Plugin
Avada Builder WordPress plugin flaws allow site credential theft
Two vulnerabilities in the Avada Builder plugin for WordPress, with an estimated one million active installations, allow hackers to read arbitrary files and extract sensitive information from the database. One of the flaws is tracked as CVE-2026-4782 and can be exploited in all versions of the plugin through 3.15.2 by an authenticated users with at […]
Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin
Hackers are leveraging a critical authentication bypass vulnerability in the WordPress plugin Burst Statistics to obtain admin-level access to websites. Burst Statistics is a privacy-focused analytics plugin active on 200,000 WordPress sites and marketed as a lightweight alternative to Google Analytics. The flaw, tracked as CVE-2026-8181, was introduced on April 23 with the release of […]
Official CheckMarx Jenkins package compromised with infostealer
Checkmarx warned over the weekend that a rogue version of its Jenkins Application Security Testing (AST) plugin had been published on the Jenkins Marketplace. The compromise was claimed by the TeamPCP hacker group, which initiated a spree of supply-chain attacks that included the Shai-Hulud campaigns on npm and the Trivy vulnerability scanner breach, resulting in the delivery of credential-stealing […]
Popular WordPress redirect plugin hid dormant backdoor for years
The Quick Page/Post Redirect plugin, installed on more than 70,000 WordPress sites, had a backdoor added five years ago that allows injecting arbitrary code into users’ sites. The malware was uncovered by Austin Ginder, the founder of WordPress hosting provider Anchor, who found it after 12 infected sites on his fleet triggered a security alert. Quick Page/Post Redirect […]
Hackers exploit file upload bug in Breeze Cache WordPress plugin
Hackers are actively exploiting a critical vulnerability in the Breeze Cache plugin for WordPress that allows uploading arbitrary files on the server without authentication. The security issue is tracked as CVE-2026-3844 and has been leveraged in more than 170 exploitation attempts by the Wordfence security solution for the WordPress ecosystem. The Breeze Cache WordPress caching […]
WordPress plugin suite hacked to push malware to thousands of sites
More than 30 WordPress plugins in the EssentialPlugin package have been compromised with malicious code that allows unauthorized access to websites running them. A malicious actor planted the backdoor code last year but only recently started pushing it to users via updates, generating spam pages and causing redirects, as per the instructions received from the […]
Smart Slider updates hijacked to push malicious WordPress, Joomla versions
Hackers hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla, and pushed a malicious version with multiple backdoors. The developer says that only the Pro version 3.5.1.35 of the plugin is affected and recommends switching immediately to the latest version, currently 3.5.1.36, or 3.5.1.34 and earlier. Apart from installing backdoors in […]
Hackers exploit critical flaw in Ninja Forms WordPress plugin
A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows uploading arbitrary files without authentication, which can lead to remote code execution. Identified as CVE-2026-0740, the issue is currently exploited in attacks. According to WordPress security company Defiant, its Wordfence firewall blocked more than 3,600 attacks over the past 24 hours. With over 600,000 downloads, […]
File read flaw in Smart Slider plugin impacts 500K WordPress sites
A vulnerability in the Smart Slider 3 WordPress plugin, active on more than 800,000 websites, can be exploited to allow subscriber-level users access to arbitrary files on the server. An authenticated attacker could use it to access sensitive files, such as wp-config.php, which includes database credentials, keys, and salt data, creating the risk for user data theft […]
SQLi flaw in Elementor Ally plugin impacts 250k+ WordPress sites
An SQL injection vulnerability in Ally, a WordPress plugin from Elementor for web accessibility and usability with more than 400,000 installations, could be exploited to steal sensitive data without authentication. The security issue, tracked as CVE-2026-2413, received a high severity score. It was discovered by Drew Webber (mcdruid), an offensive security engineer at Acquia, a software-as-a-service company […]