WordPress News Articles

Recent news articles referencing the vendor's vulnerabilities.

CVE-2024-1071 Description, Impact and Technical Details

CVE-2024-1071 is a vulnerability affecting the Ultimate Member plugin used in WordPress versions 2.1.3 to 2.8.2. An SQL Injection flaw is present, all…

5 days ago

CVE-2025-2563 Impact, Exploitability, and Mitigation Steps | Wiz

Understand the critical aspects of CVE-2025-2563 with a detailed vulnerability assessment, exploitation potential, affected technologies, and remediation guidance.

1 week ago

CVE-2025-3776: Remote Code Execution Vulnerability in WordPress TargetSMS Plugin - Cybersecurity Exploit Tracker by Ameeba

Overview The world of cybersecurity is an ever-evolving landscape, with new threats constantly emerging. One such threat that has recently been identified and categorized under the Common Vulnerabilities and Exposures (CVE) system is CVE-2025-3776. This vulnerability affects the WordPress plugin, Ve...

2 weeks ago

Critical CVE-2025-2636 Vulnerability In InstaWP Connect Plugin

Moroccan authorities warn of a critical vulnerability in the InstaWP Connect plugin for WordPress (CVE-2025-2636).

4 weeks ago

OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation

A critical OttoKit plugin flaw CVE-2025-3102 exploited within hours lets attackers create admin accounts unchecked.

CVE-2025-2294

The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the e...

Active Exploitation of Critical Vulnerability in WordPress Automatic Plugin

ValvePress has released security updates to address a critical vulnerability (CVE-2024-27956) impacting WordPress Automatic plugin. This vulnerability has a Common Vulnerability Scoring System (CVSSv3) score...

CVE-2025-2294 - Kubio AI Page Builder for WordPress Local File Inclusion Vulnerability

The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the e...

CVE-2025-2294 ExtendThemes Kubio AI Page Builder Plugin file inclusion

A vulnerability was found in ExtendThemes Kubio AI Page Builder Plugin up to 2.5.1 on WordPress and classified as critical. The identification of this vulnerability is CVE-2025-2294.
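The three Kubio entries above describe the same bug class: a request-controlled template name reaches a file include, so an unauthenticated visitor can pull in any readable file. The following is an added illustration written for this page, not code from the Kubio plugin or ExtendThemes; the function names, the templates directory, the allowlist and the AJAX hook are assumptions.

```php
<?php
// Added example for this page, not code from the Kubio plugin or ExtendThemes.
// Function names, the "templates" directory, the allowlist and the hook are assumptions.

// Vulnerable pattern: a request-controlled template name flows into include().
// "../" sequences or an absolute path let an unauthenticated visitor include any
// readable PHP file, or a file they uploaded elsewhere that happens to contain PHP.
function hybrid_load_template_vulnerable( string $template ): void {
    $path = plugin_dir_path( __FILE__ ) . 'templates/' . $template . '.php';
    include $path;
}

// Hardened pattern: three independent checks, any one of which stops traversal.
function hybrid_load_template_safe( string $template ): bool {
    static $allowed = [ 'header', 'footer', 'sidebar' ];

    // 1. Syntactic: a bare slug only, so no "/", "\", "." or null bytes survive.
    if ( ! preg_match( '/^[a-z0-9_-]+$/', $template ) ) {
        return false;
    }
    // 2. Allowlist: the code decides which templates exist, not the request.
    if ( ! in_array( $template, $allowed, true ) ) {
        return false;
    }
    // 3. Semantic: the resolved path must still sit under the templates directory.
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $path = ( false === $base ) ? false : realpath( $base . '/' . $template . '.php' );
    if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    include $path;
    return true;
}

// An unauthenticated AJAX endpoint is exactly where the request value an attacker
// controls would enter. sanitize_key() already reduces the input to [a-z0-9_-],
// but the loader re-checks rather than trusting its caller.
add_action( 'wp_ajax_nopriv_hybrid_template', function () {
    $name = isset( $_GET['template'] ) ? sanitize_key( wp_unslash( $_GET['template'] ) ) : 'header';
    if ( ! hybrid_load_template_safe( $name ) ) {
        wp_die( 'unknown template', 404 );
    }
    wp_die();
} );
```

The realpath() comparison is the check that matters when symlinks or encoded separators slip past the regex; the allowlist is what keeps a future template directory from becoming an upload-then-include target.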

CVE-2025-2563 User Registration & Membership Plugin prepare_members_data improper authentication

A vulnerability, which was classified as critical, has been found in User Registration & Membership Plugin up to 4.1.1 on WordPress. The identification of this vulnerability is CVE-2025-2563.

CVE-2024-11613 Description, Impact and Technical Details

CVE-2024-11613 is a critical vulnerability affecting the WordPress File Upload plugin. The issue lies in the 'wfu_file_downloader.php' file, where the…

WordPress Plugin Vulnerability Exposes 10,000 Sites to Code Execution Attacks

A critical security flaw in the GiveWP Donation Plugin tracked as CVE-2025-0912, has exposed over 100,000 WordPress websites to unauthenticated remote code execution (RCE) attacks. 

Fix CVE-2025-0180: WP Foodbakery Security Guide

Learn how to protect your WordPress site from the critical CVE-2025-0180 vulnerability in WP Foodbakery plugin. Step-by-step security guide for admins.

W3 Total Cache plugin flaw exposes 1 million WordPress sites to attacks

A severe flaw in the W3 Total Cache plugin installed on more than one million WordPress sites could give attackers access to various information, including metadata on cloud-based apps.

W3 Total Cache Plugin Vulnerability Let Attackers Gain Unauthorized Access to Sensitive Data

A significant security vulnerability has been identified in the W3 Total Cache plugin for WordPress, affecting all versions up to and including 2.8.1.

WordPress Plugin Security Update Advisory (CVE-2024-11613) - ASEC

Overview We have released a security update to address a vulnerability in the WordPress File Upload plugin. Users of affected products are advised to update to the latest version.   Affected Products  CVE-2024-11613 WordPress File Upload Version: ~4.24.15 (inclusive)     Resolved Vulnerabilities Rem...

WordPress Plugin Vulnerability Exposes 3 Million Websites to Injection Attacks

A critical vulnerability has been identified in the popular UpdraftPlus: WP Backup & Migration Plugin, potentially impacting over 3 million WordPress websites.

CERT-In Sounds Alarm On WPForms Plugin Exploit: Update Now

The vulnerability, present in WPForms plugin versions, stems from a missing authorization check in the wpforms_is_admin_page function.

RCE Vulnerability in 1,000,000 WordPress Sites Lets Attackers Gain Control Over Backend

A critical Remote Code Execution (RCE) vulnerability (CVE-2024-6386), affecting over 1,000,000 active installations of the WordPress Multilingual Plugin (WPML) Twig template engine.

Critical WordPress plugin vulnerability under active exploit threatens thousands

Vulnerability with severity rating of 9.8 out of possible 10 still live on >8,000 sites.

WordPress Hunk Companion Plugin Flaw Exploited to Silently Install Vulnerable Plugins

Attackers exploit Hunk Companion vulnerability (CVE-2024-11972) to install flawed plugins, enabling RCE attacks on 10,000+ WordPress sites. Patch imme

Hunk Companion WordPress plugin exploited to install vulnerable plugins

Hackers are exploiting a critical vulnerability in the

WPForms bug allows Stripe refunds on millions of WordPress sites

A vulnerability in WPForms, a WordPress plugin used in over 6 million websites, could allow subscriber-level users to issue arbitrary Stripe refunds or cancel subscriptions.

CVE-2024-11205 Vulnerability Impacts 6M WordPress Sites

CVE-2024-11205 exposes WPForms to unauthorized Stripe refunds and subscription cancellations.
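The WPForms entries above (the missing authorization check in wpforms_is_admin_page, and subscriber-level users issuing refunds) describe a page-context check standing in for a capability check. The following is an added illustration written for this page, not WPForms code; the hook name, the capability, the nonce action and the refund helper are assumptions.

```php
<?php
// Added example for this page, not WPForms code. The hook name, capability,
// nonce action and refund helper are assumptions.

// Stand-in for the call into the payment provider (hypothetical helper).
function myplugin_stripe_refund( int $payment_id ): bool {
    return $payment_id > 0;
}

// Vulnerable pattern: is_admin() only reports whether the request came through
// an admin-side entry point. admin-ajax.php is one, and any logged-in user,
// including a subscriber, can reach every wp_ajax_* action, so this "check"
// grants nothing and a subscriber can refund arbitrary payments.
function refund_handler_vulnerable(): void {
    if ( ! is_admin() ) {
        wp_send_json_error( 'not an admin page', 403 );
    }
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    myplugin_stripe_refund( $payment_id );
    wp_send_json_success();
}

// Hardened pattern: anti-CSRF nonce plus a real capability check.
function refund_handler_safe(): void {
    // 1. The request must carry a nonce minted for this exact action
    //    (wp_create_nonce( 'myplugin_refund' ) on the page that renders the button).
    check_ajax_referer( 'myplugin_refund', 'nonce' );

    // 2. Authorization is a capability question, not a page-context question.
    //    Subscribers do not hold 'manage_options'; use a finer-grained capability
    //    if the plugin registers one for payment staff.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Validate the identifier before it reaches the payment provider.
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    if ( 0 === $payment_id ) {
        wp_send_json_error( 'bad payment id', 400 );
    }
    if ( ! myplugin_stripe_refund( $payment_id ) ) {
        wp_send_json_error( 'refund failed', 500 );
    }
    wp_send_json_success( [ 'payment_id' => $payment_id ] );
}

add_action( 'wp_ajax_myplugin_refund', 'refund_handler_safe' );
```

wp_send_json_error() and wp_send_json_success() both terminate the request, so the handler cannot fall through past a failed check. Registering the action only under wp_ajax_ (and not wp_ajax_nopriv_) keeps anonymous callers out, but that is all it does; the capability check is what separates a subscriber from a site operator.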

Critical Vulnerabilities Found in Anti-Spam Plugin Used by 200,000 WordPress Sites

Two vulnerabilities in the Anti-Spam by CleanTalk WordPress plugin allowed attackers to execute arbitrary code remotely.

CVE-2024-10924, authentication bypass vulnerability in WordPress

Vulnerability CVE-2024-10924 in the Really Simple Security plugin allows an attacker to log onto a WordPress site with administrator rights.

Vulnerability in WP Time Capsule Plugin (CVE-2024-8856) - OP INNOVATE

Critical vulnerability in WP Time Capsule plugin (CVE-2024-8856) allows unauthenticated file uploads, risking full site takeover; update to version 1.22.22 immediately to mitigate threats.

Urgent: Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites

Critical vulnerability (CVE-2024-10924) in Really Simple Security plugin allows attackers admin access to WordPress sites. Over 4 million affected.

Really Simple Security - CVE-2024-10924

Start It’s been almost a year since my last blog post—time really flies! But today, I stumbled upon something that pulled me back to the keyboard: Wordfence just reported a critical vulnerability in the Really Simple Security (Slugs: really-simple-ssl, really-simple-ssl-pro, really-simple-ssl-pro-...

Critical WPLMS WordPress Theme Bug Puts Websites At Risk Of RCE

A newly discovered vulnerability in the WPLMS WordPress theme threatens websites with potential Remote Code Execution (RCE) due to a critical path traversal

Path Traversal Vulnerability In WPLMS WordPress Theme Exposes Websites To RCE  - Cyble

A vulnerability in the WPLMS WordPress theme can put websites at risk of Remote Code Execution.

CVE-2024-9895 Description, Impact and Technical Details

CVE-2024-9895 identifies a vulnerability in the Smart Online Order for Clover plugin for WordPress, affecting all versions up to and including 1.5.7. …

Popular WordPress Caching Plugin Had a Major XSS Vulnerability

The WordPress Caching Plugin had three major XSS vulnerabilities, which have now been fixed by Patchstack. Here's more about it.

Single HTTP Request Can Exploit 6M WordPress Sites

The popular LiteSpeed Cache plug-in is vulnerable to unauthenticated privilege escalation via a dangerous XSS flaw.

Examining the Vulnerabilities in WordPress Plugins – Be3

A recent discovery has unveiled a significant security vulnerability in the LiteSpeed Cache plugin for WordPress, allowing the execution of arbitrary JavaScript code by potential cyber threats. The...

WordPress LiteSpeed Cache Plugin Security Flaw Exposes Sites to XSS Attacks

LiteSpeed Cache plugin vulnerability (CVE-2024-47374) exposes WordPress sites to XSS attacks. Update to version 6.5.1 now.

Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution

Urgent security update for WPML WordPress plugin: Critical flaw allows remote code execution.

Unauthenticated RCE in WordPress Plugin Exposes 100,000 Sites

RCE in WordPress Plugin exposes over 100,000 WordPress sites to potential remote code execution (RCE) attacks.

Remote Code Execution Vulnerability Patched in WPML WordPress Plugin

The popular WordPress Multilingual plugin, WPML, which is installed on over 1,000,000 websites, has patched a Remote Code Execution (RCE) vulnerability (CVE-2024-6386) that researchers have classif…

Code Execution Vulnerability Found in WPML Plugin Installed on 1M WordPress Sites

A critical vulnerability in the WPML WordPress plugin could allow a remote attacker to execute arbitrary code on the server.

Takeovers Likely Across Over 100K WordPress Sites Due to Critical Plugin Bug

SecurityWeek reports that more than 100,000 WordPress websites could be hijacked in intrusions exploiting a maximum severity PHP object injection flaw in the widely used fundraising and donation plugin GiveWP. Such a vulnerability, tracked as CVE-2024-5932, could be leveraged by t...

Takeovers likely across over 100K WordPress sites due to critical plugin bug

Such a vulnerability, tracked as CVE-2024-5932, could be leveraged by threat actors to facilitate PHP object injection and subsequent Property Oriented Programming chain abuse involving the manipulation of deserialized objects for remote code execution and arbitrary file deletion, a report from Defi...

Record Bounty Awarded as Critical Privilege Escalation Vulnerability Patched in LiteSpeed Cache Plugin

The LiteSpeed Cache Plugin, widely used to enhance the speed and performance of WordPress websites, recently patched a critical unauthenticated privilege escalation vulnerability (CVE-2024-28000). …

GiveWP WordPress plugin vulnerability puts more than 100,000 websites at risk

A very serious security hole has been discovered in the GiveWP WordPress plugin for donations and fundraising. This vulnerability exposes more than 100,000 websites to remote code execution attacks. The flaw, tracked as CVE-2024-5932 (CVSS score: 10.0), affects ... ...

Critical GiveWP Vulnerability (CVE-2024-5932) Fixed

The GiveWP vulnerability allowed Remote Code Execution and file deletion. Users are advised to update to version 3.14.2.
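The GiveWP entries above describe PHP object injection: untrusted data reaches unserialize(), and a Property Oriented Programming chain through existing classes turns that into code execution or file deletion. The following is an added illustration written for this page, not GiveWP code; the gadget class, function names and the constructed payload are assumptions that stand in for whatever real classes a chain would reach through the autoloader.

```php
<?php
// Added example for this page, not GiveWP code. Class and function names and
// the payload are assumptions.

// A class with a destructor that acts on its own state. Unserializing attacker
// data into it is enough: __destruct() runs when the object goes out of scope,
// with the properties the attacker chose. This is the simplest form of gadget.
class CleanupTask {
    public string $file = '';
    public function __destruct() {
        if ( '' !== $this->file && is_file( $this->file ) ) {
            unlink( $this->file ); // arbitrary file deletion gadget
        }
    }
}

// Vulnerable pattern: raw request data straight into unserialize().
function restore_donor_meta_vulnerable( string $raw ) {
    return unserialize( $raw );
}

// True if any object survived inside a decoded value (nested arrays are walked).
function contains_object( $value ): bool {
    if ( is_object( $value ) ) {
        return true;
    }
    if ( is_array( $value ) ) {
        foreach ( $value as $item ) {
            if ( contains_object( $item ) ) {
                return true;
            }
        }
    }
    return false;
}

// Hardened pattern: allowed_classes => false turns every serialized object into
// __PHP_Incomplete_Class, whose magic methods never run; then refuse objects
// altogether so only scalars and arrays come back to the caller.
function restore_donor_meta_safe( string $raw ) {
    $data = @unserialize( $raw, [ 'allowed_classes' => false ] );
    if ( false === $data && 'b:0;' !== $raw ) {
        return null; // malformed payload
    }
    if ( contains_object( $data ) ) {
        return null; // objects are never legitimate in this field
    }
    return $data;
}

// Constructed payload of the kind an attacker would submit: a CleanupTask whose
// $file points at the site's configuration file.
$payload = 'O:11:"CleanupTask":1:{s:4:"file";s:13:"wp-config.php";}';

// restore_donor_meta_vulnerable( $payload ) would instantiate CleanupTask and
// delete the file the moment the returned object is discarded.
// restore_donor_meta_safe( $payload ) returns null and no destructor runs.
$result = restore_donor_meta_safe( $payload );
```

Where the stored value is plugin-owned and needs no object semantics, json_encode()/json_decode( $raw, true ) removes the problem entirely, since JSON cannot express a PHP object at all.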

Serious flaw in popular WordPress plugin puts more than 10,000 websites at risk of attack (CVE-2024-6500) | Codebook | Security News

A serious flaw has been found in the popular InPost series of WordPress plugins, exposing more than 10,000 websites to attack (CVE-2024-6500) | OpenAI disrupts an Iranian influence operation targeting the US presidential election

LiteSpeed Cache Plugin Flaw Let Attackers Inject Malicious Code, 5M+ Sites Impacted

The popular LiteSpeed Cache plugin for WordPress has been found vulnerable to a CSRF attack, potentially impacting over 5 million websites.

Unpatched critical vulnerabilities WZone WooCommerce Amazon Affiliates

The WooCommerce Amazon Affiliates (WZone) plugin has multiple severe security vulnerabilities, including an authenticated arbitrary option update (CVE-2024-33549), an unauthenticated SQL injection (CVE-2024-33544), and an authenticated SQL injection (CVE-2024-33546), prompting Patchstack to advise u...

WordPress sites targeted for hijacking with LiteSpeed Cache plugin flaw

More than 1.8 million WordPress sites using an old version of the LiteSpeed Cache plugin are at risk of takeovers amid attacks exploiting a high-severity unauthenticated cross-site scripting vulnerability, tracked as CVE-2023-40000, which have been increasing during the past month, according to Blee...
