#WordPress
8 stories taggedWordPress.

ShapedPlugin's Update Channel Hijacked, Pro Plugins Shipped with Backdoor
Attackers slipped malicious code into licensed Pro releases by compromising the vendor's own build pipeline — a clean supply-chain hit on WordPress installs.

Gravity SMTP Flaw Under Active Exploitation, Leaks API Keys and OAuth Tokens
CVE-2026-4020 lets unauthenticated attackers pull secrets from roughly 100,000 WordPress installs running the mail plugin.

Operation Endgame Sweep Takes Down SocGholish Loader Infrastructure
Dutch-led coalition disrupts servers and remediates 14,971 compromised WordPress sites, in the latest tranche of the multinational takedown effort.

Trusted Plugin Scripts Weaponized in Admin-Aware WordPress Supply-Chain Hit
Tampered JavaScript served from PushEngage, OptinMonster and TrustPulse fingerprinted logged-in admins before silently provisioning rogue accounts and a stealth plugin.

Everest Forms Pro RCE Under Active Exploitation on WordPress Sites
CVE-2026-3300 carries a 9.8 CVSS. Attackers are using it to take over sites running unpatched versions of the premium form-builder plugin.

Privilege Escalation Attacks Hit Kirki and Burst Statistics WordPress Plugins
Threat actors are actively exploiting flaws in two widely-used WordPress plugins to grab admin access and seize site control.

Unauthenticated Admin-Account Bug in WP Maps Pro Draws Active Exploitation
CVE-2026-8732 lets attackers create administrator accounts without credentials — and exploitation is already underway against live WordPress installations.

Attackers Hammer WP Maps Pro Flaw to Mint Admin Accounts on WordPress Sites
A critical bug in the 15,000-install Envato plugin is being weaponized in the wild to seed rogue administrators.