-->
#1 Trusted Cybersecurity News Platform
Followed by 5.70+ million
The Hacker News Logo
Get the Latest News
cybersecurity

Search results for WordPress plugin backdoor | Breaking Cybersecurity News | The Hacker News

Hidden Backdoor Found In WordPress Captcha Plugin Affects Over 300,000 Sites

Hidden Backdoor Found In WordPress Captcha Plugin Affects Over 300,000 Sites

Dec 20, 2017
Buying popular plugins with a large user-base and using it for effortless malicious campaigns have become a new trend for bad actors. One such incident happened recently when the renowned developer BestWebSoft sold a popular Captcha WordPress plugin to an undisclosed buyer, who then modified the plugin to download and install a hidden backdoor. In a blog post published on Tuesday, WordFence security firm revealed why WordPress recently kicked a popular Captcha plugin with more than 300,000 active installations out of its official plugin store. While reviewing the source code of the Captcha plugin, WordFence folks found a severe backdoor that could allow the plugin author or attackers to remotely gain administrative access to WordPress websites without requiring any authentication. The plugin was configured to automatically pull an updated "backdoored" version from a remote URL — https[://]simplywordpress[dot]net/captcha/captcha_pro_update.php — after installati...
Hackers Exploit Outdated WordPress Plugin to Backdoor Thousands of WordPress Sites

Hackers Exploit Outdated WordPress Plugin to Backdoor Thousands of WordPress Sites

Apr 24, 2023 Server Security / WordPress
Threat actors have been observed leveraging a legitimate but outdated WordPress plugin to surreptitiously backdoor websites as part of an ongoing campaign, Sucuri  revealed  in a report published last week. The plugin in question is Eval PHP, released by a developer named flashpixx. It allows users to insert PHP code pages and posts of WordPress sites that's then executed every time the posts are opened in a web browser. While  Eval PHP  has never received an update in 11 years, statistics gathered by WordPress show that it's installed on over 8,000 websites, with the number of downloads skyrocketing from one or two on average since September 2022 to 6,988 on March 30, 2023. On April 23, 2023, alone, it was downloaded 2,140 times. The plugin has racked up 23,110 downloads over the past seven days. GoDaddy-owned Sucuri said it observed some infected websites' databases injected with malicious code into the  "wp_posts" table , which stores a site's  pos...
50,000 Websites Hacked Through MailPoet WordPress Plugin Vulnerability

50,000 Websites Hacked Through MailPoet WordPress Plugin Vulnerability

Jul 24, 2014
The users of WordPress, a free and open source blogging tool as well as content management system (CMS), that have a popular unpatched wordPress plugin installed are being cautioned to upgrade their sites immediately. A serious vulnerability in the WordPress plugin, MailPoet , could essentially allows an attacker to inject any file including malware, defacements and spam, whatever they wanted on the server and that too without any authentication. MailPoet, formerly known as Wysija Newsletter , is a WordPress plugin with more than 1.7 million downloads that allows developers running WordPress to send newsletters and manage subscribers within the content management system. In a blog post, the security researcher and CEO of the security firm Sucuri , Daniel Cid, pointed out the vulnerability to be serious and said that within three weeks since the vulnerability unveiled, over 50,000 websites have been remotely exploited by the cybercriminals to install backdoors targeting the vulner...
cyber security

The Systems That Power America Are Under Threat. Is Your ICS/OT Program Ready?

websiteSANS InstituteCritical infrastructure / Webinar
Discover where federal ICS programs are most exposed and what closing the skills gap requires in practice.
cyber security

Inside Device Code Phishing: Live Demos, Real Kits, and What's Next

websitePush SecurityPhishing Attack / Webinar
Device code attacks are up 37x this year, with 18+ kits in the wild. Now available on-demand.
Vulnerability in WPTouch WordPress Plugin Allows Hackers to Upload PHP backdoors

Vulnerability in WPTouch WordPress Plugin Allows Hackers to Upload PHP backdoors

Jul 15, 2014
If you own a mobile version for your Wordpress website using the popular WPtouch plugin, then you may expose to a critical vulnerability that could potentially allow any non-administrative logged-in user to upload malicious PHP files or backdoors to the target server without any admin privileges. WordPress is a free and an open source blogging tool as well as a content management system (CMS) with 30,000 plugins, each of which offers custom functions and features enabling users to tailor their sites to their specific needs. That is why, it is easy to setup and used by more than 73 million of websites across the world, and about 5.7 million them uses WPtouch plugin, making it one of the most popular plugins in the WordPress plugin directory. WPtouch is a mobile plugin that automatically enables a user friendly and elegant mobile theme for rendering your WordPress website contents on the mobile devices. User can easily customize many aspects of its appearance by the adm...
Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers

Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers

Apr 10, 2026 Malware / Website Security
Unknown threat actors have hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla to push a poisoned version containing a backdoor. The incident impacts Smart Slider 3 Pro version 3.5.1.35 for WordPress, per WordPress security company Patchstack. Smart Slider 3 is a popular WordPress slider plugin with more than 800,000 active installations across its free and Pro editions. "An unauthorized party gained access to Nextend’s update infrastructure and distributed a fully attacker-authored build through the official update channel," the company said . "Any site that updated to 3.5.1.35 between its release on April 7, 2026, and its detection approximately 6 hours later received a fully weaponized remote access toolkit." Nextend, which maintains the plugin, said an unauthorized party gained unauthorized access to its update system and pushed a malicious version (3.5.1.35 Pro) that remained accessible for approximately six hours, before ...
Vulnerabilities in 'All in One SEO Pack' Wordpress Plugin Put Millions of Sites At Risk

Vulnerabilities in 'All in One SEO Pack' Wordpress Plugin Put Millions of Sites At Risk

May 31, 2014
Multiple Serious vulnerabilities have been discovered in the most famous ‘ All In One SEO Pack ’ plugin for WordPress, that put millions of Wordpress websites at risk. WordPress is easy to setup and use, that’s why large number of people like it. But if you or your company is using ‘ All in One SEO Pack ’ Wordpress plugin to optimize the website ranking in search engines, then you should update your SEO plugin immediately to the latest version of All in One SEO Pack 2.1.6 . Today, All in One SEO Pack plugin team has released an emergency security update that patches two critical privilege escalation vulnerabilities and one cross site scripting (XSS) flaw, discovered by security researchers at Sucuri, a web monitoring and malware clean up service. More than 73 million websites on the Internet run their websites on the WordPress publishing platform and more than 15 million websites are currently using All in One SEO Pack plugin for search engine optimization. Acco...
Hackers‌ ‌Actively‌ ‌Exploiting‌ ‌0-Day‌ ‌in WordPress Plugin Installed on Over ‌17,000‌ ‌Sites

Hackers‌ ‌Actively‌ ‌Exploiting‌ ‌0-Day‌ ‌in WordPress Plugin Installed on Over ‌17,000‌ ‌Sites

Jun 02, 2021
Fancy Product Designer, a WordPress plugin installed on over 17,000 sites, has been discovered to contain a critical file upload vulnerability that's being actively exploited in the wild to upload malware onto sites that have the plugin installed. Wordfence's threat intelligence team, which discovered the flaw, said it reported the issue to the plugin's developer on May 31. While the flaw has been acknowledged, it's yet to be addressed. Fancy Product Designer is a tool that enables businesses to offer customizable products, allowing customers to design any kind of item ranging from T-shirts to phone cases by offering the ability to upload images and PDF files that can be added to the products. "Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed," Wordfence...
Hackers Planted Secret Backdoor in Dozens of WordPress Plugins and Themes

Hackers Planted Secret Backdoor in Dozens of WordPress Plugins and Themes

Jan 22, 2022
In yet another instance of software supply chain attack, dozens of WordPress themes and plugins hosted on a developer's website were backdoored with malicious code in the first half of September 2021 with the goal of infecting further sites. The backdoor gave the attackers full administrative control over websites that used 40 themes and 53 plugins belonging to AccessPress Themes, a Nepal-based company that boasts of no fewer than 360,000 active website installations. "The infected extensions contained a dropper for a web shell that gives the attackers full access to the infected sites," security researchers from JetPack, a WordPress plugin suite developer, said in a  report  published this week. "The same extensions were fine if downloaded or installed directly from the WordPress[.]org directory." The vulnerability has been assigned the identifier  CVE-2021-24867 . Website security platform Sucuri, in a separate analysis,  said  some of the infected websit...
⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More

⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More

Jun 22, 2026 Cybersecurity / Hacking
It’s Monday again. This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control. The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks. Nothing clever. Just sloppy, cheap, and effective. Here’s the Monday recap. Let’s get into the week’s mess. ⚡ Threat of the Week FortiBleed Campaign Identifies Over 80K Targets — A large-scale campaign codenamed FortiBleed has systematically targeted and compromised Fortinet FortiGate firewall and SSL VPN gateway devices worldwide. According to SOCRadar, it has been running since at least February 2026, with over 80,000 devices identified with working usernames and passwords that have been tested by suspected Russian-speaking threat actors using automated tools running around...
Researchers Find Backdoor in School Management Plugin for WordPress

Researchers Find Backdoor in School Management Plugin for WordPress

May 21, 2022
Multiple versions of a WordPress plugin by the name of "School Management Pro" harbored a backdoor that could grant an adversary complete control over vulnerable websites. The issue, spotted in premium versions before 9.9.7, has been assigned the CVE identifier  CVE-2022-1609  and is rated 10 out of 10 for severity. The backdoor, which is believed to have existed since version 8.9, enables "an unauthenticated attacker to execute arbitrary PHP code on sites with the plugin installed," Jetpack's Harald Eilertsen  said  in a Friday write-up. School Management, developed by an India-based company called  Weblizar , is billed as a Wordpress add-on to "manage complete school operation." It also claims more than 340,000 customers of its premium and free WordPress themes and plugins. The WordPress security company noted that it uncovered the implant on May 4 after it was alerted to the presence of heavily obfuscated code in the license-checking code of t...
Over 17,000 WordPress Sites Compromised by Balada Injector in September 2023

Over 17,000 WordPress Sites Compromised by Balada Injector in September 2023

Oct 11, 2023 Website Security / Hacking
More than 17,000 WordPress websites have been compromised in the month of September 2023 with a malware known as  Balada Injector , nearly twice the number of detections in August. Of these, 9,000 of the websites are said to have been infiltrated using a recently disclosed security flaw in the tagDiv Composer plugin ( CVE-2023-3169 , CVSS score: 6.1) that could be  exploited  by unauthenticated users to perform stored cross-site scripting ( XSS ) attacks. "This is not the first time that the Balada Injector gang has targeted vulnerabilities in tagDiv's premium themes," Sucuri security researcher Denis Sinegubko  said . "One of the earliest massive malware injections that we could attribute to this campaign took place during the summer of 2017, where disclosed security bugs in Newspaper and Newsmag WordPress themes were actively abused." Balada Injector is a large-scale operation  first discovered  by Doctor Web in December 2022, wherein the threat act...
Website Backdoor Scripts Leverage the Pastebin Service

Website Backdoor Scripts Leverage the Pastebin Service

Jan 08, 2015
The popular copy and paste website ' Pastebin ' created a decade ago for software developers and even by hackers groups to share source code, dumps and stolen data, has more recently been leveraged by cyber criminals to target millions of users. Compromising a website and then hosting malware on it has become an old tactic for hackers, and now they are trying their hands in compromising vast majority of users in a single stroke. Researchers have discovered that hackers are now using Pastebin to spread malicious backdoor code. According to a blog post published yesterday by a senior malware researcher at Sucuri , Denis Sinegubko, the hackers are leveraging the weakness in older versions of the RevSlider , a popular and a premium WordPress plugin. The plugin comes packaged and bundled into the websites’ themes in such a way that many website owners don't even know they have it. In order to exploit the vulnerability, first hackers look for a RevSlider plugin i...
Popular WordPress Plugin Scripts Tampered to Plant Hidden Backdoors on Sites

Popular WordPress Plugin Scripts Tampered to Plant Hidden Backdoors on Sites

Jun 15, 2026 Web Security / Supply Chain Attack
An attacker tampered with trusted JavaScript files used by WordPress sites running PushEngage , OptinMonster , and TrustPulse , turning those files into a way to break into the sites. When a site administrator was logged in as the file loaded, the code created an admin account under the attacker's control and installed a hidden plugin that opened a way back in. Ordinary visitors did not trigger it. Any site that was hit should be treated as compromised. All three plugins are run by one company, Awesome Motive, which had not commented on the two larger plugins as of June 15. Security firm Sansec disclosed the wider campaign on June 13, finding the same malicious code in JavaScript served for all three plugins. PushEngage followed a day later with its own incident notice , confirming an attacker had served tampered copies of its script and that sites loading them could be taken over. PushEngage, acquired by Awesome Motive years ago, is so far the only one of the three to ...
Balada Injector Infects Over 7,100 WordPress Sites Using Plugin Vulnerability

Balada Injector Infects Over 7,100 WordPress Sites Using Plugin Vulnerability

Jan 15, 2024 Website Security / Vulnerability
Thousands of WordPress sites using a vulnerable version of the Popup Builder plugin have been compromised with a malware called  Balada Injector . First  documented  by Doctor Web in January 2023, the campaign takes place in a series of periodic attack waves, weaponizing security flaws in WordPress plugins to inject backdoor designed to redirect visitors of infected sites to bogus tech support pages, fraudulent lottery wins, and push notification scams. Subsequent  findings  unearthed by Sucuri have revealed the  massive scale of the operation , which is said to have been active since 2017 and infiltrated no less than 1 million sites since then. The GoDaddy-owned website security company, which  detected  the latest Balada Injector activity on December 13, 2023, said it identified the injections on  over 7,100 sites . These attacks take advantage of a high-severity flaw in Popup Builder ( CVE-2023-6000 , CVSS score: 8.8) – a plugin with...
ShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack

ShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack

Jun 22, 2026 Supply Chain Attack / Malware
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack after unknown threat actors managed to tamper with the official release channels and push backdoor code. "Attackers compromised the vendor's build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels," Wordfence said in an analysis published last week. The incident affects the following plugins - Product Slider Pro for WooCommerce (versions before 3.5.4) Real Testimonials Pro (version 3.2.5) Smart Post Show Pro (versions before 4.0.2) As mentioned above, it's worth emphasizing that the compromise only affects Pro plugin builds distributed through the vendor's Easy Digital Downloads (EDD) infrastructure via account.shapedplugin[.]com. The free versions of the plugins on WordPress.org are not impacted. The supply chain compromise associated with Product Slider Pro for WooCommerce has...
Researchers Uncover Active Exploitation of WordPress Plugin Vulnerabilities

Researchers Uncover Active Exploitation of WordPress Plugin Vulnerabilities

May 30, 2024 WordPress / Website Security
Cybersecurity researchers have warned that multiple high-severity security vulnerabilities in WordPress plugins are being actively exploited by threat actors to create rogue administrator accounts for follow-on exploitation. "These vulnerabilities are found in various WordPress plugins and are prone to unauthenticated stored cross-site scripting (XSS) attacks due to inadequate input sanitization and output escaping, making it possible for attackers to inject malicious scripts," Fastly researchers Simran Khalsa, Xavier Stevens, and Matthew Mathur said . The security flaws in question are listed below - CVE-2023-6961 (CVSS score: 7.2) - Unauthenticated Stored Cross-Site Scripting in WP Meta SEO <= 4.5.12 CVE-2023-40000 (CVSS score: 8.3) - Unauthenticated Stored Cross-Site Scripting in LiteSpeed Cache <= 5.7 CVE-2024-2194 (CVSS score: 7.2) - Unauthenticated Stored Cross-Site Scripting in WP Statistics <= 14.5 Attack chains exploiting the flaws involve inject...
WebARX — A Defensive Core For Your Website

WebARX — A Defensive Core For Your Website

Sep 12, 2019
Estonian based web security startup WebARX, the company who is also behind open-source plugin vulnerability scanner WPBullet and soon-to-be-released bug bounty platform plugbounty.com , has a big vision for a safer web. It built a defensive core for websites which is embedded deep inside the company's DNA as even ARX in their name refers to the citadel (the core fortified area of a town or city) in Latin. WebARX—web application security platform—allows web developers and digital agencies to get advanced website security integrated with every site and makes it more effective and less time-consuming to manage security across multiple websites. You can find reviews such as "WebARX - the Swiss army knife that secures my websites!", "The security software that I use every day," "Many Promise - WebARX Delivers" from their Trustpilot page, so where is all that coming from? Serious Team With A Unique Focus WebARX is solving a very specific probl...
Researchers Uncover Malware Posing as WordPress Caching Plugin

Researchers Uncover Malware Posing as WordPress Caching Plugin

Oct 12, 2023 Website Security / WordPress
Cybersecurity researchers have shed light on a new sophisticated strain of malware that masquerades as a WordPress plugin to stealthily create administrator accounts and remotely control a compromised site. "Complete with a professional looking opening comment implying it is a caching plugin, this rogue code contains numerous functions, adds filters to prevent itself from being included in the list of activated plugins, and has pinging functionality that allows a malicious actor to check if the script is still operational, as well as file modification capabilities," Wordfence  said . The plugin also offers the ability to activate and deactivate arbitrary plugins on the site remotely as well as create rogue admin accounts with the username superadmin and a hard-coded password. In what's seen as an attempt to erase traces of compromise, it features a function named "_pln_cmd_hide" that's designed to remove the superadmin account when it's no longer req...
Hackers Exploiting WordPress Elementor Pro Vulnerability: Millions of Sites at Risk!

Hackers Exploiting WordPress Elementor Pro Vulnerability: Millions of Sites at Risk!

Apr 01, 2023 Web Security / Cyber Threat
Unknown threat actors are actively exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress. The flaw, described as a case of broken access control, impacts versions 3.11.6 and earlier. It was addressed by the plugin maintainers in version 3.11.7 released on March 22. "Improved code security enforcement in WooCommerce components," the Tel Aviv-based company  said  in its release notes. The premium plugin is  estimated  to be used on over 12 million sites. Successful exploitation of the high-severity flaw allows an authenticated attacker to complete a takeover of a WordPress site that has WooCommerce enabled. "This makes it possible for a malicious user to turn on the registration page (if disabled) and set the default user role to administrator so they can create an account that instantly has the administrator privileges," Patchstack  said  in an alert of March 30, 2023. "After this, they are like...
Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access

Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access

Jul 24, 2025 Cybersecurity / Web Security
Cybersecurity researchers have uncovered a new stealthy backdoor concealed within the "mu-plugins" directory in WordPress sites to grant threat actors persistent access and allow them to perform arbitrary actions. Must-use plugins (aka mu-plugins) are special plugins that are automatically activated on all WordPress sites in the installation. They are located in the "wp-content/mu-plugins" directory by default. What makes them an attractive option for attackers is that mu-plugins do not show in the default list of plugins on the Plugins page of wp-admin and cannot be disabled except by removing the plugin file from the must-use directory. As a result, a piece of malware that leverages this technique allows it to function quietly, without raising any red flags. In the infection spotted by web security company Sucuri, the PHP script in the mu-plugins directory ("wp-index.php") serves as a loader to fetch a next-stage payload and save it in the WordPr...
Expert Insights Articles Videos
Cybersecurity Resources