#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Insider Risk Management

WordPress | Breaking Cybersecurity News | The Hacker News

Hackers Exploiting LiteSpeed Cache Bug to Gain Full Control of WordPress Sites

Hackers Exploiting LiteSpeed Cache Bug to Gain Full Control of WordPress Sites
May 08, 2024 Web Security / Vulnerability
A high-severity flaw impacting the LiteSpeed Cache plugin for WordPress is being actively exploited by threat actors to create rogue admin accounts on susceptible websites. The  findings  come from WPScan, which said that the vulnerability ( CVE-2023-40000 , CVSS score: 8.3) has been leveraged to set up bogus admin users with the names wpsupp‑user and wp‑configuser. CVE-2023-40000, which was  disclosed  by Patchstack in February 2024, is a stored cross-site scripting (XSS) vulnerability that could permit an unauthenticated user to elevate privileges by means of specially crafted HTTP requests. The flaw was addressed in October 2023 in version 5.7.0.1. It's worth noting that the latest version of the plugin is 6.2.0.1, which was  released  on April 25, 2024. LiteSpeed Cache has over 5 million active installations, with statistics showing that versions other than 5.7, 6.0, 6.1, and 6.2 are still active on 16.8% of all websites. According to the Automattic-owned company, the ma

Android Malware Wpeeper Uses Compromised WordPress Sites to Hide C2 Servers

Android Malware Wpeeper Uses Compromised WordPress Sites to Hide C2 Servers
May 01, 2024 Malware / Android
Cybersecurity researchers have discovered a previously undocumented malware targeting Android devices that uses compromised WordPress sites as relays for its actual command-and-control (C2) servers for detection evasion. The malware, codenamed  Wpeeper , is an ELF binary that leverages the HTTPS protocol to secure its C2 communications. "Wpeeper is a typical backdoor Trojan for Android systems, supporting functions such as collecting sensitive device information, managing files and directories, uploading and downloading, and executing commands," researchers from the QiAnXin XLab team  said . The ELF binary is embedded within a repackaged application that purports to be the  UPtodown App Store  app for Android (package name "com.uptodown"), with the APK file acting as a delivery vehicle for the backdoor in a manner that evades detection. The Chinese cybersecurity firm said it discovered the malware after it detected a  Wpeeper artifact  with zero detection on t

Hackers Exploiting WP-Automatic Plugin Bug to Create Admin Accounts on WordPress Sites

Hackers Exploiting WP-Automatic Plugin Bug to Create Admin Accounts on WordPress Sites
Apr 26, 2024 Threat Intelligence / Cyber Attack
Threat actors are attempting to actively exploit a critical security flaw in the ValvePress Automatic plugin for WordPress that could allow site takeovers. The shortcoming, tracked as  CVE-2024-27956 , carries a CVSS score of 9.9 out of a maximum of 10. It impacts all versions of the plugin prior to 3.92.0. The issue has been resolved in version 3.92.1 released on February 27, 2024, although the release notes make no mention of it. "This vulnerability, a SQL injection (SQLi) flaw, poses a severe threat as attackers can exploit it to gain unauthorized access to websites, create admin‑level user accounts, upload malicious files, and potentially take full control of affected sites," WPScan  said  in an alert this week. According to the Automattic-owned company, the issue is rooted in the plugin's user authentication mechanism, which can be trivially circumvented to execute arbitrary SQL queries against the database by means of specially crafted requests. In the attack

Protecting Your Organization From Insider Threats - All You Need to Know

cyber security
websiteWing SecuritySaaS Security
Get practical insights and strategies to manage inadequate offboarding and insider risks effectively.

What's the Right EDR for You?

What's the Right EDR for You?
May 10, 2024Endpoint Security / Threat Detection
A guide to finding the right endpoint detection and response (EDR) solution for your business' unique needs. Cybersecurity has become an ongoing battle between hackers and small- and mid-sized businesses. Though perimeter security measures like antivirus and firewalls have traditionally served as the frontlines of defense, the battleground has shifted to endpoints. This is why endpoint detection and response (EDR) solutions now serve as critical weapons in the fight, empowering you and your organization to detect known and unknown threats, respond to them quickly, and extend the cybersecurity fight across all phases of an attack.  With the growing need to defend your devices from today's cyber threats, however, choosing the right EDR solution can be a daunting task. There are so many options and features to choose from, and not all EDR solutions are made with everyday businesses and IT teams in mind. So how do you pick the best solution for your needs? Why EDR Is a Must Because of

Sneaky Credit Card Skimmer Disguised as Harmless Facebook Tracker

Sneaky Credit Card Skimmer Disguised as Harmless Facebook Tracker
Apr 12, 2024 Web Security / WordPress
Cybersecurity researchers have discovered a credit card skimmer that's concealed within a fake  Meta Pixel tracker script  in an attempt to evade detection. Sucuri said that the malware is injected into websites through tools that allow for custom code, such as WordPress plugins like  Simple Custom CSS and JS  or the " Miscellaneous Scripts " section of the Magento admin panel. "Custom script editors are popular with bad actors because they allow for external third party (and malicious) JavaScript and can easily pretend to be benign by leveraging naming conventions that match popular scripts like Google Analytics or libraries like JQuery," security researcher Matt Morrow  said . The bogus Meta Pixel tracker script identified by the web security company contains similar elements as its legitimate counterpart, but a closer examination reveals the addition of JavaScript code that substitutes references to the domain "connect.facebook[.]net" with "

Critical Security Flaw Found in Popular LayerSlider WordPress Plugin

Critical Security Flaw Found in Popular LayerSlider WordPress Plugin
Apr 03, 2024 Web Security / Vulnerability
A critical security flaw impacting the LayerSlider plugin for WordPress could be abused to extract sensitive information from databases, such as password hashes. The flaw, designated as  CVE-2024-2879 , carries a CVSS score of 9.8 out of a maximum of 10.0. It has been described as a case of SQL injection impacting versions from 7.9.11 through 7.10.0. The issue has been addressed in version 7.10.1 released on March 27, 2024, following responsible disclosure on March 25. "This update includes important security fixes," the maintainers of LayerSlider  said  in their release notes. LayerSlider is a visual web content editor, a graphic design software, and a digital visual effects that allows users to create animations and rich content for their websites. According to its own site, the plugin is  used  by "millions of users worldwide." The flaw discovered in the tool stems from a case of insufficient escaping of user supplied parameters and the absence of  wpdb::pr

Massive Sign1 Campaign Infects 39,000+ WordPress Sites with Scam Redirects

Massive Sign1 Campaign Infects 39,000+ WordPress Sites with Scam Redirects
Mar 22, 2024 Web Security / Vulnerability
A massive malware campaign dubbed  Sign1  has compromised over 39,000 WordPress sites in the last six months, using malicious JavaScript injections to redirect users to scam sites. The most recent variant of the malware is estimated to have infected no less than 2,500 sites over the past two months alone, Sucuri said in a report published this week. The attacks entail injecting rogue JavaScript into legitimate HTML widgets and plugins that allow for arbitrary JavaScript and other code to be inserted, providing attackers with an opportunity to add their malicious code. The XOR-encoded JavaScript code is subsequently decoded and used to execute a JavaScript file hosted on a remote server, which ultimately facilitates redirects to a  VexTrio -operated traffic distribution system (TDS) but only if certain criteria are met. What's more, the malware uses time-based randomization to fetch dynamic URLs that change every 10 minutes to get around blocklists. These domains are registere

WordPress Admins Urged to Remove miniOrange Plugins Due to Critical Flaw

WordPress Admins Urged to Remove miniOrange Plugins Due to Critical Flaw
Mar 18, 2024 Website Security / Vulnerability
WordPress users of miniOrange's Malware Scanner and Web Application Firewall plugins are being urged to delete them from their websites following the discovery of a critical security flaw. The flaw, tracked as  CVE-2024-2172 , is rated 9.8 out of a maximum of 10 on the CVSS scoring system and discovered by Stiofan . It impacts the following versions of the two plugins - Malware Scanner  (versions <= 4.7.2) Web Application Firewall  (versions <= 2.1.1) It's worth noting that the plugins have been permanently closed by the maintainers as of March 7, 2024. While Malware Scanner has over 10,000 active installs, Web Application Firewall has more than 300 active installations. "This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password," Wordfence  reported  last week.  The issue is the result of a missing capability check in the function mo_wpns_init() that enables an unau

Malware Campaign Exploits Popup Builder WordPress Plugin to Infect 3,900+ Sites

Malware Campaign Exploits Popup Builder WordPress Plugin to Infect 3,900+ Sites
Mar 12, 2024 WordPress / Website Security
A new malware campaign is leveraging a high-severity security flaw in the Popup Builder plugin for WordPress to inject malicious JavaScript code. According to Sucuri, the campaign has  infected more than 3,900 sites  over the past three weeks. "These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024," security researcher Puja Srivastava  said  in a report dated March 7. Infection sequences involve the exploitation of CVE-2023-6000, a security vulnerability in Popup Builder that could be exploited to create rogue admin users and install arbitrary plugins. The shortcoming was exploited as part of a  Balada Injector campaign  earlier this January, compromising no less than 7,000 sites. The latest set of attacks lead to the injection of malicious code, which comes in two different variants and is designed to redirect site visitors to other sites such as phishing and scam pages. WordPress site owners are reco

Hacked WordPress Sites Abusing Visitors' Browsers for Distributed Brute-Force Attacks

Hacked WordPress Sites Abusing Visitors' Browsers for Distributed Brute-Force Attacks
Mar 07, 2024 Vulnerability / Web Security
Threat actors are conducting brute-force attacks against WordPress sites by leveraging malicious JavaScript injections, new findings from Sucuri reveal. The attacks, which take the form of distributed brute-force attacks, "target WordPress websites from the browsers of completely innocent and unsuspecting site visitors," security researcher Denis Sinegubko  said . The activity is part of a  previously documented attack wave  in which compromised WordPress sites were used to inject crypto drainers such as Angel Drainer directly or redirect site visitors to Web3 phishing sites containing drainer malware. The latest iteration is notable for the fact that the injections – found on  over 700 sites  to date – don't load a drainer but rather use a list of common and leaked passwords to brute-force other WordPress sites. The attack unfolds over five stages, enabling a threat actor to take advantage of already compromised websites to launch distributed brute-force attacks against other po

WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk

WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk
Feb 27, 2024 Vulnerability / Website Security
A security vulnerability has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable unauthenticated users to escalate their privileges. Tracked as  CVE-2023-40000 , the vulnerability was addressed in October 2023 in version 5.7.0.1. "This plugin suffers from unauthenticated site-wide stored [cross-site scripting] vulnerability and could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request," Patchstack researcher Rafie Muhammad  said . LiteSpeed Cache , which is used to improve site performance, has more than five million installations. The latest version of the plugin is 6.1, which was released on February 5, 2024. The WordPress security company said CVE-2023-40000 is the result of a lack of user input sanitization and  escaping output . The vulnerability is rooted in a function named update_cdn_status() and can be reproduced in a default

WordPress Plugin Alert - Critical SQLi Vulnerability Threatens 200K+ Websites

WordPress Plugin Alert - Critical SQLi Vulnerability Threatens 200K+ Websites
Feb 27, 2024 Website Security / Cryptojacking
A critical security flaw has been disclosed in a popular WordPress plugin called  Ultimate Member  that has more than 200,000 active installations. The vulnerability, tracked as CVE-2024-1071, carries a CVSS score of 9.8 out of a maximum of 10. Security researcher Christiaan Swiers has been credited with discovering and reporting the flaw. In an advisory published last week, WordPress security company Wordfence  said  the plugin is "vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query." As a result, unauthenticated attackers could take advantage of the flaw to append additional SQL queries into already existing queries and extract sensitive data from the database. It's worth noting that the issue only affects users who have checked the "Enable custom table for usermeta" option in the plugin settings.

WordPress Bricks Theme Under Active Attack: Critical Flaw Impacts 25,000+ Sites

WordPress Bricks Theme Under Active Attack: Critical Flaw Impacts 25,000+ Sites
Feb 20, 2024 Website Security / PHP Code
A critical security flaw in the Bricks theme for WordPress is being actively exploited by threat actors to run arbitrary PHP code on susceptible installations. The flaw, tracked as CVE-2024-25600 (CVSS score: 9.8), enables unauthenticated attackers to achieve remote code execution. It impacts all versions of the Bricks up to and including 1.9.6. It has been addressed by the theme developers in  version 1.9.6.1  released on February 13, 2024, merely days after WordPress security provider Snicco reported the flaw on February 10. While a proof-of-concept (PoC) exploit has not been released, technical details have been  released  by both Snicco and Patchstack, noting that the underlying vulnerable code exists in the prepare_query_vars_from_settings() function. Specifically, it concerns the use of security tokens called "nonces" for verifying permissions, which can then be used to pass arbitrary commands for execution, effectively allowing a threat actor to seize control of a

Russian Turla Hackers Target Polish NGOs with New TinyTurla-NG Backdoor

Russian Turla Hackers Target Polish NGOs with New TinyTurla-NG Backdoor
Feb 15, 2024 Malware / Cyber Espionage
The Russia-linked threat actor known as Turla has been observed using a new backdoor called  TinyTurla-NG  as part of a three-month-long campaign targeting Polish non-governmental organizations in December 2023. "TinyTurla-NG, just like TinyTurla, is a small 'last chance' backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems," Cisco Talos  said  in a technical report published today. TinyTurla-NG is so named for exhibiting similarities with TinyTurla, another implant used by the adversarial collective in intrusions aimed at the U.S., Germany, and Afghanistan since at least 2020. TinyTurla was  first documented  by the cybersecurity company in September 2021. Turla, also known by the names Iron Hunter, Pensive Ursa, Secret Blizzard (formerly Krypton), Snake, Uroburos, and Venomous Bear, is a Russian state-affiliated threat actor linked to the Federal Security Service (FSB

VexTrio: The Uber of Cybercrime - Brokering Malware for 60+ Affiliates

VexTrio: The Uber of Cybercrime - Brokering Malware for 60+ Affiliates
Jan 23, 2024 Malware / Cyber Threat
The threat actors behind ClearFake, SocGholish, and dozens of other e-crime outfits have established partnerships with another entity known as  VexTrio  as part of a massive "criminal affiliate program," new findings from Infoblox reveal. The latest development demonstrates the "breadth of their activities and depth of their connections within the cybercrime industry," the company said , describing VexTrio as the "single largest malicious traffic broker described in security literature." VexTrio, which is believed to be have been active since at least 2017, has been attributed to  malicious campaigns  that use domains generated by a dictionary domain generation algorithm ( DDGA ) to propagate scams, riskware, spyware, adware, potentially unwanted programs (PUPs), and pornographic content. This includes a 2022 activity cluster that  distributed the Glupteba malware  following an earlier attempt by Google to take down a significant chunk of its infrastru

Balada Injector Infects Over 7,100 WordPress Sites Using Plugin Vulnerability

Balada Injector Infects Over 7,100 WordPress Sites Using Plugin Vulnerability
Jan 15, 2024 Website Security / Vulnerability
Thousands of WordPress sites using a vulnerable version of the Popup Builder plugin have been compromised with a malware called  Balada Injector . First  documented  by Doctor Web in January 2023, the campaign takes place in a series of periodic attack waves, weaponizing security flaws in WordPress plugins to inject backdoor designed to redirect visitors of infected sites to bogus tech support pages, fraudulent lottery wins, and push notification scams. Subsequent  findings  unearthed by Sucuri have revealed the  massive scale of the operation , which is said to have been active since 2017 and infiltrated no less than 1 million sites since then. The GoDaddy-owned website security company, which  detected  the latest Balada Injector activity on December 13, 2023, said it identified the injections on  over 7,100 sites . These attacks take advantage of a high-severity flaw in Popup Builder ( CVE-2023-6000 , CVSS score: 8.8) – a plugin with  more than 200,000 active installs  – that

WordPress Releases Update 6.4.2 to Address Critical Remote Attack Vulnerability

WordPress Releases Update 6.4.2 to Address Critical Remote Attack Vulnerability
Dec 08, 2023 Vulnerability / Website Security
WordPress has released version 6.4.2 with a patch for a critical security flaw that could be exploited by threat actors by combining it with another bug to execute arbitrary PHP code on vulnerable sites. "A remote code execution vulnerability that is not directly exploitable in core; however, the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installations," WordPress  said . According to WordPress security company Wordfence, the  issue  is rooted in the WP_HTML_Token class that was introduced in version 6.4 to improve HTML parsing in the block editor. A threat actor with the ability to exploit a PHP object injection vulnerability present in any other plugin or theme to chain the two issues to execute arbitrary code and seize control of the targeted site. "If a  POP [property-oriented programming] chain  is present via an additional plugin or theme installed on the target system, it could all

NetSupport RAT Infections on the Rise - Targeting Government and Business Sectors

NetSupport RAT Infections on the Rise - Targeting Government and Business Sectors
Nov 20, 2023 Malware / Network Security
Threat actors are targeting the education, government and business services sectors with a remote access trojan called  NetSupport RAT . "The delivery mechanisms for the NetSupport RAT encompass fraudulent updates, drive-by downloads, utilization of malware loaders (such as  GHOSTPULSE ), and various forms of phishing campaigns," VMware Carbon Black researchers said in a report shared with The Hacker News. The cybersecurity firm said it detected no less than 15 new infections related to NetSupport RAT in the last few weeks.  While NetSupport Manager started off as a  legitimate remote administration tool  for technical assistance and support, malicious actors have misappropriated the tool to their own advantage, using it as a beachhead for subsequent attacks. NetSupport RAT is typically downloaded onto a victim's computer via deceptive websites and fake browser updates. In August 2022, Sucuri  detailed  a campaign in which compromised WordPress sites were being us

Beware: Malicious Google Ads Trick WinSCP Users into Installing Malware

Beware: Malicious Google Ads Trick WinSCP Users into Installing Malware
Nov 17, 2023 Malvertising / Malware
Threat actors are leveraging manipulated search results and bogus Google ads that trick users who are looking to download legitimate software such as WinSCP into installing malware instead. Cybersecurity company Securonix is tracking the ongoing activity under the name  SEO#LURKER . "The malicious advertisement directs the user to a compromised WordPress website gameeweb[.]com, which redirects the user to an attacker-controlled phishing site," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov  said  in a report shared with The Hacker News. The threat actors are believed to leverage Google's Dynamic Search Ads ( DSAs ), which automatically generates ads based on a site's content to serve the malicious ads that take the victims to the infected site. The ultimate goal of the complex multi-stage attack chain is to entice users into clicking on the fake, lookalike WinSCP website, winccp[.]net, and download the malware. "Traffic from the gaweeweb[.]com website to the fake

Binance's Smart Chain Exploited in New 'EtherHiding' Malware Campaign

Binance's Smart Chain Exploited in New 'EtherHiding' Malware Campaign
Oct 16, 2023 Blockchain / Malware
Threat actors have been observed serving malicious code by utilizing Binance's Smart Chain (BSC) contracts in what has been described as the "next level of bulletproof hosting." The campaign, detected two months ago, has been codenamed  EtherHiding  by Guardio Labs. The novel twist marks the latest iteration in an ongoing malware campaign that leverages compromised WordPress sites to serve unsuspecting visitors a fake warning to update their browsers before the sites can be accessed, ultimately leading to the deployment of information stealer malware such as Amadey, Lumma, or RedLine. "While their initial method of hosting code on abused Cloudflare Worker hosts was taken down, they've quickly pivoted to take advantage of the decentralized, anonymous, and public nature of blockchain," security researchers Nati Tal and Oleg Zaytsev  said . "This campaign is up and harder than ever to detect and take down." It's no surprise that threat act
Expert Insights
Cybersecurity Resources