and has over 100,000 installations is intended to permit WordPress site admins to dynamically supplant HTML content from themes and different plugins with the content on their personal preference before the page is served to users.

The vulnerability recognized by the name of 'Cross-Site Request Forgery (CSRF)' prompting Cross-Site Scripting (XSS), could have permitted an attacker to infuse malignant JavaScript code on a target site, yet just by fooling the administrator into performing explicit actions, such as clicking a link.

The core of the plugin's 'functionality' for including the find and replace rules in the function far_options_page, which didn't confirm the integrity of a request's source, since it didn't utilize nonce verification, WordPress Security Company Defiant had discovered.

 By supplanting an HTML tag like <head> with noxious JavaScript, an attacker would ensure that their code executes on about each page of the targeted site. Utilizing the infused code, the attacker could make another administrative account; steal session cookies, or direct clients to a malevolent site.

Defiant detailed the vulnerability to the plugin's developer on April 22 and the security flaw was tended to the same day.

The security company Defiant says, “Any attacker capable of tricking a site owner into executing an unwanted action could replace any content or HTML on a vulnerable site with new content or malicious code. This replacement code or content would then execute anytime a user navigated to a page that contained the original content. ”

“In the most up to date version, a nonce has been added along with a check_admin_referer nonce verification function to ensure the legitimacy of the source of a request,” Defiant explained further.

Version 4.0.2 or newer of the Real-Time Find and Replace plugin includes a patch for the bug, and users are advised to update the plugin as soon as possible to ensure their WordPress websites are protected.
Read more »
Wordpress Vulnerability
Cyber Crime Hacking News User Security Wordpress Vulnerability

Zero-day Stored XSS Vulnerability Allowed Attackers to Compromise 70,000 Websites



Researchers found out that "Social Warfare", a social sharing plug-in powered by Warfare Plugins is infected with a critical Stored XSS Zero-day flaw which allows cybercriminals to place malicious scripts and conquer the assailable WordPress websites.

'Social Warfare' is a social sharing plugin which is essentially used to accumulate more website traffic by receiving more social shares for website developers.

Amidst some of the plugins debugging features, the plug-in carries an exploitable code which assists the payload in being stored in the website's database and reclaimed with every page request.

Referencing from Sucuri research, “These features aren’t directly used anywhere and rely on various $_GET parameters to be executed, which makes it easy to see if your site was attacked using this vulnerability."

The exploit which was rampantly distributed across the globe is a critical flaw that has allowed hackers to entirely gain control of the ill-protected websites in the sphere.

As the abuse of the exploit continued, multiple ongoing attempts from over a hundred distinct IPs were noticed by the analysts.

Reportedly, around 70,000 websites have the plugin installed and the attacks are likely to multiply if the flaw is left unpatched. Meanwhile, users are advised by the experts to get an update to version 3.5.3.

Read more »
Wordpress Vulnerability
hacker news IT Security News Vulnerability Wordpress Vulnerability

Latest WordPress version 3.5.1 vulnerable to Denial of Service

A security researcher Krzysztof Katowicz-Kowalewski has discovered a critical DOS vulnerability in the latest version of Wordpress (v3.5.1) that allows cybercriminals to cause Denial of service.

The security flaw is "caused due to an error when calculating the hash cycle count within the "crypt_private()" method in /wp-includes/class-phpass.php" according to Secunia report.

By sending specially crafted password cookie, an attacker can cause damage to the website. However, the exploit is limited to those websites who have at least one password protected post and the attacker should have the knowledge of the URL for that post.

Secunia has confirmed the vulnerability existence in latest version 3.5.1. Previous version might also be impacted by the security bug.

The researcher has informed the Wordpress security Team about the security flaw, but since he didn't receive any response from them , he decided to disclose the bug.
Read more »
Wordpress Vulnerability
Breaking News IT Security News Vulnerability Web Application Vulnerability Wordpress Vulnerability

W3 Total Cache vulnerability allows hacker to steal password and db info


Jason A. Donenfeld has discovered a Critical vulnerability in one of the famous wordpress plugin "W3 Total Cache".  The plugin helps to improve the user experience of your site by improving your server performance, caching every aspect of your site.

The cache data is stored in public accessible directory, which means a malicious hacker can browse and download the password hashes and other database information.

A simple Google search for "inurl:wp-content/plugins/w3tc/dbcache" returns the list of word press affected by this vulnerability.

According to Jason, the cache files are by default publicly downloadable, and the key values / file names of the database cache items are easily predictable, even with directory listing off.

He also published a simple shell script to identify and exploit this bug:
http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh

Wordpress users are advised to either upgrade the plugin to new version or deny access to plugin directory by making an extra .htccess in that folder.
Read more »
Wordpress Vulnerability
IT Security News Vulnerability Web Application Vulnerability Wordpress Vulnerability

WordPress Pingback Vulnerability Can Be Leveraged in DDoS Attacks


A pingback security bug exists in the Wordpress blogging platform may be exploited to launch distributed denial-of-service (DDoS) attacks, according to web application security firm Acunetix.

The vulnerability is exploitable through the platform’s XMLRPC API (through XMLRPC.PHP).

A malicious hacker can spoof a pingback to a specific blog in order to guess hosts inside each network they target, port scan those hosts, reconfigure internal routers or simply launch DDoS attacks.

The team successfully implemented an Acunetix WVS script to test this security flaw. This script will try to resolve various common internal hosts and try to connect to common ports. In the end, it will report the successful attempts.
Read more »
Subscribe to: Comments (Atom)