The Hacker News Logo
Subscribe to Newsletter

The Hacker News — Cyber Security and Hacking News Website: Wordpress hacking

Critical Unpatched Flaw Disclosed in WordPress WooCommerce Extension

Critical Unpatched Flaw Disclosed in WordPress WooCommerce Extension

April 26, 2019Swati Khandelwal
If you own an eCommerce website built on WordPress and powered by WooCommerce plugin, then beware of a new, unpatched vulnerability that has been made public and could allow attackers to compromise your online store. A WordPress security company—called " Plugin Vulnerabilities "—that recently gone rogue in order to protest against moderators of the WordPress’s official support forum has once again dropped details  and proof-of-concept exploit for a critical flaw in a widely-used WordPress plugin. To be clear, the reported unpatched vulnerability doesn't reside in the WordPress core or WooCommerce plugin itself. Instead, the vulnerability exists in a plugin , called WooCommerce Checkout Manager , that extends the functionality of WooCommerce by allowing eCommerce sites to customize forms on their checkout pages and is currently being used by more than 60,000 websites. The vulnerability in question is an "arbitrary file upload" issue that can be exploi
Hackers Actively Exploiting Widely-Used Social Share Plugin for WordPress

Hackers Actively Exploiting Widely-Used Social Share Plugin for WordPress

April 23, 2019Swati Khandelwal
Hackers have been found exploiting a pair of critical security vulnerabilities in one of the popular social media sharing plugins to take control over WordPress websites that are still running a vulnerable version of the plugin. The vulnerable plugin in question is Social Warfare which is a popular and widely deployed WordPress plugin with more than 900,000 downloads. It is used to add social share buttons to a WordPress website or blog. Late last month, maintainers of Social Warfare for WordPress released an updated version 3.5.3 of their plugin to patch two security vulnerabilities—stored cross-site scripting (XSS) and remote code execution (RCE)—both tracked by a single identifier, i.e., CVE-2019-9978 . Hackers can exploit these vulnerabilities to run arbitrary PHP code and take complete control over websites and servers without authentication, and then use the compromised sites to perform digital coin mining or host malicious exploit code. However, the same day when Soc
New WordPress Flaw Lets Unauthenticated Remote Attackers Hack Sites

New WordPress Flaw Lets Unauthenticated Remote Attackers Hack Sites

March 14, 2019Swati Khandelwal
If for some reason your WordPress-based website has not yet been automatically updated to the latest version 5.1.1, it's highly recommended to immediately upgrade it before hackers could take advantage of a newly disclosed vulnerability to hack your website. Simon Scannell, a researcher at RIPS Technologies GmbH, who previously reported multiple critical vulnerabilities in WordPress, has once again discovered a new flaw in the content management software (CMS) that could potentially lead to remote code execution attacks. The flaw stems from a cross-site request forgery (CSRF) issue in the Wordpress' comment section, one of its core components that comes enabled by default and affects all WordPress installations prior to version 5.1.1. Unlike most of the previous attacks documented against WordPress, this new exploit allows even an "unauthenticated, remote attacker" to compromise and gain remote code execution on the vulnerable WordPress websites. "
Critical Flaw Uncovered In WordPress That Remained Unpatched for 6 Years

Critical Flaw Uncovered In WordPress That Remained Unpatched for 6 Years

February 19, 2019Swati Khandelwal
Exclusive — If you have not updated your website to the latest WordPress version 5.0.3, it’s a brilliant idea to upgrade the content management software of your site now. From now, I mean immediately. Cybersecurity researchers at RIPS Technologies GmbH today shared their latest research with The Hacker News, revealing the existence of a critical remote code execution vulnerability that affects all previous versions of WordPress content management software released in the past 6 years. The remote code execution attack, discovered and reported to the WordPress security team late last year, can be exploited by a low privileged attacker with at least an "author" account using a combination of two separate vulnerabilities—Path Traversal and Local File Inclusion—that reside in the WordPress core. The requirement of at least an author account reduces the severity of this vulnerability to some extent, which could be exploited by a rogue content contributor or an attacker w
WordPress Update Breaks Automatic Update Feature—Apply Manual Update

WordPress Update Breaks Automatic Update Feature—Apply Manual Update

February 09, 2018Mohit Kumar
WordPress administrators are once again in trouble. WordPress version 4.9.3 was released earlier this week with patches for a total 34 vulnerabilities, but unfortunately, the new version broke the automatic update mechanism for millions of WordPress websites. WordPress team has now issued a new maintenance update, WordPress 4.9.4 , to patch this severe bug, which WordPress admins have to install manually. According to security site WordFence , when WordPress CMS tries to determine whether the site needs to install an updated version, if available, a PHP error interrupts the auto-update process. If not updated manually to the latest 4.9.4 version, the bug would leave your website on WordPress 4.9.3 forever, leaving it vulnerable to future security issues. Here's what WordPress lead developer Dion Hulse explained about the bug: "#43103-core aimed to reduce the number of API calls which get made when the auto-update cron task is run. Unfortunately, due to human e
Unpatched DoS Flaw Could Help Anyone Take Down WordPress Websites

Unpatched DoS Flaw Could Help Anyone Take Down WordPress Websites

February 05, 2018Mohit Kumar
A simple yet serious application-level denial of service (DoS) vulnerability has been discovered in WordPress CMS platform that could allow anyone to take down most WordPress websites even with a single machine—without hitting with a massive amount of bandwidth, as required in network-level DDoS attacks to achieve the same. Since the company has denied patching the issue, the vulnerability ( CVE-2018-6389 ) remains unpatched and affects almost all versions of WordPress released in last nine years, including the latest stable release of WordPress (Version 4.9.2). Discovered by Israeli security researcher Barak Tawily , the vulnerability resides in the way " load-scripts.php ," a built-in script in WordPress CMS, processes user-defined requests. For those unaware, load-scripts.php file has only been designed for admin users to help a website improve performance and load page faster by combining (on the server end) multiple JavaScript files into a single request. Howe
Hidden Backdoor Found In WordPress Captcha Plugin Affects Over 300,000 Sites

Hidden Backdoor Found In WordPress Captcha Plugin Affects Over 300,000 Sites

December 20, 2017Swati Khandelwal
Buying popular plugins with a large user-base and using it for effortless malicious campaigns have become a new trend for bad actors. One such incident happened recently when the renowned developer BestWebSoft sold a popular Captcha WordPress plugin to an undisclosed buyer, who then modified the plugin to download and install a hidden backdoor. In a blog post published on Tuesday, WordFence security firm revealed why WordPress recently kicked a popular Captcha plugin with more than 300,000 active installations out of its official plugin store. While reviewing the source code of the Captcha plugin, WordFence folks found a severe backdoor that could allow the plugin author or attackers to remotely gain administrative access to WordPress websites without requiring any authentication. The plugin was configured to automatically pull an updated "backdoored" version from a remote URL — https[://]simplywordpress[dot]net/captcha/captcha_pro_update.php — after installati
Unpatched Wordpress Flaw Could Allow Hackers To Reset Admin Password

Unpatched Wordpress Flaw Could Allow Hackers To Reset Admin Password

May 04, 2017Mohit Kumar
WordPress, the most popular CMS in the world, is vulnerable to a logical vulnerability that could allow a remote attacker to reset targeted users’ password under certain circumstances. The vulnerability (CVE-2017-8295) becomes even more dangerous after knowing that it affects all versions of WordPress — including the latest 4.7.4 version. The WordPress flaw was discovered by Polish security researcher Dawid Golunski of Legal Hackers last year in July and reported it to the WordPress security team, who decided to ignore this issue, leaving millions of websites vulnerable. "This issue has been reported to WordPress security team multiple times with the first report sent back in July 2016. It was reported both directly via security contact email, as well as via HackerOne website," Golunski wrote in an advisory published today. "As there has been no progress, in this case, this advisory is finally released to the public without an official patch." Golunski
Thousands of WordPress Sites Hacked Using Recently Disclosed Vulnerability

Thousands of WordPress Sites Hacked Using Recently Disclosed Vulnerability

February 08, 2017Swati Khandelwal
Last week, we reported about a critical zero-day flaw in WordPress that was silently patched by the company before hackers have had their hands on the nasty bug to exploit millions of WordPress websites. To ensure the security of millions of websites and its users, WordPress delayed the vulnerability disclosure for over a week and worked closely with security companies and hosts to install the patch, ensuring that the issue was dealt with in short order before it became public. But even after the company's effort to protect its customers, thousands of admins did not bother to update their websites, which are still vulnerable to the critical bug and has already been exploited by hackers. While WordPress includes a default feature that automatically updates unpatched websites, some admins running critical services disable this feature for first testing and then applying patches. Even the news blog of one of the famous Linux distribution OpenSUSE (news.opensuse.org) was
WordPress Security: Brute Force Amplification Attack Targeting Thousand of Blogs

WordPress Security: Brute Force Amplification Attack Targeting Thousand of Blogs

October 09, 2015Swati Khandelwal
Most of the times, we have reported about WordPress vulnerabilities involving vulnerable plugins, but this time security researchers have discovered Brute Force Amplification attacks on the most popular CMS (content management system) platform. Researchers from security firm Sucuri have found a way to perform Brute Force amplification attacks against WordPress' built-in XML-RPC feature to crack down administrator credentials. XML-RPC is one of the simplest protocols for securely exchanging data between computers across the Internet. It uses the system.multicall method that allows an application to execute multiple commands within one HTTP request. A number of CMS including WordPress and Drupal support XML-RPC. But… The same method has been abused to amplify their Brute Force attacks many times over by attempting hundreds of passwords within just one HTTP request, without been detected. Amplified Brute-Force Attacks This means instead of trying tho
Thousands of Hacked WordPress Sites Abused to Infect Millions of Visitors

Thousands of Hacked WordPress Sites Abused to Infect Millions of Visitors

September 18, 2015Khyati Jain
A Large number of WordPress websites were compromised in last two weeks with a new malware campaign spotted in the wild. WordPress , a Free and Open source content management system (CMS) and blogging tool, has been once again targeted by hackers at large scale. Researchers at Sucuri Labs have detected a “ Malware Campaign ” with an aim of getting access to as many devices they can by making innumerable WordPress websites as its prey. The Malware campaign was operational for more than 14 days ago, but it has experienced a massive increase in the spread of infection in last two days, resulted in affecting more than 5000 Wordpress websites. The Security researchers call this malware attack as “ VisitorTracker ”, as there exists a javascript function named visitorTracker_isMob() in the malicious code designed by cyber criminals. This new campaign seems to be utilizing the Nuclear Exploit Kit and uses a combination of hacked WordPress sites, hidden iframes and nu
WordPress Vulnerability Puts Millions of Websites At Risk

WordPress Vulnerability Puts Millions of Websites At Risk

May 07, 2015Swati Khandelwal
Millions of WordPress websites are at risks of being completely hijacked by the hackers due to a critical cross-site scripting (XSS) vulnerability present in the default installation of the widely used content management system. The cross-site scripting (XSS) vulnerability, uncovered by the security researcher reported by Robert Abela of Security firm  Netsparker . Wordpress vulnerability resides in Genericons webfont package that is part of default WordPress Twenty Fifteen Theme. Here comes the threat: The XSS vulnerability has been identified as a " DOM-based ," which means the flaw resides in the document object model (DOM) that is responsible for text, images, headers, and links representation in a web browser. The easy-to-exploit DOM-based Cross-Site Scripting (XSS) vulnerability occurred due to an insecure file included with Genericons that allowed the Document Object Model Environment in the victim’s browser to be modified. What’s DOM-Bas
New Dark Web Marketplace Offers Zero-Day Exploits to Hackers

New Dark Web Marketplace Offers Zero-Day Exploits to Hackers

April 18, 2015Mohit Kumar
Hackers have sold secrets of zero-day exploits in the underground Dark Web marketplace such as the Silk Road and its various successors for years, and now a new deep web marketplace has appeared that offers anonymity protection to its sellers. A new Dark Web market , called " TheRealDeal ," has opened up for hackers, which focuses on selling Zero-Day exploits — infiltration codes that took advantage of software vulnerabilities for which the manufacturers have released no official software patch. Yes, THE REAL DEE……..EAL TheRealDeal Market, actually emerged over the last month, makes use of Tor anonymity software and the digital currency Bitcoin in an attempt to hide the identities of its buyers, sellers, and of course its own administrators. TOR , a.k.a The Onion Router , is one of the most well-known Darknets, where it is harder to trace the identity of a user, as it doesn't share your identifying information such as your IP address and physical loc
Own a WordPress Website? ISIS is After You — FBI warns

Own a WordPress Website? ISIS is After You — FBI warns

April 09, 2015Swati Khandelwal
If you run a self-hosted WordPress website, then you must Beware: "ISIS is after you." Yes, you heard right. The United States Federal Bureau of Investigation (FBI) is warning WordPress users to patch vulnerable plugins for the popular content management system before ISIS exploit them to display pro-ISIS messages. According to the FBI, ISIS sympathizers are targeting WordPress sites and the communication platforms of commercial entities, news organizations, federal/state/local governments, religious institutions, foreign governments, and a number of other domestic and international websites. Targets seem to be random: They are not linked to particular name or business. The attackers are sympathizers and supporters of ISIS (also known as ISIL), not actual members of the terrorist organization. They are mostly unskilled people and are not doing much hard work — Just leveraging known WordPress plugin flaws in commonly available hacking tools. These
'Google Analytics by Yoast' WordPress Plugin Patches Critical Vulnerability

'Google Analytics by Yoast' WordPress Plugin Patches Critical Vulnerability

March 21, 2015Wang Wei
Another popular WordPress plugin by Yoast has been found to be vulnerable to a critical flaw that could be exploited by hackers to hijack the affected website. The critical vulnerability actually resides in the highly popular Google Analytics by Yoast plugin, which allows WordPress admins to monitor website traffic by connecting the plugin to their Google Analytics account. The Google Analytics by Yoast WordPress plugin has been downloaded nearly 7 Million times with more than 1 million active installs, which makes the issue rather more serious. A week back, we reported that all the versions of ‘ WordPress SEO by Yoast ’ was vulnerable to Blind SQL Injection web application vulnerability that allowed an attacker to execute arbitrary payload on the victim WordPress site in order to take control of it. However, the Google Analytics by Yoast plugin is vulnerable to persistent cross-site scripting (XSS) vulnerability that allows hackers to execute malicious PHP code on the server, whic
WordPress Plugin Zero-Day Vulnerability Affects Thousands of Sites

WordPress Plugin Zero-Day Vulnerability Affects Thousands of Sites

February 05, 2015Swati Khandelwal
A critical zero-day vulnerability has been discovered in a popular WordPress plugin , called ' FancyBox for WordPress ', which is being used by hundreds of thousands of websites running on the most popular Blogging Platform Wordpress. 0-DAY FLAW EXPLOITED IN THE WILD The security researchers at network security firm Sucuri issued a warning Wednesday about the zero-day vulnerability that is being " actively exploited in the wild " by malicious hackers in order to infect as many as victims. While there are more than 70 million websites on the Internet currently running WordPress  content management system, over half a million websites use ' FancyBox for WordPress ' Plugin, making it one of the popular plugins of Wordpress for displaying images, HTML content and multimedia in a so-called " lightbox " that floats on top of Web pages.. HACKERS INJECT MALWARE INTO WEBSITES The vulnerability allows attackers to inject a malicious iframe
Millions of WordPress and Drupal Websites Vulnerable to DoS Attack

Millions of WordPress and Drupal Websites Vulnerable to DoS Attack

August 07, 2014Mohit Kumar
Users running the website on a self-hosted WordPress or on Drupal are strongly recommended to update their websites to the latest version immediately. A moderately critical vulnerability was discovered in the way Drupal and WordPress implement XMLRPC, which can lead an attacker to disable your website via a method known as Denial of Service (DoS) . VULNERABILITY RESULTS IN DoS ATTACK The latest update of WordPress 3.9.2 mainly addresses an issue in the PHP’s XML processor that could be exploited to trigger a DoS (denial of service) attack . The vulnerability affects all previous versions of WordPress. The XML vulnerability was first reported by Nir Goldshlager , a security researcher from Salesforce.com's product security team, that impacts both the popular website platforms. The issue was later fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team. ATTACK MAKES YOUR WEBSITE COMPLETELY INACCES
50,000 Websites Hacked Through MailPoet WordPress Plugin Vulnerability

50,000 Websites Hacked Through MailPoet WordPress Plugin Vulnerability

July 24, 2014Wang Wei
The users of WordPress, a free and open source blogging tool as well as content management system (CMS), that have a popular unpatched wordPress plugin installed are being cautioned to upgrade their sites immediately. A serious vulnerability in the WordPress plugin, MailPoet , could essentially allows an attacker to inject any file including malware, defacements and spam, whatever they wanted on the server and that too without any authentication. MailPoet, formerly known as Wysija Newsletter , is a WordPress plugin with more than 1.7 million downloads that allows developers running WordPress to send newsletters and manage subscribers within the content management system. In a blog post, the security researcher and CEO of the security firm Sucuri , Daniel Cid, pointed out the vulnerability to be serious and said that within three weeks since the vulnerability unveiled, over 50,000 websites have been remotely exploited by the cybercriminals to install backdoors targeting the vulner
Exclusive Deals

Get Daily News Updates By Email

Join over 350,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.