WordPress News Articles

Attackers actively exploit critical zero-day in Alone WordPress Theme

Hackers exploit a critical vulnerability, tracked as CVE-2025-5394 (CVSS score of 9.8), in the 'Alone WordPress theme to hijack sites.

3 days ago

Hackers Exploit Critical WordPress Theme Flaw to Hijack Sites via Remote Plugin Install

Critical WordPress flaw CVE-2025-5394 lets attackers take over sites using the "Alone" theme. 120K+ attempts blocked.

3 days ago

WordPress Theme RCE Flaw Actively Exploited to Seize Full Site Control

The vulnerability, tracked as CVE-2025-5394 with a maximum CVSS severity score of 9.8, allows unauthenticated attackers to achieve complete website takeovers through arbitrary file uploads.

4 days ago

WordPress Theme Security Vulnerability Enables to Execute Arbitrary Code Remotely

A critical security vulnerability has been discovered in the popular "Alone" WordPress theme that allows unauthenticated attackers to execute arbitrary code.

4 days ago

CVE-2025-34085 Element Engage Simple File List Plugin ee-upload-engine.php unrestricted upload

A vulnerability was found in Element Engage Simple File List Plugin up to 4.2.2 on WordPress. It has been classified as critical. This vulnerability is traded as CVE-2025-34085. It is recommended to upgrade the affected component.

4 weeks ago

CVE-2025-30940: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in melipayamak Melipayamak - Live Threat Intelligence - Threat Radar | OffSeq.com

Detailed information about CVE-2025-30940: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in melipayamak Melipayama

1 month ago

Forminator plugin flaw exposes WordPress sites to takeover attacks

The Forminator plugin for WordPress is vulnerable to an unauthenticated arbitrary file deletion flaw that could enable full site takeover attacks.

Vulnerabilities | INCIBE-CERT | INCIBE

CVE-2025-5540 Publication date: 26/06/2025 The Event RSVP and Simple Event Management Plugin plugin for WordPress is vulnerable to Stored...

WordPress Motors theme flaw mass-exploited to hijack admin accounts

Hackers are exploiting a critical privilege escalation vulnerability in the WordPress theme

Vulnerabilidades | INCIBE-CERT | INCIBE

CVE-2025-4413 Fecha de publicación: 18/06/2025 *** Pendiente de traducción *** The Pixabay Images plugin for WordPress is...

Over 100,000 WordPress Sites at Risk from Critical CVSS 10.0 Vulnerability in Wishlist Plugin

CVE-2025-47577 flaw in TI WooCommerce Wishlist lets unauthenticated attackers upload malicious files—no patch yet, 100K+ sites at risk.

Wordpress TI WooCommerce Wishlist Plugin Vulnerability Exposes 100,000+ Websites To Cyberattack

CVE-2025-47577 in TI WooCommerce Wishlist plugin lets attackers upload files unauthenticated, risking 100K+ WordPress sites (CVSS 10).

Flawed WordPress theme may allow admin account takeover on 22,000+ sites (CVE-2025-4322) - Help Net Security

A vulnerability (CVE-2025-4322) in the Motors Wordpress theme can be easily exploited by unauthenticated attackers to take over accounts.

Premium WordPress 'Motors' theme vulnerable to admin takeover attacks

A critical privilege escalation vulnerability has been discovered in the premium WordPress theme Motors, which allows unauthenticated attackers to hijack administrator accounts and take complete control of websites.

CVE-2025-47539: Critical Eventin WordPress Plugin Vulnerability Puts 10,000+ Sites at Risk 

WordPress Eventin Plugin Vulnerability has put over 10,000 websites at serious risk. Patch now: 4.0.27. Checkout the recommendation actions.

CVE-2024-1071 Description, Impact and Technical Details

CVE-2024-1071 is a vulnerability affecting the Ultimate Member plugin used in WordPress versions 2.1.3 to 2.8.2. An SQL Injection flaw is present, all…

CVE-2025-2563 Impact, Exploitability, and Mitigation Steps | Wiz

Understand the critical aspects of CVE-2025-2563 with a detailed vulnerability assessment, exploitation potential, affected technologies, and remediation guidance.

CVE-2025-3776: Remote Code Execution Vulnerability in WordPress TargetSMS Plugin - Cybersecurity Exploit Tracker by Ameeba

Overview The world of cybersecurity is an ever-evolving landscape, with new threats constantly emerging. One such threat that has recently been identified and categorized under the Common Vulnerabilities and Exposures (CVE) system is CVE-2025-3776. This vulnerability affects the WordPress plugin, Ve...

Critical CVE-2025-2636 Vulnerability In InstaWP Connect Plugin

Moroccan authorities warn of a critical vulnerability in the InstaWP Connect plugin for WordPress (CVE-2025-2636).

OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation

A critical OttoKit plugin flaw CVE-2025-3102 exploited within hours lets attackers create admin accounts unchecked.

CVE-2025-2294

The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via thekubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the e...

Active Exploitation of Critical Vulnerability in WordPress Automatic Plugin

ValvePress has released security updates to address a critical vulnerability (CVE-2024-27956) impacting WordPress Automatic plugin. This vulnerability has a Common Vulnerability Scoring System (CVSSv3) score...

CVE-2025-2294 - Kubio AI Page Builder for WordPress Local File Inclusion Vulnerability

The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via thekubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the e...

CVE-2025-2294 ExtendThemes Kubio AI Page Builder Plugin file inclusion

A vulnerability was found in ExtendThemes Kubio AI Page Builder Plugin up to 2.5.1 on WordPress and classified as critical. The identification of this vulnerability is CVE-2025-2294.

CVE-2025-2563 User Registration & Membership Plugin prepare_members_data improper authentication

A vulnerability, which was classified as critical, has been found in User Registration & Membership Plugin up to 4.1.1 on WordPress. The identification of this vulnerability is CVE-2025-2563.

CVE-2024-11613 Description, Impact and Technical Details

CVE-2024-11613 is a critical vulnerability affecting the WordPress File Upload plugin. The issue lies in the 'wfu_file_downloader.php' file, where the…

Wordpress Plugin Vulnerability Exposes 10,000 Sites to Code Execution Attacks

A critical security flaw in the GiveWP Donation Plugin tracked as CVE-2025-0912, has exposed over 100,000 WordPress websites to unauthenticated remote code execution (RCE) attacks. 

Fix CVE-2025-0180: WP Foodbakery Security Guide

Learn how to protect your WordPress site from the critical CVE-2025-0180 vulnerability in WP Foodbakery plugin. Step-by-step security guide for admins.

W3 Total Cache plugin flaw exposes 1 million WordPress sites to attacks

A severe flaw in the W3 Total Cache plugin installed on more than one million WordPress sites could give attackers access to various information, including metadata on cloud-based apps.

W3 Total Cache Plugin Vulnerability Let Attackers Gain Unauthorized Access to Sensitive Data

A significant security vulnerability has been identified in the W3 Total Cache plugin for WordPress, affecting all versions up to and including 2.8.1.

WordPress Plugin Security Update Advisory (CVE-2024-11613) - ASEC

Overview We have released a security update to address a vulnerability in the WordPress File Upload plugin. Users of affected products are advised to update to the latest version.   Affected Products  CVE-2024-11613 WordPress File Upload Version: ~4.24.15 (inclusive)     Resolved Vulnerabilities Rem...

Wordpress Plugin Vulnerability Exposes 3 Million Websites to Injection Attacks

A critical vulnerability has been identified in the popular UpdraftPlus: WP Backup & Migration Plugin, potentially impacting over 3 million WordPress websites.

CERT-In Sounds Alarm On WPForms Plugin Exploit: Update Now

The vulnerability, present in WPForms plugin versions, stems from a missing authorization check in the wpforms_is_admin_page function.

RCE Vulnerability in 1,000,000 WordPress Sites Lets Attackers Gain Control Over Backend

A critical Remote Code Execution (RCE) vulnerability (CVE-2024-6386), affecting over 1,000,000 active installations of the WordPress Multilingual Plugin (WPML) Twig template engine.

Critical WordPress plugin vulnerability under active exploit threatens thousands

Vulnerability with severity rating of 9.8 out of possible 10 still live on >8,000 sites.

WordPress Hunk Companion Plugin Flaw Exploited to Silently Install Vulnerable Plugins

Attackers exploit Hunk Companion vulnerability (CVE-2024-11972) to install flawed plugins, enabling RCE attacks on 10,000+ WordPress sites. Patch imme

Hunk Companion WordPress plugin exploited to install vulnerable plugins

Hackers are exploiting a critical vulnerability in the

WPForms bug allows Stripe refunds on millions of WordPress sites

A vulnerability in WPForms, a WordPress plugin used in over 6 million websites, could allow subscriber-level users to issue arbitrary Stripe refunds or cancel subscriptions.

CVE-2024-11205 Vulnerability Impacts 6M WordPress Sites

CVE-2024-11205 exposes WPForms to unauthorized Stripe refunds and subscription cancellations.

Critical Vulnerabilities Found in Anti-Spam Plugin Used by 200,000 WordPress Sites

Two vulnerabilities in the Anti-Spam by CleanTalk WordPress plugin allowed attackers to execute arbitrary code remotely.

CVE-2024-10924, authentication bypass vulnerability in WordPress

Vulnerability CVE-2024-10924 in the Really Simple Security plugin allows an attacker to log onto a WordPress site with administrator rights.

Vulnerability in WP Time Capsule Plugin (CVE-2024-8856) - OP INNOVATE

Critical vulnerability in WP Time Capsule plugin (CVE-2024-8856) allows unauthenticated file uploads, risking full site takeover; update to version 1.22.22 immediately to mitigate threats.

Urgent: Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites

Critical vulnerability (CVE-2024-10924) in Really Simple Security plugin allows attackers admin access to WordPress sites. Over 4 million affected.

Really Simple Security - CVE-2024-10924

Start It’s been almost a year since my last blog post—time really flies! But today, I stumbled upon something that pulled me back to the keyboard: Wordfence just reported a critical vulnerability in the Really Simple Security (Slugs: really-simple-ssl , really-simple-ssl-pro, really-simple-ssl-pro-...

Critical WPLMS WordPress Theme Bug Puts Websites At Risk Of RCE

A newly discovered vulnerability in the WPLMS WordPress theme threatens websites with potential Remote Code Execution (RCE) due to a critical path traversal

Path Traversal Vulnerability In WPLMS WordPress Theme Exposes Websites To RCE  - Cyble

A vulnerability in the WPLMS WordPress theme can put websites at risk of Remote Code Execution.

CVE-2024-9895 Description, Impact and Technical Details

CVE-2024-9895 identifies a vulnerability in the Smart Online Order for Clover plugin for WordPress, affecting all versions up to and including 1.5.7. …

Popular WordPress Caching Plugin Had a Major XSS Vulnerability

The WordPress Caching Plugin had three major XSS vulnerabilities, which have now been fixed by Patchstack. Here's more about it.