Wordpress plugin vulnerability | Breaking Cybersecurity News | The Hacker News

Critical Bugs Found in 3 Popular e-Learning Plugins for WordPress Sites
Apr 30, 2020
Security researchers are sounding the alarm over newly discovered vulnerabilities in some popular online learning management system (LMS) plugins that various organizations and universities use to offer online training courses through their WordPress-based websites. According to the Check Point Research Team, the three WordPress plugins in question — LearnPress, LearnDash, and LifterLMS — have security flaws that could permit students, as well as unauthenticated users, to pilfer personal information of registered users and even attain teacher privileges. "Because of coronavirus, we're doing everything from our homes, including our formal learning," Check Point Research's Omri Herscovici said. "The vulnerabilities found allow students, and sometimes even unauthenticated users, to gain sensitive information or take control of the LMS platforms." The three LMS systems are installed on approximately 100,000 different educational platforms, includi

Critical Bug in WordPress Theme Plugin Opens 200,000 Sites to Hackers
Feb 17, 2020
A popular WordPress theme plugin with over 200,000 active installations contains a severe but easy-to-exploit software vulnerability that, if left unpatched, could let unauthenticated remote attackers compromise a wide range of websites and blogs. The vulnerable plugin in question is 'ThemeGrill Demo Importer', which ships with the free as well as premium themes sold by the software development company ThemeGrill. The ThemeGrill Demo Importer plugin is designed to let WordPress site admins import demo content, widgets, and settings from ThemeGrill, making it easier for them to quickly customize a theme. According to a report the security company WebARX shared with The Hacker News, when a ThemeGrill theme is installed and activated, the affected plugin executes some functions with administrative privileges without checking whether the user running the code is authenticated and is an admin. The flaw could eventually allow unauthenticated remote attackers to wipe the e

How Nation-State Actors Target Your Business: New Research Exposes Major SaaS Vulnerabilities
Feb 15, 2024
SaaS Security / Risk Management
With many of the highly publicized 2023 cyber attacks revolving around one or more SaaS applications, SaaS has become a cause for genuine concern in many boardroom discussions. More so than ever, considering that GenAI applications are, in fact, SaaS applications. Wing Security (Wing), a SaaS security company, conducted an analysis of 493 SaaS-using companies in Q4 of 2023. Their study reveals how companies use SaaS today, and the wide variety of threats that result from that usage. This unique analysis provides rare and important insights into the breadth and depth of SaaS-related risks, but also provides practical tips to mitigate them and ensure SaaS can be widely used without compromising security posture. The TL;DR version of SaaS security: 2023 brought some now infamous examples of malicious players leveraging or directly targeting SaaS, including the North Korean group UNC4899, the 0ktapus ransomware group, and the Russian Midnight Blizzard APT, which targeted well-known organizat

New Flaw in WordPress Live Chat Plugin Lets Hackers Steal and Hijack Sessions
Jun 11, 2019
Security researchers have been warning about a critical vulnerability they discovered in a popular WordPress live chat plugin which, if exploited, could allow unauthorized remote attackers to steal chat logs or manipulate chat sessions. The vulnerability, identified as CVE-2019-12498, resides in the "WP Live Chat Support" plugin, which is currently used by over 50,000 businesses to provide customer support and chat with visitors through their websites. Discovered by cybersecurity researchers at Alert Logic, the flaw stems from an improper authentication check that could allow unauthenticated users to access restricted REST API endpoints. As described by the researchers, a potential remote attacker can abuse the exposed endpoints for malicious purposes, including: stealing the entire chat history for all chat sessions, modifying or deleting the chat history, injecting messages into an active chat session, posing as a custome

Popular AMP Plugin for WordPress Patches Critical Flaw – Update Now
Nov 15, 2018
A security researcher has disclosed details of a critical vulnerability in a popular and widely used WordPress plugin that could allow a low-privileged attacker to inject malicious code into the AMP pages of a targeted website. The vulnerable WordPress plugin in question is "AMP for WP – Accelerated Mobile Pages", which lets websites automatically generate valid accelerated mobile pages for their blog posts and other web pages. AMP, which stands for Accelerated Mobile Pages, is an open-source technology designed by Google to let websites build and serve faster web pages to mobile visitors. Though I am pretty sure the main version of "The Hacker News" website is fast enough for both desktop and mobile device users, you can also check the AMP version of this specific article here. Out of the hundreds of plugins that allow WordPress websites to create Google-optimized AMP pages, "AMP for WP" is the most popular among others

'Google Analytics by Yoast' WordPress Plugin Patches Critical Vulnerability
Mar 21, 2015
Another popular WordPress plugin by Yoast has been found to be vulnerable to a critical flaw that could be exploited by hackers to hijack the affected website. The critical vulnerability resides in the highly popular Google Analytics by Yoast plugin, which allows WordPress admins to monitor website traffic by connecting the plugin to their Google Analytics account. The Google Analytics by Yoast WordPress plugin has been downloaded nearly 7 million times and has more than 1 million active installs, which makes the issue all the more serious. A week back, we reported that all versions of 'WordPress SEO by Yoast' were vulnerable to a Blind SQL Injection web application vulnerability that allowed an attacker to execute an arbitrary payload on the victim's WordPress site in order to take control of it. The Google Analytics by Yoast plugin, however, is vulnerable to a persistent cross-site scripting (XSS) vulnerability that allows hackers to execute malicious PHP code on the server, whic

'WordPress SEO by Yoast' Plugin Vulnerability Affects Millions
Mar 11, 2015
A critical vulnerability has been discovered in the most popular plugin of the WordPress content management platform (CMS) that puts tens of millions of websites at risk of being hacked by attackers. The vulnerability resides in most versions of a WordPress plugin known as 'WordPress SEO by Yoast', which has more than 14 million downloads according to the Yoast website, making it one of the most popular WordPress plugins for easily optimizing websites for search engines, i.e. search engine optimization (SEO). The vulnerability in WordPress SEO by Yoast was discovered by Ryan Dewhurst, developer of the WordPress vulnerability scanner 'WPScan'. All versions of 'WordPress SEO by Yoast' prior to 1.7.3.3 are vulnerable to a Blind SQL Injection web application flaw, according to an advisory published today. SQL injection (SQLi) vulnerabilities are ranked as critical because they could cause a database breach and lead to confidential information

WordPress Analytics Plugin Leaves 1.3 Million Sites Vulnerable to Hackers
Feb 25, 2015
A critical vulnerability has been discovered in one of the most popular plugins of the WordPress content management platform that puts more than one million websites at risk of being completely hijacked by attackers. The vulnerability resides in most versions of a WordPress plugin called Wettable Powder Slimstat (WP-Slimstat). While there are more than 70 million websites on the Internet currently running WordPress, more than 1.3 million of them use the 'WP-Slimstat' plugin, making it one of the popular WordPress plugins for powerful real-time web analytics. All WP-Slimstat versions prior to the latest release, Slimstat 3.9.6, contain an easily guessable 'secret' key which is used to sign data sent to and from the visiting end-user's computer, as explained in a blog post published Tuesday by the web security firm Sucuri. Once the weak 'secret' key is broken, an attacker could perform an SQL injection attack against the target website

WordPress Plugin Zero-Day Vulnerability Affects Thousands of Sites
Feb 05, 2015
A critical zero-day vulnerability has been discovered in a popular WordPress plugin called 'FancyBox for WordPress', which is used by hundreds of thousands of websites running on the most popular blogging platform, WordPress. 0-DAY FLAW EXPLOITED IN THE WILD: The security researchers at the network security firm Sucuri issued a warning Wednesday about the zero-day vulnerability, which is being "actively exploited in the wild" by malicious hackers in order to infect as many victims as possible. While there are more than 70 million websites on the Internet currently running the WordPress content management system, over half a million websites use the 'FancyBox for WordPress' plugin, making it one of the popular WordPress plugins for displaying images, HTML content and multimedia in a so-called "lightbox" that floats on top of web pages. HACKERS INJECT MALWARE INTO WEBSITES: The vulnerability allows attackers to inject a malicious iframe

CryptoPHP Backdoor Hijacks Servers with Malicious Plugins & Themes
Nov 24, 2014
Security researchers have discovered thousands of backdoored plugins and themes for popular content management systems (CMS) that could be used by attackers to compromise web servers on a large scale. The Netherlands-based security firm Fox-IT has published a whitepaper revealing a new backdoor named "CryptoPHP." Security researchers have uncovered malicious plugins and themes for WordPress, Joomla and Drupal. There is slight relief for Drupal users, however, as only themes were found to be infected with the CryptoPHP backdoor. In order to victimize site administrators, the miscreants make use of a simple social engineering trick: they lure site admins into downloading pirated versions of commercial CMS plugins and themes for free. Once downloaded and installed, the malicious theme or plugin places the backdoor on the admin's server. "By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is

50,000 Websites Hacked Through MailPoet WordPress Plugin Vulnerability
Jul 24, 2014
Users of WordPress, a free and open source blogging tool as well as content management system (CMS), who have a popular unpatched WordPress plugin installed are being cautioned to upgrade their sites immediately. A serious vulnerability in the WordPress plugin MailPoet could essentially allow an attacker to upload any file, including malware, defacements and spam, whatever they want, to the server, and all without any authentication. MailPoet, formerly known as Wysija Newsletter, is a WordPress plugin with more than 1.7 million downloads that allows developers running WordPress to send newsletters and manage subscribers within the content management system. In a blog post, Daniel Cid, security researcher and CEO of the security firm Sucuri, described the vulnerability as serious and said that within three weeks of the vulnerability's disclosure, over 50,000 websites had been remotely exploited by cybercriminals to install backdoors targeting the vulner

Disqus Wordpress Plugin Flaw Leaves Millions of Blogs Vulnerable to Hackers
Jun 30, 2014
A remote code execution (RCE) vulnerability has been discovered in the Disqus plugin, a comment and discussion service, for the most popular blogging platform, WordPress. While there are more than 70 million websites on the Internet currently running WordPress, about 1.3 million of them use the 'Disqus Comment System' plugin, making it one of the popular WordPress plugins for web comments and discussions. The security team at the security firm Sucuri discovered the critical remote code execution (RCE) flaw while analyzing the Disqus plugin's custom JSON parser, and found that its variable parsing function could allow anyone to execute commands on the server through an insecurely coded PHP eval() call. WHO IS VULNERABLE: The remote code execution (RCE) vulnerability could be triggered by a remote attacker only if the server/website is running the following application versions: PHP version 5.1.6 or earlier, WordPress 3.1.4 or earlier, Wordpress Plugin