CyberSecurity updates
2025-01-31 09:34:39 Pacific

10000 WordPress Sites Delivering Malware - 12h

A sophisticated cyberattack has compromised over 10,000 WordPress websites, injecting malicious JavaScript to redirect visitors to fake browser update pages. These pages deliver malware targeting both macOS and Windows systems. The attack exploits vulnerabilities in outdated WordPress versions and plugins, resulting in a large-scale, cross-platform malware distribution campaign. The campaign uses techniques such as iframe injection and distributes the malicious AMOS (Atomic macOS) payload on macOS and a separate Windows executable on Windows.

W3 Total Cache Flaw Exposes Million WordPress Sites - 13d

A severe vulnerability in the W3 Total Cache plugin for WordPress has been identified, impacting over one million websites. This flaw enables attackers to gain unauthorized access to sensitive data, including metadata on cloud-based apps. The vulnerability, allowing subscriber-level access, poses a substantial risk to WordPress sites using the plugin, potentially exposing user data and compromising site security.

WordPress Skimmers Inject Malicious Code in Database - 17d

A sophisticated credit card skimmer malware campaign is targeting WordPress e-commerce checkout pages. The malware injects malicious JavaScript code directly into the database tables, evading traditional detection methods. This allows attackers to steal sensitive payment information, highlighting the need for robust security practices, including database monitoring and regular security audits to protect against such advanced threats.

WordPress Plugin Exposes Sites to Attacks - 20d

Critical security vulnerabilities have been found in the Fancy Product Designer plugin for WordPress. These unpatched flaws in the plugin allow for system compromise, data exposure, and service disruption. The plugin, with over 20,000 sales, is now a major security risk for WordPress websites. Users must take immediate action to mitigate these vulnerabilities, highlighting the need for thorough security practices on WordPress.

WordPress Plugin Vulnerability Exposes Millions - 23d

A critical vulnerability in the UpdraftPlus WordPress plugin has exposed over 3 million websites to unauthenticated PHP object injection attacks. This vulnerability allows attackers to inject malicious code, potentially leading to complete site compromise. The issue highlights the severe risks associated with vulnerable plugins in popular CMS platforms and the importance of regular updates.

WPForms Plugin Vulnerability Exposes WordPress Sites - 28d

A critical vulnerability, CVE-2024-11205, has been discovered in the WPForms plugin for WordPress, affecting versions 1.8.4 through 1.9.2.1. This vulnerability stems from a missing authorization check in the wpforms_is_admin_page function, allowing attackers with Subscriber-level privileges to perform unauthorized actions such as refunding payments and canceling subscriptions. This flaw has the potential to cause significant financial losses and service disruptions for website owners using the plugin. A fix is available in version 9.1.2.2 or later. Website administrators should review user permissions, enable 2FA, monitor site activity, and back up regularly to mitigate risks. This vulnerability highlights the importance of proactive security measures and staying informed about software updates.

WordPress Hunk Companion Plugin Vulnerability - 11d

A critical vulnerability, CVE-2024-11972, has been discovered in the Hunk Companion WordPress plugin, affecting versions below 1.9.0. This flaw allows malicious actors to install and activate vulnerable plugins on affected sites through unauthenticated POST requests. Attackers can exploit this to backdoor sites. The vulnerability has a CVSS score of 9.8, highlighting its severity. This flaw poses a significant security risk, impacting over 10,000 websites. Site owners are advised to update their plugins immediately.