Media File Manager plugin for WordPress exploited

And yet another WordPress commercial plugin gets exploited in the wild, as Wordfence security analysts identified attackers exploiting vulnerabilities in outdated versions of a commercial WordPress plugin since the end of january. In this case the fairly popular WP Cost Estimation & Payment Forms Builder plugin developed by Loopus…

The Rich Reviews plugin was removed from the WordPress.org directory on March 11, 2019. This was done due to a security issue. It appears that there is still active abuse of the XSS vulnerability found in the plugin. Wordfence estimates that the plugin has around 16,000 active installations. These…

The popular GDPR Cookie Consent plugin, which has been downloaded over 700.000 times, was temporarily removed from the WordPress.org plugin repository earlier this week after the developer was notified of a critical bug. Two days later (on February 10) a new version 1.8.3 was released. This new version contains…

Researchers at Imperva have found that the overall number of new vulnerabilities in Content Management Systems in 2018 (17,142) has increased by 21% compared to 2017 (14,082) and by 159% compared to 2016 (6,615). WordPress-related vulnerabilities have exploded and have seen a staggering 300% increase in 2018 compared to…

WPBrigade, the developer behind the Simple Social Buttons plugin, have just released a fix to a critical vulnerability. This vulnerability allows an attacker to completely take over a website. Join Our Online Security and Hosting Newsletter Today and stay updated with the latest news, updates, releases & much more….

Ad Inserter is a popular WordPress plugin for managing advertisements. Last week it appeared that version 2.4.21 and below of the plugin contains two critical vulnerabilities. The developer has since released an update to patch the vulnerabilities. Users are advised to update as quickly as possible. Join Our Online…

Total Donations is a commercial plugin that helps sites create donation campaigns and accept payments from their visitors and is currently used by many non-profit and political organizations who want to accept donations from donors using a donation form. Attacks on the Total Donations plugins have been tracked over…

WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. This release addresses three issues, including two cross-site scripting vulnerabilities and a potential privilege escalation. Join Our Online Security and Hosting Newsletter Today and stay…

WordPress 4.7.2 was released last Thursday, January 26th. WordPress have just announced that In addition to the three security vulnerabilities mentioned in the original release post, WordPress 4.7 and 4.7.1 had one additional vulnerability for which disclosure was delayed. Join Our Online Security and Hosting Newsletter Today and stay…

WordPress 4.2.3 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately. Join Our Online Security and Hosting Newsletter Today and stay updated with the latest news, updates, releases & much more. Subscribe Email I agree…

Researchers have found a serious bug in the WP Live Chat Support plugin. This is the second time in six weeks that a vulnerability has been found in the plugin which is being used on thousands of WordPress websites. The latest bug allows hackers to inject their own code…

A vulnerability in a popular WordPress plugin called the WooCommerce Checkout Manager is potentially putting more than 60,000 websites at risk, researchers say. The WooCommerce Checkout Manager plugin allows WooCommerce users to customize and manage the fields on their checkout pages. The plugin, owned by Visser Labs, is separate…

Researchers have discovered authorization bypass bugs in three WordPress plugins, making a total of 400,000 WordPress websites vulnerable to cyber attacks. The affected plugins are InfiniteWP, WP Time Capsule and the WP Database Reset plugin. Join Our Online Security and Hosting Newsletter Today and stay updated with the latest…

A Cross-site scripting vulnerability was found in WordPress plugin spam-byebye with all versions up to version 2.2.1 reported vulnerable. It is possible to launch this attack remotely and it allows for the injection of arbitrary web scripts or HTML via unspecified vectors. This would alter the appearance and would…

A serious vulnerability has been discovered in older versions of the popular Code Snippets plugin for WordPress. The flaw allowed anybody to forge a request on behalf of an administrator and inject executable code on a vulnerable site. This is a Cross-Site Request Forgery (CSRF) to Remote Code Execution…