-
Critical flaw in WordPress add-on for Elementor exploited in attacks
Attackers are exploiting a critical-severity privilege escalation vulnerability (CVE-2025-8489) in the King Addons for Elementor plugin for WordPress, which lets them obtain administrative permissions during the registration process.
- December 03, 2025
- 04:31 PM
0
-
W3 Total Cache WordPress plugin vulnerable to PHP command injection
A critical flaw in the W3 Total Cache (W3TC) WordPress plugin can be exploited to run PHP commands on the server by posting a comment that contains a malicious payload.
- November 19, 2025
- 12:34 PM
1
-
New Webinar: Choose Your Own Investigation — Browser Attack Edition
Modern attacks have shifted focus to the browser, yet detection tools remain largely blind to the crucial activity happening there.
Join Push Security on February 11th for an interactive "choose-your-own-adventure" webinar on ClickFix, credential phishing, and other in-browser attacks we've observed in the wild.
-
Hackers exploit WordPress plugin Post SMTP to hijack admin accounts
Threat actors are actively exploiting a critical vulnerability in the Post SMTP plugin installed on more than 400,000 WordPress sites, to take complete control by hijacking administrator accounts.
- November 04, 2025
- 04:46 PM
- 1
-
WordPress security plugin exposes private data to site subscribers
The Anti-Malware Security and Brute-Force Firewall plugin for WordPress, installed on over 100,000 sites, has a vulnerability that allows subscribers to read any file on the server, potentially exposing private information.
- October 29, 2025
- 04:44 PM
- 1
-
Hackers launch mass attacks exploiting outdated WordPress plugins
A widespread exploitation campaign is targeting WordPress websites with GutenKit and Hunk Companion plugins vulnerable to critical-severity, old security issues that can be used to achieve remote code execution (RCE).
- October 24, 2025
- 03:28 PM
- 0
-
Post SMTP plugin flaw exposes 200K WordPress sites to hijacking attacks
More than 200,000 WordPress websites are using a vulnerable version of the Post SMTP plugin that allows hackers to take control of the administrator account.
- July 26, 2025
- 10:17 AM
- 0
-
WordPress Gravity Forms developer hacked to push backdoored plugins
The popular WordPress plugin Gravity Forms has been compromised in what seems a supply-chain attack where manual installers from the official website were infected with a backdoor.
- July 11, 2025
- 03:30 PM
- 0
-
Forminator plugin flaw exposes WordPress sites to takeover attacks
The Forminator plugin for WordPress is vulnerable to an unauthenticated arbitrary file deletion flaw that could enable full site takeover attacks.
- July 02, 2025
- 11:38 AM
- 0
-
Linux Foundation unveils decentralized WordPress plugin manager
A collective of former WordPress developers and contributors backed by the Linux Foundation has launched the FAIR Package Manager, a new and independent distribution system for trusted WordPress plugins and themes.
- June 09, 2025
- 02:07 PM
- 1
-
WordPress plugin disguised as a security tool injects backdoor
A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.
- April 30, 2025
- 05:05 PM
- 0
-
WooCommerce admins targeted by fake security patches that hijack sites
A large-scale phishing campaign targets WooCommerce users with a fake security alert urging them to download a "critical patch" that adds a Wordpress backdoor to the site.
- April 26, 2025
- 10:09 AM
- 0
-
WordPress security plugin WP Ghost vulnerable to remote code execution bug
Popular WordPress security plugin WP Ghost is vulnerable to a critical severity flaw that could allow unauthenticated attackers to remotely execute code and hijack servers.
- March 20, 2025
- 10:58 AM
- 0
-
Critical zero-days impact premium WordPress real estate plugins
The RealHome theme and the Easy Real Estate plugins for WordPress are vulnerable to two critical severity flaws that allow unauthenticated users to gain administrative privileges.
- January 22, 2025
- 05:59 PM
- 1
-
WP3.XYZ malware attacks add rogue admins to 5,000+ WordPress sites
A new malware campaign has compromised more than 5,000 WordPress sites to create admin accounts, install a malicious plugin, and steal data.
- January 14, 2025
- 03:54 PM
- 3
-
Premium WPLMS WordPress plugins address seven critical flaws
Two WordPress plugins required by the premium WordPress WPLMS theme, which has over 28,000 sales, are vulnerable to more than a dozen critical-severity vulnerabilities.
- December 23, 2024
- 11:59 AM
- 0
-
Hunk Companion WordPress plugin exploited to install vulnerable plugins
Hackers are exploiting a critical vulnerability in the "Hunk Companion" plugin to install and activate other plugins with exploitable flaws directly from the WordPress.org repository.
- December 11, 2024
- 06:28 PM
- 1
-
WPForms bug allows Stripe refunds on millions of WordPress sites
A vulnerability in WPForms, a WordPress plugin used in over 6 million websites, could allow subscriber-level users to issue arbitrary Stripe refunds or cancel subscriptions.
- December 10, 2024
- 03:00 PM
- 1
-
Security plugin flaw in millions of WordPress sites gives admin access
A critical authentication bypass vulnerability has been discovered impacting the WordPress plugin 'Really Simple Security' (formerly 'Really Simple SSL'), including both free and Pro versions.
- November 17, 2024
- 10:19 AM
- 0
-
LiteSpeed Cache WordPress plugin bug lets hackers get admin access
The free version of the popular WordPress plugin LiteSpeed Cache has fixed a dangerous privilege elevation flaw on its latest release that could allow unauthenticated site visitors to gain admin rights.
- October 31, 2024
- 12:19 PM
- 1
-
Over 6,000 WordPress sites hacked to install plugins pushing infostealers
WordPress sites are being hacked to install malicious plugins that display fake software updates and errors to push information-stealing malware.
- October 21, 2024
- 01:53 PM
- 0
