The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: hack wordpress

Hackers Actively Exploiting Widely-Used Social Share Plugin for WordPress

Hackers Actively Exploiting Widely-Used Social Share Plugin for WordPress
April 23, 2019Swati Khandelwal
Hackers have been found exploiting a pair of critical security vulnerabilities in one of the popular social media sharing plugins to take control over WordPress websites that are still running a vulnerable version of the plugin. The vulnerable plugin in question is Social Warfare which is a popular and widely deployed WordPress plugin with more than 900,000 downloads. It is used to add social share buttons to a WordPress website or blog. Late last month, maintainers of Social Warfare for WordPress released an updated version 3.5.3 of their plugin to patch two security vulnerabilities—stored cross-site scripting (XSS) and remote code execution (RCE)—both tracked by a single identifier, i.e., CVE-2019-9978 . Hackers can exploit these vulnerabilities to run arbitrary PHP code and take complete control over websites and servers without authentication, and then use the compromised sites to perform digital coin mining or host malicious exploit code. However, the same day when Soc

New WordPress Flaw Lets Unauthenticated Remote Attackers Hack Sites

New WordPress Flaw Lets Unauthenticated Remote Attackers Hack Sites
March 14, 2019Swati Khandelwal
If for some reason your WordPress-based website has not yet been automatically updated to the latest version 5.1.1, it's highly recommended to immediately upgrade it before hackers could take advantage of a newly disclosed vulnerability to hack your website. Simon Scannell, a researcher at RIPS Technologies GmbH, who previously reported multiple critical vulnerabilities in WordPress, has once again discovered a new flaw in the content management software (CMS) that could potentially lead to remote code execution attacks. The flaw stems from a cross-site request forgery (CSRF) issue in the Wordpress' comment section, one of its core components that comes enabled by default and affects all WordPress installations prior to version 5.1.1. Unlike most of the previous attacks documented against WordPress, this new exploit allows even an "unauthenticated, remote attacker" to compromise and gain remote code execution on the vulnerable WordPress websites. "

Critical Flaw Uncovered In WordPress That Remained Unpatched for 6 Years

Critical Flaw Uncovered In WordPress That Remained Unpatched for 6 Years
February 19, 2019Swati Khandelwal
Exclusive — If you have not updated your website to the latest WordPress version 5.0.3, it's a brilliant idea to upgrade the content management software of your site now. From now, I mean immediately. Cybersecurity researchers at RIPS Technologies GmbH today shared their latest research with The Hacker News, revealing the existence of a critical remote code execution vulnerability that affects all previous versions of WordPress content management software released in the past 6 years. The remote code execution attack, discovered and reported to the WordPress security team late last year, can be exploited by a low privileged attacker with at least an "author" account using a combination of two separate vulnerabilities—Path Traversal and Local File Inclusion—that reside in the WordPress core. The requirement of at least an author account reduces the severity of this vulnerability to some extent, which could be exploited by a rogue content contributor or an attacker w

Popular AMP Plugin for WordPress Patches Critical Flaw – Update Now

Popular AMP Plugin for WordPress Patches Critical Flaw – Update Now
November 15, 2018Mohit Kumar
A security researcher has disclosed details of a critical vulnerability in one of the popular and widely active plugins for WordPress that could allow a low-privileged attacker to inject malicious code on AMP pages of the targeted website. The vulnerable WordPress plugin in question is " AMP for WP – Accelerated Mobile Pages " that lets websites automatically generate valid accelerated mobile pages for their blog posts and other web pages. AMP , stands for Accelerated Mobile Page s , is an open-source technology that has been designed by Google to allow websites build and server faster web pages to mobile visitors. Though I am pretty sure the main version of "The Hacker News" website is enough fast for both desktop and mobile device users, you can also check the AMP version for this specific article here . Out of hundreds of plugins that allows WordPress websites to create Google-optimize AMP pages, "AMP for WP" is the most popular among others

Popular WooCommerce WordPress Plugin Patches Critical Vulnerability

Popular WooCommerce WordPress Plugin Patches Critical Vulnerability
November 07, 2018Swati Khandelwal
If you own an eCommerce website built on WordPress and powered by WooCommerce plugin, then beware of a new vulnerability that could compromise your online store. Simon Scannell, a researcher at RIPS Technologies GmbH, discovered an arbitrary file deletion vulnerability in the popular WooCommerce plugin that could allow a malicious or compromised privileged user to gain full control over the unpatched websites. WooCommerce is one the most popular eCommerce plugins for WordPress that helps websites to upgrade their standard blog to a powerful online store. WooCommerce powers nearly 35% of e-stores on the internet, with more than 4 million installations. Exploiting WooCommerce File-Deletion and WordPress Design Flaws The attack demonstrated in the following video takes advantage of the way WordPress handles user privileges and WooCommerce file deletion vulnerability, allowing an account with "Shop Manager" role to eventually reset administrator accounts' pass

New PHP Code Execution Attack Puts WordPress Sites at Risk

New PHP Code Execution Attack Puts WordPress Sites at Risk
August 17, 2018Wang Wei
Sam Thomas, a security researcher from Secarma, has discovered a new exploitation technique that could make it easier for hackers to trigger critical deserialization vulnerabilities in PHP programming language using previously low-risk considered functions. The new technique leaves hundreds of thousands of web applications open to remote code execution attacks, including websites powered by some popular content management systems like WordPress and Typo3. PHP unserialization or object injection vulnerabilities were initially documented in 2009, which could allow an attacker to perform different kinds of attacks by supplying malicious inputs to the unserialize() PHP function. If you are unaware, serialization is the process of converting data objects into a plain string, and unserialize function help program recreate an object back from a string. Thomas found that an attacker can use low-risk functions against Phar archives to trigger deserialization attack without requiring

Thousands of Hacked WordPress Sites Abused to Infect Millions of Visitors

Thousands of Hacked WordPress Sites Abused to Infect Millions of Visitors
September 18, 2015Khyati Jain
A Large number of WordPress websites were compromised in last two weeks with a new malware campaign spotted in the wild. WordPress , a Free and Open source content management system (CMS) and blogging tool, has been once again targeted by hackers at large scale. Researchers at Sucuri Labs have detected a " Malware Campaign " with an aim of getting access to as many devices they can by making innumerable WordPress websites as its prey. The Malware campaign was operational for more than 14 days ago, but it has experienced a massive increase in the spread of infection in last two days, resulted in affecting more than 5000 Wordpress websites. The Security researchers call this malware attack as " VisitorTracker ", as there exists a javascript function named visitorTracker_isMob() in the malicious code designed by cyber criminals. This new campaign seems to be utilizing the Nuclear Exploit Kit and uses a combination of hacked WordPress sites, hidden iframes and nu
Exclusive Offers

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.