-->
#1 Trusted Cybersecurity News Platform
Followed by 5.70+ million
The Hacker News Logo
Get the Latest News
cybersecurity

Website Security | Breaking Cybersecurity News | The Hacker News

Category — Website Security
Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites

Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites

Jul 10, 2026 Cybercrime / Website Security
A cybercrime crew left one of its own servers wide open on the internet for three weeks, and it exposed the operation's inner workings: the hacking tools, the activity logs, and target lists naming more than 1.4 million websites. Far fewer were actually broken into, but the exposed files showed researchers how a mass site-hacking operation runs from the inside. The operation, now tracked as WP-SHELLSTORM , is what  SOCRadar  calls a webshell access brokerage: a crew that breaks into sites at scale, plants a hidden backdoor (a "webshell") on each, and packages that access for resale. The strongest activity hit WordPress sites running out-of-date plugins. If you run WordPress or Joomla, the two flaws that mattered most were in the Breeze caching plugin and Joomla's JCE editor; skip to the checklist below if that's you. A forgotten server Two teams dug into the same exposed folder. SOCRadar's threat intelligence team spotted it on June 11, 2026, on a U...
Popular WordPress Plugin Scripts Tampered to Plant Hidden Backdoors on Sites

Popular WordPress Plugin Scripts Tampered to Plant Hidden Backdoors on Sites

Jun 15, 2026 Web Security / Supply Chain Attack
An attacker tampered with trusted JavaScript files used by WordPress sites running PushEngage , OptinMonster , and TrustPulse , turning those files into a way to break into the sites. When a site administrator was logged in as the file loaded, the code created an admin account under the attacker's control and installed a hidden plugin that opened a way back in. Ordinary visitors did not trigger it. Any site that was hit should be treated as compromised. All three plugins are run by one company, Awesome Motive, which had not commented on the two larger plugins as of June 15. Security firm Sansec disclosed the wider campaign on June 13, finding the same malicious code in JavaScript served for all three plugins. PushEngage followed a day later with its own incident notice , confirming an attacker had served tampered copies of its script and that sites loading them could be taken over. PushEngage, acquired by Awesome Motive years ago, is so far the only one of the three to ...
Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts

Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts

Jun 01, 2026 Vulnerability / Website Security,
Threat actors are attempting to actively exploit a critical security flaw impacting WP Maps Pro , a WordPress plugin that has had over 15,000 sales on the Envato Market, to create malicious administrator accounts on susceptible sites. WP Maps Pro allows site owners to embed customizable Google Maps and OpenStreetMap with markers, listings, and advanced location features on WordPress sites. It is used as a store locator tool, making it easier for users to find nearby locations, view listing details, and get directions. The vulnerability in question is CVE-2026-8732 (CVSS score: 9.8), a privilege escalation bug that allows unauthenticated attackers to create a WordPress user with administrative permissions, effectively allowing them to take control of a site. The shortcoming impacts all versions of the plugin prior to and including 6.1.0. It has been addressed in version 6.1.1. Security researcher David Brown has been credited with discovering and reporting the flaw. At a high ...
cyber security

Take the AI Sprawl CISO Survey. Get fast track to BlackHat swag

websiteRecoAI Security / SaaS Security
Answer questions on AI sprawl. First access to the peer benchmark report.
cyber security

Zscaler ThreatLabz 2026 VPN Risk Report with Cybersecurity Insiders

websiteZscalerAI Security / Network Security
VPN Risk Report reveals attackers using AI to move at machine speed, leaving legacy VPNs exposed.
Drupal to Release Urgent Core Security Updates on May 20, Sites Told to Prepare

Drupal to Release Urgent Core Security Updates on May 20, Sites Told to Prepare

May 19, 2026 Vulnerability / Website Security
Drupal has issued an alert stating that it intends to release a "core security release" for all supported branches on May 20, 2026, from 5-9 p.m. UTC. "The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days," the maintainers of the PHP-based content management system (CMS) said . "Not all configurations are affected. Reserve time on May 20 during the release window to determine whether your sites are affected and in need of an immediate update. Mitigation information will be included in the advisory." It's being advised to update to the latest supported patch for the site's version of Drupal before the deadline so that any outstanding upgrade issues can be addressed. Patches are expected to be available for the following supported branches of Drupal core - 11.3.x 11.2.x 10.6.x 10.5.x "Sites on one of these supported versions should updat...
⚡ Top Stories This Week
Expert Insights Articles Videos
Cybersecurity Resources