Plugin
WordPress Gravity Forms developer hacked to push backdoored plugins
The popular WordPress plugin Gravity Forms has been compromised in what appears to be a supply-chain attack, in which manual installers downloaded from the official website were infected with a backdoor. Gravity Forms is a premium plugin for creating contact, payment, and other online forms. Based on statistics from the vendor, the product is installed on around one […]
Forminator plugin flaw exposes WordPress sites to takeover attacks
The Forminator plugin for WordPress is vulnerable to an unauthenticated arbitrary file deletion flaw that could enable full site takeover attacks. The security issue is tracked as CVE-2025-6463 and is rated high severity (CVSS score 8.8). It impacts all versions of Forminator up to and including 1.44.2. Forminator Forms is a plugin developed by WPMU DEV. It offers a […]
Linux Foundation unveils decentralized WordPress plugin manager
A collective of former WordPress developers and contributors backed by the Linux Foundation has launched the FAIR Package Manager, a new and independent distribution system for trusted WordPress plugins and themes. The launch is a response to the recent controversy over the legal conflict between commercial WordPress hosting providers Automattic and WP Engine, after the former banned the […]
WordPress plugin disguised as a security tool injects backdoor
A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it. According to Wordfence researchers, the malware provides attackers with persistent access, remote code execution, and JavaScript injection. At the same time, it remains hidden from the plugin dashboard to evade detection. […]
WooCommerce admins targeted by fake security patches that hijack sites
A large-scale phishing campaign targets WooCommerce users with a fake security alert urging them to download a “critical patch” that actually adds a WordPress backdoor to the site. Recipients who take the bait and download the update are installing a malicious plugin that creates a hidden admin account on their website, downloads web shell payloads, and maintains […]
Popular WordPress security plugin WP Ghost vulnerable to RCE bug
Popular WordPress security plugin WP Ghost is vulnerable to a critical severity flaw that could allow unauthenticated attackers to remotely execute code and hijack servers. WP Ghost is a popular security add-on used in over 200,000 WordPress sites that claims to stop 140,000 hacker attacks and over 9 million brute-forcing attempts every month. It also […]
Critical zero-days impact premium WordPress real estate plugins
The RealHome theme and the Easy Real Estate plugins for WordPress are vulnerable to two critical severity flaws that allow unauthenticated users to gain administrative privileges. Although the two flaws were discovered in September 2024 by Patchstack, and multiple attempts were made to contact the vendor (InspiryThemes), the researchers say they have not received a response. […]
WP3.XYZ malware attacks add rogue admins to 5,000+ WordPress sites
A new malware campaign has compromised more than 5,000 WordPress sites to create admin accounts, install a malicious plugin, and steal data. Researchers at web-script security company c/side discovered, during an incident response engagement for one of their clients, that the malicious activity uses the wp3[.]xyz domain to exfiltrate data, but they have yet to determine the initial […]
Premium WPLMS WordPress plugins address seven critical flaws
Two WordPress plugins required by the premium WordPress WPLMS theme, which has over 28,000 sales, are vulnerable to more than a dozen critical severity vulnerabilities. The bugs could enable a remote, unauthenticated attacker to upload arbitrary files to the server, execute code, escalate privileges to administrator level, and perform SQL injections. The WPLMS theme is a learning management […]
Hunk Companion WordPress plugin exploited to install vulnerable plugins
Hackers are exploiting a critical vulnerability in the “Hunk Companion” plugin to install and activate other plugins with exploitable flaws directly from the WordPress.org repository. By installing outdated plugins with known vulnerabilities and publicly available exploits, the attackers gain access to a large pool of flaws that lead to remote code execution (RCE), SQL injection, cross-site scripting (XSS) […]