Exploit WordPress Arigato Autoresponder and Newsletter v2.5.1.8

And yet another WordPress commercial plugin gets exploited in the wild, as Wordfence security analysts identified attackers exploiting vulnerabilities in outdated versions of a commercial WordPress plugin since the end of january. In this case the fairly popular WP Cost Estimation & Payment Forms Builder plugin developed by Loopus…

Total Donations is a commercial plugin that helps sites create donation campaigns and accept payments from their visitors and is currently used by many non-profit and political organizations who want to accept donations from donors using a donation form. Attacks on the Total Donations plugins have been tracked over…

Researchers of the Threat Intelligence team of WordFence have warned on Tuesday that WordPress plugin WP Database Backup contains a critical vulnerability. The developer has since patched this flaw.

Ad Inserter is a popular WordPress plugin for managing advertisements. Last week it appeared that version 2.4.21 and below of the plugin contains two critical vulnerabilities. The developer has since released an update to patch the vulnerabilities. Users are advised to update as quickly as possible.

The Rich Reviews plugin was removed from the WordPress.org directory on March 11, 2019. This was done due to a security issue. It appears that there is still active abuse of the XSS vulnerability found in the plugin. Wordfence estimates that the plugin has around 16,000 active installations. These…

WordPress 4.2.3 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

Attackers are hijacking vulnerable home routers to launch attacks against WordPress sites. The attacks exploit two flaws in the TR-069 router management protocol to send malicious requests to port 7547. Experts have been advising home users to limit access to port 7547. Internet service providers (ISPs) could take steps…

Serious vulnerabilities in at least 11 plugins for WordPress are currently being used in an ongoing malware campaign that appears to have started last month. However, the group appears to have changed their tactics two weeks ago. Mikey Veenstra reported on the WordFence website.

WordPress 4.7.2 was released last Thursday, January 26th. WordPress have just announced that In addition to the three security vulnerabilities mentioned in the original release post, WordPress 4.7 and 4.7.1 had one additional vulnerability for which disclosure was delayed.

A vulnerability in a popular WordPress plugin called the WooCommerce Checkout Manager is potentially putting more than 60,000 websites at risk, researchers say. The WooCommerce Checkout Manager plugin allows WooCommerce users to customize and manage the fields on their checkout pages. The plugin, owned by Visser Labs, is separate…

WPBrigade, the developer behind the Simple Social Buttons plugin, have just released a fix to a critical vulnerability. This vulnerability allows an attacker to completely take over a website.

Researchers have found a serious bug in the WP Live Chat Support plugin. This is the second time in six weeks that a vulnerability has been found in the plugin which is being used on thousands of WordPress websites. The latest bug allows hackers to inject their own code…

An exploit was discovered in The Media File Manager plugin version 1.4.2 for WordPress. This vulnerability allows for directory traversal and the initiation of a remote cross site scripting (XSS) attack via the dir parameter of the mrelocator_getdir function of the file wp-admin/admin-ajax.php. A working exploit has been dislosed.

A Cross-site scripting vulnerability was found in WordPress plugin spam-byebye with all versions up to version 2.2.1 reported vulnerable. It is possible to launch this attack remotely and it allows for the injection of arbitrary web scripts or HTML via unspecified vectors. This would alter the appearance and would…

WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. This release addresses three issues, including two cross-site scripting vulnerabilities and a potential privilege escalation.