WordPress News Articles
Recent news articles referencing the vendor's vulnerabilities.
Attackers actively exploit critical zero-day in Alone WordPress Theme
Hackers exploit a critical vulnerability, tracked as CVE-2025-5394 (CVSS score of 9.8), in the 'Alone' WordPress theme to hijack sites.
3 days ago

Hackers Exploit Critical WordPress Theme Flaw to Hijack Sites via Remote Plugin Install
Critical WordPress flaw CVE-2025-5394 lets attackers take over sites using the "Alone" theme. 120K+ attempts blocked.
3 days ago

WordPress Theme RCE Flaw Actively Exploited to Seize Full Site Control
The vulnerability, tracked as CVE-2025-5394 with a maximum CVSS severity score of 9.8, allows unauthenticated attackers to achieve complete website takeovers through arbitrary file uploads.
4 days ago

WordPress Theme Security Vulnerability Enables Remote Arbitrary Code Execution
A critical security vulnerability has been discovered in the popular "Alone" WordPress theme that allows unauthenticated attackers to execute arbitrary code.
4 days ago

CVE-2025-34085 Element Engage Simple File List Plugin ee-upload-engine.php unrestricted upload
A vulnerability was found in Element Engage Simple File List Plugin up to 4.2.2 on WordPress. It has been classified as critical. This vulnerability is traded as CVE-2025-34085. It is recommended to upgrade the affected component.
4 weeks ago

CVE-2025-30940: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in melipayamak Melipayamak - Live Threat Intelligence - Threat Radar | OffSeq.com
Detailed information about CVE-2025-30940: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in melipayamak Melipayama
1 month ago
Forminator plugin flaw exposes WordPress sites to takeover attacks
The Forminator plugin for WordPress is vulnerable to an unauthenticated arbitrary file deletion flaw that could enable full site takeover attacks.
Vulnerabilities | INCIBE-CERT | INCIBE
CVE-2025-5540 Publication date: 26/06/2025 The Event RSVP and Simple Event Management Plugin plugin for WordPress is vulnerable to Stored...
WordPress Motors theme flaw mass-exploited to hijack admin accounts
Hackers are exploiting a critical privilege escalation vulnerability in the WordPress theme
Vulnerabilities | INCIBE-CERT | INCIBE
CVE-2025-4413 Publication date: 18/06/2025 *** Pending translation *** The Pixabay Images plugin for WordPress is...

Over 100,000 WordPress Sites at Risk from Critical CVSS 10.0 Vulnerability in Wishlist Plugin
CVE-2025-47577 flaw in TI WooCommerce Wishlist lets unauthenticated attackers upload malicious files—no patch yet, 100K+ sites at risk.

WordPress TI WooCommerce Wishlist Plugin Vulnerability Exposes 100,000+ Websites To Cyberattack
CVE-2025-47577 in TI WooCommerce Wishlist plugin lets attackers upload files unauthenticated, risking 100K+ WordPress sites (CVSS 10).
Flawed WordPress theme may allow admin account takeover on 22,000+ sites (CVE-2025-4322) - Help Net Security
A vulnerability (CVE-2025-4322) in the Motors WordPress theme can be easily exploited by unauthenticated attackers to take over accounts.
Premium WordPress 'Motors' theme vulnerable to admin takeover attacks
A critical privilege escalation vulnerability has been discovered in the premium WordPress theme Motors, which allows unauthenticated attackers to hijack administrator accounts and take complete control of websites.
CVE-2025-47539: Critical Eventin WordPress Plugin Vulnerability Puts 10,000+ Sites at Risk
The WordPress Eventin plugin vulnerability has put over 10,000 websites at serious risk. Patch now: 4.0.27. Check out the recommended actions.
CVE-2024-1071 Description, Impact and Technical Details
CVE-2024-1071 is a vulnerability affecting the Ultimate Member plugin used in WordPress versions 2.1.3 to 2.8.2. An SQL Injection flaw is present, all…

CVE-2025-2563 Impact, Exploitability, and Mitigation Steps | Wiz
Understand the critical aspects of CVE-2025-2563 with a detailed vulnerability assessment, exploitation potential, affected technologies, and remediation guidance.

CVE-2025-3776: Remote Code Execution Vulnerability in WordPress TargetSMS Plugin - Cybersecurity Exploit Tracker by Ameeba
Overview The world of cybersecurity is an ever-evolving landscape, with new threats constantly emerging. One such threat that has recently been identified and categorized under the Common Vulnerabilities and Exposures (CVE) system is CVE-2025-3776. This vulnerability affects the WordPress plugin, Ve...

Critical CVE-2025-2636 Vulnerability In InstaWP Connect Plugin
Moroccan authorities warn of a critical vulnerability in the InstaWP Connect plugin for WordPress (CVE-2025-2636).

OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation
A critical OttoKit plugin flaw CVE-2025-3102 exploited within hours lets attackers create admin accounts unchecked.
CVE-2025-2294
The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the e...
Active Exploitation of Critical Vulnerability in WordPress Automatic Plugin
ValvePress has released security updates to address a critical vulnerability (CVE-2024-27956) impacting WordPress Automatic plugin. This vulnerability has a Common Vulnerability Scoring System (CVSSv3) score...
CVE-2025-2294 - Kubio AI Page Builder for WordPress Local File Inclusion Vulnerability
The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the e...

CVE-2025-2294 ExtendThemes Kubio AI Page Builder Plugin file inclusion
A vulnerability was found in ExtendThemes Kubio AI Page Builder Plugin up to 2.5.1 on WordPress and classified as critical. The identification of this vulnerability is CVE-2025-2294.

CVE-2025-2563 User Registration & Membership Plugin prepare_members_data improper authentication
A vulnerability, which was classified as critical, has been found in User Registration & Membership Plugin up to 4.1.1 on WordPress. The identification of this vulnerability is CVE-2025-2563.
CVE-2024-11613 Description, Impact and Technical Details
CVE-2024-11613 is a critical vulnerability affecting the WordPress File Upload plugin. The issue lies in the 'wfu_file_downloader.php' file, where the…

WordPress Plugin Vulnerability Exposes 10,000 Sites to Code Execution Attacks
A critical security flaw in the GiveWP Donation Plugin tracked as CVE-2025-0912, has exposed over 100,000 WordPress websites to unauthenticated remote code execution (RCE) attacks.

Fix CVE-2025-0180: WP Foodbakery Security Guide
Learn how to protect your WordPress site from the critical CVE-2025-0180 vulnerability in WP Foodbakery plugin. Step-by-step security guide for admins.
W3 Total Cache plugin flaw exposes 1 million WordPress sites to attacks
A severe flaw in the W3 Total Cache plugin installed on more than one million WordPress sites could give attackers access to various information, including metadata on cloud-based apps.

W3 Total Cache Plugin Vulnerability Let Attackers Gain Unauthorized Access to Sensitive Data
A significant security vulnerability has been identified in the W3 Total Cache plugin for WordPress, affecting all versions up to and including 2.8.1.

WordPress Plugin Security Update Advisory (CVE-2024-11613) - ASEC
Overview We have released a security update to address a vulnerability in the WordPress File Upload plugin. Users of affected products are advised to update to the latest version. Affected Products CVE-2024-11613 WordPress File Upload Version: ~4.24.15 (inclusive) Resolved Vulnerabilities Rem...

WordPress Plugin Vulnerability Exposes 3 Million Websites to Injection Attacks
A critical vulnerability has been identified in the popular UpdraftPlus: WP Backup & Migration Plugin, potentially impacting over 3 million WordPress websites.

CERT-In Sounds Alarm On WPForms Plugin Exploit: Update Now
The vulnerability, present in WPForms plugin versions, stems from a missing authorization check in the wpforms_is_admin_page function.

RCE Vulnerability in 1,000,000 WordPress Sites Lets Attackers Gain Control Over Backend
A critical Remote Code Execution (RCE) vulnerability (CVE-2024-6386), affecting over 1,000,000 active installations of the WordPress Multilingual Plugin (WPML) Twig template engine.

Critical WordPress plugin vulnerability under active exploit threatens thousands
Vulnerability with severity rating of 9.8 out of possible 10 still live on >8,000 sites.

WordPress Hunk Companion Plugin Flaw Exploited to Silently Install Vulnerable Plugins
Attackers exploit Hunk Companion vulnerability (CVE-2024-11972) to install flawed plugins, enabling RCE attacks on 10,000+ WordPress sites. Patch imme
Hunk Companion WordPress plugin exploited to install vulnerable plugins
Hackers are exploiting a critical vulnerability in the
WPForms bug allows Stripe refunds on millions of WordPress sites
A vulnerability in WPForms, a WordPress plugin used in over 6 million websites, could allow subscriber-level users to issue arbitrary Stripe refunds or cancel subscriptions.

CVE-2024-11205 Vulnerability Impacts 6M WordPress Sites
CVE-2024-11205 exposes WPForms to unauthorized Stripe refunds and subscription cancellations.
Critical Vulnerabilities Found in Anti-Spam Plugin Used by 200,000 WordPress Sites
Two vulnerabilities in the Anti-Spam by CleanTalk WordPress plugin allowed attackers to execute arbitrary code remotely.

CVE-2024-10924, authentication bypass vulnerability in WordPress
Vulnerability CVE-2024-10924 in the Really Simple Security plugin allows an attacker to log onto a WordPress site with administrator rights.

Vulnerability in WP Time Capsule Plugin (CVE-2024-8856) - OP INNOVATE
Critical vulnerability in WP Time Capsule plugin (CVE-2024-8856) allows unauthenticated file uploads, risking full site takeover; update to version 1.22.22 immediately to mitigate threats.

Urgent: Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites
Critical vulnerability (CVE-2024-10924) in Really Simple Security plugin allows attackers admin access to WordPress sites. Over 4 million affected.
Really Simple Security - CVE-2024-10924
Start It’s been almost a year since my last blog post—time really flies! But today, I stumbled upon something that pulled me back to the keyboard: Wordfence just reported a critical vulnerability in the Really Simple Security (Slugs: really-simple-ssl , really-simple-ssl-pro, really-simple-ssl-pro-...

Critical WPLMS WordPress Theme Bug Puts Websites At Risk Of RCE
A newly discovered vulnerability in the WPLMS WordPress theme threatens websites with potential Remote Code Execution (RCE) due to a critical path traversal

Path Traversal Vulnerability In WPLMS WordPress Theme Exposes Websites To RCE - Cyble
A vulnerability in the WPLMS WordPress theme can put websites at risk of Remote Code Execution.
CVE-2024-9895 Description, Impact and Technical Details
CVE-2024-9895 identifies a vulnerability in the Smart Online Order for Clover plugin for WordPress, affecting all versions up to and including 1.5.7. …

Popular WordPress Caching Plugin Had a Major XSS Vulnerability
The WordPress Caching Plugin had three major XSS vulnerabilities, which have now been fixed by Patchstack. Here's more about it.