Attackers Hijack Popular WordPress Plugins to Deploy Backdoors
Tampered OptinMonster and sister plugins plant hidden backdoors on 1.2 million WordPress sites
WordPress is a content management platform whose core, plugins, and themes can contain vulnerabilities that expose websites, accounts, and data.
Search across headline titles and summaries.
Background for this topic.
WordPress is an open-source content management system (CMS) used to publish and manage websites. A site typically combines WordPress core with independently developed plugins and themes, which extend functionality but create a diverse and changing software supply chain. Its security therefore depends not only on the core software, but also on the quality, maintenance, and configuration of those extensions.
Security-relevant issues include exploitable vulnerabilities in core, plugins, or themes; weak or reused administrator credentials; and exposed or poorly configured administrative and API interfaces. Attackers may use these paths to alter content, install malicious code, or access site data. Administrators should track advisories and affected versions, apply updates through a controlled process, remove unsupported extensions, enforce strong authentication and least privilege, and keep protected, tested backups. Monitoring and log review help identify unauthorized changes and support recovery when compromise is suspected.
Weekly headline count for the current query.
Tampered OptinMonster and sister plugins plant hidden backdoors on 1.2 million WordPress sites
Critical Everest Forms Pro RCE flaw exploited to create rogue WordPress admin accounts
Avada Builder flaws allowed file read and SQL injection on one million WordPress sites
Ninja Forms File Upload RCE via unauthenticated arbitrary file upload; update to 3.3.27 immediately
Over 250 legitimate websites, including news outlets and a US Senate candidate’s official webpage, been compromised to infect visitors with infostealers, warn Rapid7 researchers
40,000 WordPress sites are vulnerable to SQL injection in Quiz and Survey Master plugin
Security flaw in RealHomes CRM plugin allowed file uploads; patches released for 30,000+ sites
A critical flaw in the Motors WordPress theme affecting more than 20,000 installations allows low-privileged users to gain full control of websites
Wordfence says threat actors are trying to exploit three critical vulnerabilities from 2024
A flaw in the Slider Revolution plugin has exposed millions of WordPress sites to unauthorized file access
A vulnerability in the WordPress Paid Memberships Subscription plugin could lead to unauthenticated SQL injection on affected sites
10,000 WordPress sites vulnerable to takeover due to critical flaws in HT Contact Form Widget plugin
A severe flaw identified in the Forminator WordPress plugin allows arbitrary file deletion and potential site takeover
A long-running malware campaign targeting WordPress via a rogue plugin has been observed skimming data, stealing credentials and user profiling
Vulnerability in PayU CommercePro plugin allows account hijacking on thousands of WordPress sites
New WordPress malware disguised as a plugin gives attackers persistent access and injects malicious code enabling administrative control
Flaw in SureTriggers plugin allows unauthenticated users to create admin accounts on WordPress sites
An arbitrary file upload vulnerability in the Chaty Pro plugin has been identified, affecting 18,000 WordPress sites
Elementor plugin flaw puts 2m WordPress websites at risk, allowing XSS attacks via malicious scripts
A flaw in the Jupiter X Core plugin has been identified, allowing upload of malicious SVG files and remote code execution on vulnerable servers