WordPress News Articles
Recent news articles referencing the vendor's vulnerabilities.
PoC released for W3 Total Cache Vulnerability that Exposes 1+ Million Websites to RCE Attacks
A proof-of-concept exploit released for unauthenticated command-injection flaw, affecting W3 Total Cache, puts many websites at high risk.
5 days ago
PoC Released for W3 Total Cache RCE Vulnerability Exposing 1+ Million Websites
The vulnerability stems from an unauthenticated command injection flaw in W3 Total Cache's page-caching mechanism.
5 days ago
PoC Published for W3 Total Cache Flaw Exposing 1M+ Sites to RCE
A PoC exploit for a critical remote code execution vulnerability in W3 Total Cache, one of WordPress's most popular caching plugins.
6 days ago
WordPress Plugin Flaw Exposes Millions to Cyber Threats
Urgent warning for WordPress users: a plugin flaw threatens millions with cyberattacks. Discover how to protect your site from this critical vulnerability now.
1 week ago
Critical vulnerability in the WordPress plugin W3 Total Cache. 430,000 sites at risk!
A critical vulnerability has been discovered in the WordPress plugin W3 Total Cache that allows the execution of arbitrary PHP commands. An urgent update is recommended.
1 week ago
W3 Total Cache Plugin Exposes Critical PHP Injection Flaw
Critical security alert: W3 Total Cache WordPress plugin exposes PHP command injection vulnerability risking your site’s safety. Act now to protect your data.
1 week ago
New WordPress Vulnerability W3 Total Cache CVE-2025-9501 Alert
Discover the critical W3 Total Cache vulnerability CVE-2025-9501 affecting WordPress sites; learn how to protect your website before it’s too late.
1 week ago
W3 Total Cache WordPress plugin vulnerable to PHP command injection
A critical flaw in the W3 Total Cache (W3TC) WordPress plugin can be exploited to run PHP commands on the server by posting a comment that contains a malicious payload. The vulnerability, tracked...
1 week ago
W3 Total Cache WordPress plugin vulnerable to PHP command injection
A critical flaw in the W3 Total Cache (W3TC) WordPress plugin can be exploited to run PHP commands on the server by posting a comment that contains a malicious payload.
1 week ago
W3 Total Cache CVE-2025-9501 Is The Latest WordPress Flaw
Over 1M WordPress sites using W3 Total Cache are at risk from CVE-2025-9501. Update to 2.8.13 and monitor for malicious activity immediately.
2 weeks ago
Site Takeover Flaw Affects 400K WordPress Sites
Attackers are already targeting a vulnerability in the Post SMTP plug-in that allows them to fully compromise an account and website.
3 weeks ago
Hackers exploit WordPress plugin Post SMTP to hijack admin accounts
Threat actors are actively exploiting a critical vulnerability in the Post SMTP plugin installed on more than 400,000 WordPress sites, to take complete control by hijacking administrator accounts.
4 weeks ago
Hackers exploit critical auth bypass flaw in JobMonster WordPress theme
Threat actors are targeting a critical vulnerability in the JobMonster WordPress theme that allows hijacking of administrator accounts under certain conditions.
4 weeks ago
WordPress security plugin exposes private data to site subscribers
The Anti-Malware Security and Brute-Force Firewall plugin for WordPress, installed on over 100,000 sites, has a vulnerability that allows subscribers to read any file on the server, potentially exposing private information.
Hackers launch mass attacks exploiting outdated WordPress plugins
A widespread exploitation campaign is targeting WordPress websites with GutenKit and Hunk Companion plugins vulnerable to critical-severity, old security issues that can be used to achieve remote code execution (RCE).
Auth Bypass Flaw in Service Finder WordPress Plugin Under Active Exploit
An Authentication Bypass (CVE-2025-5947) in Service Finder Bookings plugin allows any unauthenticated attacker to log in as an administrator.
CVE-2025-5947: WordPress Plugin flaw lets hackers access Admin accounts
Threat actors are exploiting a critical flaw, tracked as CVE-2025-5947, in the Service Finder WordPress theme’s Bookings plugin.
Critical Exploit Lets Hackers Bypass Authentication in WordPress Service Finder Theme
Critical WordPress flaw CVE-2025-5947 exploited in 13,800 attacks lets hackers hijack Service Finder sites.
Hackers exploit auth bypass in Service Finder WordPress theme
Threat actors are actively exploiting a critical vulnerability in the Service Finder WordPress theme that allows them to bypass authentication and log in as administrators.
Critical Vulnerability in WordPress Theme
Bearsthemes has released a patch addressing a critical vulnerability in a WordPress Theme, Alone. Users and administrators of affected products are advised...
CTIX FLASH Update - August 1, 2025
The financially motivated threat group UNC2891, also known as LightBasin, launched a covert hybrid attack on a bank’s ATM infrastructure by…
Attackers actively exploit critical zero-day in Alone WordPress Theme
Hackers exploit a critical vulnerability, tracked as CVE-2025-5394 (CVSS score of 9.8), in the 'Alone' WordPress theme to hijack sites.
Hackers Exploit Critical WordPress Theme Flaw to Hijack Sites via Remote Plugin Install
Critical WordPress flaw CVE-2025-5394 lets attackers take over sites using the "Alone" theme. 120K+ attempts blocked.
WordPress Theme RCE Flaw Actively Exploited to Seize Full Site Control
The vulnerability, tracked as CVE-2025-5394 with a maximum CVSS severity score of 9.8, allows unauthenticated attackers to achieve complete website takeovers through arbitrary file uploads.
WordPress Theme Security Vulnerability Enables to Execute Arbitrary Code Remotely
A critical security vulnerability has been discovered in the popular "Alone" WordPress theme that allows unauthenticated attackers to execute arbitrary code.
CVE-2025-34085 Element Engage Simple File List Plugin ee-upload-engine.php unrestricted upload
A vulnerability was found in Element Engage Simple File List Plugin up to 4.2.2 on WordPress. It has been classified as critical. This vulnerability is traded as CVE-2025-34085. It is recommended to upgrade the affected component.
CVE-2025-30940: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in melipayamak Melipayamak - Live Threat Intelligence - Threat Radar | OffSeq.com
Detailed information about CVE-2025-30940: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in melipayamak Melipayama
Forminator plugin flaw exposes WordPress sites to takeover attacks
The Forminator plugin for WordPress is vulnerable to an unauthenticated arbitrary file deletion flaw that could enable full site takeover attacks.
Vulnerabilities | INCIBE-CERT | INCIBE
CVE-2025-5540 Publication date: 26/06/2025 The Event RSVP and Simple Event Management Plugin plugin for WordPress is vulnerable to Stored...
WordPress Motors theme flaw mass-exploited to hijack admin accounts
Hackers are exploiting a critical privilege escalation vulnerability in the WordPress theme
Vulnerabilities | INCIBE-CERT | INCIBE
CVE-2025-4413 Publication date: 18/06/2025 *** Pending translation *** The Pixabay Images plugin for WordPress is...
Over 100,000 WordPress Sites at Risk from Critical CVSS 10.0 Vulnerability in Wishlist Plugin
CVE-2025-47577 flaw in TI WooCommerce Wishlist lets unauthenticated attackers upload malicious files—no patch yet, 100K+ sites at risk.
WordPress TI WooCommerce Wishlist Plugin Vulnerability Exposes 100,000+ Websites To Cyberattack
CVE-2025-47577 in TI WooCommerce Wishlist plugin lets attackers upload files unauthenticated, risking 100K+ WordPress sites (CVSS 10).
Flawed WordPress theme may allow admin account takeover on 22,000+ sites (CVE-2025-4322) - Help Net Security
A vulnerability (CVE-2025-4322) in the Motors WordPress theme can be easily exploited by unauthenticated attackers to take over accounts.
Premium WordPress 'Motors' theme vulnerable to admin takeover attacks
A critical privilege escalation vulnerability has been discovered in the premium WordPress theme Motors, which allows unauthenticated attackers to hijack administrator accounts and take complete control of websites.
CVE-2025-47539: Critical Eventin WordPress Plugin Vulnerability Puts 10,000+ Sites at Risk
WordPress Eventin Plugin Vulnerability has put over 10,000 websites at serious risk. Patch now: 4.0.27. Check out the recommended actions.
CVE-2024-1071 Description, Impact and Technical Details
CVE-2024-1071 is a vulnerability affecting the Ultimate Member plugin used in WordPress versions 2.1.3 to 2.8.2. An SQL Injection flaw is present, all…
CVE-2025-2563 Impact, Exploitability, and Mitigation Steps | Wiz
Understand the critical aspects of CVE-2025-2563 with a detailed vulnerability assessment, exploitation potential, affected technologies, and remediation guidance.
CVE-2025-3776: Remote Code Execution Vulnerability in WordPress TargetSMS Plugin - Cybersecurity Exploit Tracker by Ameeba
Overview The world of cybersecurity is an ever-evolving landscape, with new threats constantly emerging. One such threat that has recently been identified and categorized under the Common Vulnerabilities and Exposures (CVE) system is CVE-2025-3776. This vulnerability affects the WordPress plugin, Ve...
Critical CVE-2025-2636 Vulnerability In InstaWP Connect Plugin
Moroccan authorities warn of a critical vulnerability in the InstaWP Connect plugin for WordPress (CVE-2025-2636).
OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation
A critical OttoKit plugin flaw CVE-2025-3102 exploited within hours lets attackers create admin accounts unchecked.
CVE-2025-2294
The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the e...
Active Exploitation of Critical Vulnerability in WordPress Automatic Plugin
ValvePress has released security updates to address a critical vulnerability (CVE-2024-27956) impacting WordPress Automatic plugin. This vulnerability has a Common Vulnerability Scoring System (CVSSv3) score...
CVE-2025-2294 - Kubio AI Page Builder for WordPress Local File Inclusion Vulnerability
The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the e...
CVE-2025-2294 ExtendThemes Kubio AI Page Builder Plugin file inclusion
A vulnerability was found in ExtendThemes Kubio AI Page Builder Plugin up to 2.5.1 on WordPress and classified as critical. The identification of this vulnerability is CVE-2025-2294.
CVE-2025-2563 User Registration & Membership Plugin prepare_members_data improper authentication
A vulnerability, which was classified as critical, has been found in User Registration & Membership Plugin up to 4.1.1 on WordPress. The identification of this vulnerability is CVE-2025-2563.
CVE-2024-11613 Description, Impact and Technical Details
CVE-2024-11613 is a critical vulnerability affecting the WordPress File Upload plugin. The issue lies in the 'wfu_file_downloader.php' file, where the…