WordPress Archives - Cyber Security Minute

Unveiling the Balada injector: a malware epidemic in WordPress

Issued by: Security Affairs

A deadly cyber campaign has been working silently to undermine website security by exploiting popular WordPress plugins — infiltrating over a million websites and leaving administrators scrambling for solutions. In April 2023, Bleeping Computer and other tech outlets like TechRadar began circulating reports of cybercriminals successfully hacking WordPress websites. They were able to gain access…

Network Security

Hackers are actively exploiting a flaw in the Elementor Pro WordPress plugin

Issued by: Security Affairs

WordPress security firm PatchStack warns of a high-severity vulnerability in the Elementor Pro WordPress plugin that is currently being exploited by threat actors in the wild. Elementor Pro is a paid plugin that is currently installed on over 11 million websites, it allows users to easily create WordPress websites. This vulnerability was reported on March…

Vulnerabilities

WordPress Security Update 6.0.3 Patches 16 Vulnerabilities

Issued by: Security Week

WordPress 6.0.3 fixes nine stored and reflected cross-site scripting (XSS) vulnerabilities, as well as open redirect, data exposure, cross-site request forgery (CSRF), and SQL injection flaws. WordPress security company Defiant has shared a description of each vulnerability. Four of them have a ‘high severity’ rating, and the rest have ‘medium’ or ‘low’ severity. “We have…

Malware & Threats

Malware Infects Magento-Powered Stores via FishPig Distribution Server

Issued by: Security Week

Specialized in Magento optimizations and Magento-WordPress integrations, FishPig offers various Magento extensions that have gathered over 200,000 downloads. On Tuesday, FishPig warned of an intrusion to its extension license system, which resulted in a threat actor injecting malicious PHP code into the Helper/License.php file. “This file is included in most FishPig extensions so it is…

Vulnerabilities

Vulnerability in BackupBuddy Plugin Exploited to Hack WordPress Sites

Issued by: Security Week

The BackupBuddy plugin, which has roughly 140,000 active installations, is meant to help WordPress site administrators easily manage their backup operations. The plugin allows users to store the backups to various online and local destinations. Tracked as CVE-2022-31474 (CVSS score of 7.5), the exploited vulnerability exists because of an insecure method of downloading the backups…

Vulnerabilities

WordPress 6.0.2 Patches Vulnerability That Could Impact Millions of Legacy Sites

Issued by: Security Week

Identified in the WordPress Link functionality, previously known as ‘Bookmarks’, the issue only impacts older installations, as the capability is disabled by default on new installations. However, the functionality might still be enabled on millions of legacy WordPress sites even if they are running newer versions of the CMS, the Wordfence team at WordPress security…

Malware & Threats

Malicious Plugins Found on 25,000 WordPress Websites: Study

Issued by: Security Week

An analysis of nightly backups of more than 400,000 unique web servers has revealed the existence of more than 47,000 malicious plugins installed on nearly 25,000 unique WordPress websites. More than 94% of these plugins (over 44,000) continue to be in use today. Over 3,600 of the identified malicious plugins were purchased from legitimate marketplaces…

Vulnerabilities

Critical Vulnerability in Elementor Plugin Impacts Millions of WordPress Sites

Issued by: Security Week

Elementor is a drag-and-drop website builder for WordPress that has more than 5 million installations. Considered critical, the newly addressed vulnerability was apparently introduced on March 22, in version 3.6.0 of the plugin. Roughly one-third of websites were running a vulnerable version when the bug was found. Researchers with Plugin Vulnerabilities, who identified the flaw,…

Vulnerabilities

WordPress 5.8.1 Patches Several Vulnerabilities

Issued by: Security Week

Users have been informed that the latest update includes three security fixes, including for a data exposure flaw related to the REST API, and a cross-site scripting (XSS) issue in the block editor. WordPress 5.8.1 also updates Lodash, a JavaScript library that provides utility functions for common programming tasks, to address security issues. These vulnerabilities…

Vulnerabilities

Critical WooCommerce Vulnerability Targeted Hours After Patch

Issued by: Security Week

WooCommerce is a popular open-source eCommerce plugin for WordPress, with more than 5 million installations to date, making it an attractive target for cybercriminals. On Thursday, WooCommerce said that on July 13 it received a report of a critical vulnerability in the plugin, urging users to update their installations as soon as possible, but without…