Media File Manager plugin for WordPress exploited

Three vulnerabilities in LearnPress prior to version 3.1.0 have been discovered. LearnPress is a popular plugin with more than 50.000 installations for the WordPress CMS that can be used to create and sell courses online. LearnPress is similar to Moodle, an open source learning platform.

A Cross-site scripting vulnerability was found in WordPress plugin spam-byebye with all versions up to version 2.2.1 reported vulnerable. It is possible to launch this attack remotely and it allows for the injection of arbitrary web scripts or HTML via unspecified vectors. This would alter the appearance and would…

The Arigato Autoresponder and Newsletter by Kiboko Labs plugin allows scheduling of automated autoresponder messages and newsletters, and managing a mailing list. You can add/edit/delete and import/export members. There is also a registration form which can be placed in any website or blog.

A serious vulnerability has been discovered in older versions of the popular Code Snippets plugin for WordPress. The flaw allowed anybody to forge a request on behalf of an administrator and inject executable code on a vulnerable site. This is a Cross-Site Request Forgery (CSRF) to Remote Code Execution…

Researchers have found a serious bug in the WP Live Chat Support plugin. This is the second time in six weeks that a vulnerability has been found in the plugin which is being used on thousands of WordPress websites. The latest bug allows hackers to inject their own code…

A vulnerability in a popular WordPress plugin called the WooCommerce Checkout Manager is potentially putting more than 60,000 websites at risk, researchers say. The WooCommerce Checkout Manager plugin allows WooCommerce users to customize and manage the fields on their checkout pages. The plugin, owned by Visser Labs, is separate…

The popular WordPress plugin, Social Network Tabs, which has been downloaded over 53.000 times in the past 7 years and is used to help users share content on social media sites, left thousands of linked Twitter accounts exposed to compromise.

WordPress 4.7.2 was released last Thursday, January 26th. WordPress have just announced that In addition to the three security vulnerabilities mentioned in the original release post, WordPress 4.7 and 4.7.1 had one additional vulnerability for which disclosure was delayed.

WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. This release addresses three issues, including two cross-site scripting vulnerabilities and a potential privilege escalation.

The popular GDPR Cookie Consent plugin, which has been downloaded over 700.000 times, was temporarily removed from the WordPress.org plugin repository earlier this week after the developer was notified of a critical bug. Two days later (on February 10) a new version 1.8.3 was released. This new version contains…

Ad Inserter is a popular WordPress plugin for managing advertisements. Last week it appeared that version 2.4.21 and below of the plugin contains two critical vulnerabilities. The developer has since released an update to patch the vulnerabilities. Users are advised to update as quickly as possible.

Total Donations is a commercial plugin that helps sites create donation campaigns and accept payments from their visitors and is currently used by many non-profit and political organizations who want to accept donations from donors using a donation form. Attacks on the Total Donations plugins have been tracked over…

Researchers at Imperva have found that the overall number of new vulnerabilities in Content Management Systems in 2018 (17,142) has increased by 21% compared to 2017 (14,082) and by 159% compared to 2016 (6,615). WordPress-related vulnerabilities have exploded and have seen a staggering 300% increase in 2018 compared to…

WordPress 3.8.2 is now available. This is an important security release for all previous versions and we strongly encourage you to update your sites immediately. This releases fixes a weakness that could let an attacker force their way into your site by forging authentication cookies. This was discovered and…

Serious vulnerabilities in at least 11 plugins for WordPress are currently being used in an ongoing malware campaign that appears to have started last month. However, the group appears to have changed their tactics two weeks ago. Mikey Veenstra reported on the WordFence website.