WordPress

- Critical Kirki flaw lets attackers take over WordPress admin accounts
  Hackers are exploiting a critical flaw in the Kirki WordPress plugin to hijack user accounts, including admins, with more than 222 attack attempts blocked in 24 hours, according to Wordfence.
- WordPress WP Maps Pro flaw under active attack, 2,858 attempts blocked
  A critical WP Maps Pro flaw is being actively exploited to create WordPress administrator accounts, with Wordfence blocking 2,858 attacks in 24 hours. The issue affects versions through 6.1.0 and was fixed in 6.1.1.
- Avada Builder WordPress flaws could expose site credentials, database data
  Two flaws in the Avada Builder WordPress plugin could let attackers read server files or pull data from the database. The issues affect versions through 3.15.2 and 3.15.1, and site owners were urged to upgrade to 3.15.3.
- Australia warns of ClickFix attacks spreading Vidar Stealer malware
  Australia’s cyber security agency warned of a ClickFix campaign using compromised WordPress sites to push Vidar Stealer. The advisory recommends restricting PowerShell, using allow-listing and updating WordPress plugins and themes.
- WordPress redirect plugin hid dormant backdoor for years
  A WordPress redirect plugin installed on more than 70,000 sites hid a dormant backdoor for years, according to a technical analysis by Anchor. The issue involved a hidden update path and a tampered build from an external server.
- WordPress plugin suite hacked to push malware to thousands of sites
  More than 30 WordPress plugins in the EssentialPlugin package were compromised with malicious code, affecting hundreds of thousands of installations. The malware could push spam pages and redirects, and WordPress.org issued a forced update.
- Hackers exploit critical Ninja Forms WordPress flaw, Wordfence says
  Hackers are exploiting a critical flaw in the Ninja Forms File Uploads WordPress add-on that can allow arbitrary file uploads and remote code execution. Wordfence said it blocked more than 3,600 attacks in 24 hours, and the vendor has released a fix.
- Critical RCE flaw in WPvivid Backup & Migration affects more than 900,000 installs
  A critical RCE vulnerability in the WPvivid Backup & Migration plugin impacts versions up to 0.9.123 and more than 900,000 installs. Upgrade to version 0.9.124 to remediate CVE-2026-1357.
- Critical ACF Extended bug lets attackers gain admin on about 50,000 WordPress sites
  A flaw in ACF Extended allows unauthenticated attackers to gain administrator privileges. The bug, CVE-2025-14533, affects versions 0.9.2.1 and earlier. About 50,000 sites may still be exposed. Update to 0.9.2.2.