18 Jun 2019

Disgruntled security firm discloses zero-days in Facebook’s WordPress plugins

A security firm holding a grudge against WordPress recently released proof-of-concept (PoC) code for two zero-days affecting two official Facebook plugins for WordPress. The impacted plugins are “Messenger Customer Chat” (20,000 installations) and “Facebook for WooCommerce” (200,000 installations). The flaws are tricky to exploit, but can enable threat actors to

Read More
11 Apr 2019

Mailgun hacked part of massive attack on WordPress sites

Threat actors on Wednesday launched a massive hacking campaign targeting WordPress websites that use the Yuzo Related Posts plugin, a recently discontinued plugin that is vulnerable to a cross-site scripting (XSS) attack. The flaw allows attackers to inject malicious code into legitimate websites that will cause users to get redirected

Read More
05 Mar 2019

WordPress accounted for 90 percent of all hacked CMS sites in 2018

A new study by Sucuri highlights the security shortcomings of e-commerce and other websites. According to the report, the vast majority of e-commerce websites using PrestaShop, OpenCart, Joomla or Magento that were hacked in 2018, were vulnerable to attacks because they ran outdated versions of these popular content management systems

Read More
21 Jan 2019

Ex-Employee Hacks WPML WordPress Plugin Site and Spams Users

The website of the WordPress Multilingual Plugin (WPML) has been hacked by an ex-employee over the weekend. As part of the attack, the threat actor sent an email to the 600,000 WPML customers claiming that the plugin for multilingual website support is riddled with “ridiculous security holes”, which caused two of

Read More
07 Dec 2018

Infected WordPress Sites Are Attacking Other WordPress Sites

“WordPress sites are being targeted in a series of attacks tied to a 20,000 botnet-strong army of infected WordPress websites. Behind the WordPress-on-WordPress assault is a widespread brute-force password attack leveraged through a Russian proxy provider and targeting a developer application program interface (API). The attacks, first identified by the

Read More