24 Apr, 2026

WordPress plugin suite hacked to push malware to thousands of sites

More than 30 WordPress plugins in the EssentialPlugin package have been compromised with malicious code that allows unauthorized access to websites running them. A malicious actor planted the backdoor code last year but only recently started pushing it to users via updates, generating spam pages and causing redirects, as per the instructions received from the […]

2 mins read

Smart Slider updates hijacked to push malicious WordPress, Joomla versions

Hackers hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla, and pushed a malicious version with multiple backdoors. The developer says that only the Pro version 3.5.1.35 of the plugin is affected and recommends switching immediately to the latest version, currently 3.5.1.36, or 3.5.1.34 and earlier. Apart from installing backdoors in […]

4 mins read

Hackers exploit critical flaw in Ninja Forms WordPress plugin

A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows uploading arbitrary files without authentication, which can lead to remote code execution. Identified as CVE-2026-0740, the issue is currently exploited in attacks. According to WordPress security company Defiant, its Wordfence firewall blocked more than 3,600 attacks over the past 24 hours. With over 600,000 downloads, […]

2 mins read

File read flaw in Smart Slider plugin impacts 500K WordPress sites

A vulnerability in the Smart Slider 3 WordPress plugin, active on more than 800,000 websites, can be exploited to allow subscriber-level users access to arbitrary files on the server. An authenticated attacker could use it to access sensitive files, such as wp-config.php, which includes database credentials, keys, and salt data, creating the risk for user data theft […]

2 mins read

SQLi flaw in Elementor Ally plugin impacts 250k+ WordPress sites

An SQL injection vulnerability in Ally, a WordPress plugin from Elementor for web accessibility and usability with more than 400,000 installations, could be exploited to steal sensitive data without authentication. The security issue, tracked as CVE-2026-2413, received a high severity score. It was discovered by Drew Webber (mcdruid), an offensive security engineer at Acquia, a software-as-a-service company […]

2 mins read

WordPress membership plugin bug exploited to create admin accounts

Hackers are exploiting a critical vulnerability in the User Registration & Membership plugin, which is installed on more than 60,000 WordPress sites. Developed by WPEverest, the plugin provides membership and user registration management features, including custom forms, payment integrations with PayPal and Stripe, bank transfers, and analytics. The security vulnerability is tracked as CVE-2026-1492 and […]

1 min read

WordPress plugin with 900k installs vulnerable to critical RCE flaw

A critical vulnerability in the WPvivid Backup & Migration plugin for WordPress, installed on more than 900,000 websites, can be exploited to achieve remote code execution by uploading arbitrary files without authentication. The security issue is tracked as CVE-2026-1357 and received a severity score of 9.8. It impacts all versions of the plugin up to 0.9.123 and could lead […]

2 mins read

ACF plugin bug gives hackers admin on 50,000 WordPress sites

A critical-severity vulnerability in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress can be exploited remotely by unauthenticated attackers to obtain administrative permissions. ACF Extended, currently active on 100,000 websites, is a specialized plugin that extends the capabilities of the Advanced Custom Fields (ACF) plugin with features for developers and advanced site builders. […]

2 mins read

Hackers exploit Modular DS WordPress plugin flaw for admin access

Hackers are actively exploiting a maximum severity flaw in the Modular DS WordPress plugin that allows them to bypass authentication remotely and access the vulnerable sites with admin-level privileges. The flaw, tracked as CVE-2026-23550, affects versions 2.5.1 and older of Modular DS, a management plugin that allows managing multiple WordPress sites from a single interface. The plugin lets […]

2 mins read

Critical flaw in WordPress add-on for Elementor exploited in attacks

Attackers are exploiting a critical-severity privilege escalation vulnerability (CVE-2025-8489) in the King Addons for Elementor plugin for WordPress, which lets them obtain administrative permissions during the registration process. The threat activity started on October 31, just a day after the issue was publicly disclosed. So far, the Wordfence security scanner from Defiant, a company that provides […]

2 mins read