Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label WordPress. Show all posts
WordPress
Cyber Attacks gravity forms Plugin Supply Chain Attack WordPress

WordPress Plugin Breach: Hackers Gain Control Through Manual Downloads

 



A serious cyberattack recently targeted Gravity Forms, a widely used plugin for WordPress websites. This incident, believed to be part of a supply chain compromise, resulted in infected versions of the plugin being distributed through manual installation methods.

What is Gravity Forms and Who Uses It?

Gravity Forms is a paid plugin that helps website owners create online forms for tasks like registrations, contact submissions, and payments. According to the developer, it powers around a million websites, including those of well-known global companies and organizations.

What Went Wrong?

Cybersecurity researchers from a security firm reported suspicious activity tied to the plugin’s installation files downloaded from the developer’s website. Upon inspection, they discovered that the file named common.php had been tampered with. Instead of functioning as expected, the file secretly sent a request to an unfamiliar domain, gravityapi.org/sites.

Further investigation showed that the altered plugin version quietly collected sensitive data from the infected websites. This included website URLs, admin login paths, installed plugins, themes, and details about the PHP and WordPress versions in use. All this information was then sent to the attackers’ server.

The attack didn’t stop there. The malicious file also downloaded more harmful code disguised as a legitimate WordPress file, storing it in a folder used by the platform’s core features. This hidden code allowed hackers to run commands on the server without needing to log in, essentially giving them full access to the website.

How Did This Affect Site Owners?

The threat mainly impacted those who manually downloaded Gravity Forms versions 2.9.11.1 and 2.9.12 between July 10 and July 11. Developers confirmed that websites which installed the plugin using automated updates from within WordPress were not affected.

In the infected versions, the malware not only blocked future update attempts but also communicated with a remote server to bring in more malicious code. In some cases, the attack even created a secret admin account giving the hackers complete control over the website.

What Should Website Admins Do Now?

The plugin's developer has released a statement acknowledging the issue and has provided instructions to help website owners detect and remove any signs of infection. Users who downloaded the plugin manually during the affected timeframe are strongly advised to reinstall a clean version and scan their websites thoroughly.

Cybersecurity experts also recommend checking for suspicious files and unknown administrator accounts. The domains used in this attack were registered on July 8, suggesting that this breach was carefully planned.

This incident highlights the growing risk of supply chain attacks in the digital world. It serves as a reminder for website administrators to rely on trusted update channels and monitor their sites regularly for any unusual activity.
Read more »
WordPress
Big Fix Technology TI WooCommerce Website WordPress

Critical Bug in E-commerce Website, Over 10000 Customers Impacted


WordPress plugin exploit

Cybersecurity experts have found a critical unpatched security vulnerability impacting the TI WooCommerce Wishlist plugin for WordPress that unauthorized threat actors could abuse to upload arbitrary files.

TI WooCommerce Wishlist has more than 100,000 active installations. It allows e-commerce website users to save their favorite products for later and share the lists on social media platforms. According to Patchstack researcher John Castro, “The plugin is vulnerable to an arbitrary file upload vulnerability which allows attackers to upload malicious files to the server without authentication.”

About the vulnerability 

Labeled as CVE-2025-47577, the vulnerability has a CVSS score of 10.0 (critical), it impacts all variants of the plugin below 2.92 released on November 29, 2024. Currently, there is no patch available. 

According to the security company, the issue lies in a function called "tinvwl_upload_file_wc_fields_factory," which uses another native WordPress function "wp_handle_upload" to validate but sets the override parameters “test_form” and “test_type” to “false.” 

The "test_type" override checks whether the Multipurpose Internal Mail Extension (MIME) file type is as expected, while the “test_form” verifies whether the $_POST['action'] parameter is correct. 

When setting "test_type," it permits the file type validation to escape effectively, permitting any file type to be uploaded. 

Reading the calendar

The TIWooCommerce Wishlist plugin is an extension for WooCommerce stores that lets users create and manage wishlists, sharing and saving their wishlist products. 

Apart from social sharing options, the plugin has AJAX-based functionality and multiple-wishlist support in the premium variant, email alerts, etc. 

Impact of attack

The scale of the potential attack surface is massive. A major concern is that these are ecommerce sites, where customers spend money, this can compound the risk. 

Currently, the latest variant of the plugin is 2.9.2, last updated 6 months ago. As the patch has not yet been released, concerned users are advised to deactivate and remove the plugin until a fix is issued.

The good thing here is that effective compromise is only possible on sites that also contain the WC Fields Factory plugin deployed and active, and the integration is active on the TI WooCommerce Wishlist plugin. This can make things difficult for threat actors. 

Read more »
WordPress
Cyber Security Patchstack Plugin Software Updates WordPress

Hackers Target WordPress Plugin Just Hours After Security Weakness Revealed

 



A newly found security issue in a widely used WordPress tool called OttoKit (previously called SureTriggers) has opened the door for cybercriminals to take over websites. Within just a few hours of the problem being shared publicly, hackers began trying to take advantage of it.

OttoKit is a plugin that helps website owners link their WordPress sites with other services such as Google Sheets, Mailchimp, or online stores like WooCommerce. This tool makes it easy to create automated actions—like sending emails or updating customer lists—without needing to write any code. Over one lakh websites currently rely on this plugin.

The major issue, which affects all versions up to 1.0.78, allows outsiders to get into a website without logging in. This means attackers can skip the usual login checks and gain access to important parts of the site.

The root of the problem comes from how the plugin handles security keys. If the plugin was set up without an API key, the internal “secret code” remains blank. Hackers can then send a fake request without any real login details, and the system mistakenly lets them in.

This bug lets bad actors create new admin-level users, giving them the ability to fully control the site— change settings, install software, or even lock the real owner out.

A cybersecurity researcher who goes by the name 'mikemyers' discovered this error and reported it responsibly. On April 3, the plugin creators fixed the issue and released an updated version, 1.0.79, which closes the security hole.

Unfortunately, attackers were fast to act. Experts from Patchstack, a company that tracks WordPress security, said they noticed the first hacking attempts just four hours after the bug was made public. Hackers used automated tools to create random admin accounts, hoping to break into websites that hadn’t yet been updated.

This case highlights how important it is to quickly install software updates, especially when they fix security flaws.

If your site uses OttoKit or SureTriggers, it is strongly advised to upgrade to version 1.0.79 immediately. Also, check your user accounts for anything unusual—like new admins you didn’t create as well as any strange activity involving plugins, themes, or database access.

Read more »
WordPress
CMS Internet Malicious Codes malware WordPress

Hackers Exploit WordPress Logins, Secretly Run Codes

Hackers Exploit WordPress Logins, Secretly Run Codes

Threat actors are exploiting the Wordpress mu-plugins ("Must-Use Plugins") directory to secretly execute malicious code on each page while avoiding detection. 

The technique was first observed by security researchers at Sucuri in February 2025, but adoption rates are on the rise, with threat actors now utilizing the folder to run three distinct types of malicious code.

Talking about the increase in mu-plugins infections, Sucuri's security analyst Puja Srivastava said, “attackers are actively targeting this directory as a persistent foothold.”

About "Must-have" malware

Must-Use Plugins are a kind of WordPress plugin that automatically runs on every page load without the need to be activated in the admin dashboard.  Mu-plugins are files stored in the 'wp-content/mu-plugins/' and are not listed in the regular “Plugins” admin page, except when the “Must-Use” filter is checked. 

They have genuine use cases like implementing site-wide functionality for custom security rules, dynamically changing variables/codes, and performance tweaks. But as these plugins run every page load and aren’t shown in the standard plugin list, hackers can exploit them to secretly run a variety of malicious activities like injecting malicious code, changing HTML output, or stealing credentials. 

Sucuri found three payloads that hackers are deploying in the mu-plugins directory, suspected to be a part of a larger money aimed campaign.

According to Sucuri, these include:

Fake Update Redirect Malware: Detected in the file wp-content/mu-plugins/redirect.php, this malware redirected site visitors to an external malicious website.

Webshell: Found in ./wp-content/mu-plugins/index.php, it allows attackers to execute arbitrary code, granting them near-complete control over the site.

A spam injector: a spam injection script located in wp-content/mu-plugins/custom-js-loader.php. This script was being used to inject unwanted spam content onto the infected website, possibly to boost SEO rankings for malicious actors or promote scams.

How do you spot it?

A few obvious signs can help to spot this malware. One unusual behavior on the site is unauthorized user redirections to external malicious websites. Secondly, malicious files with weird names appear inside the mu-plugins directory, spoofing real plugins. Third, site admins may observe “elevated server resource usage with no clear explanation, along with unexpected file modifications or the inclusion of unauthorized code in critical directories,” according to Sucuri.

Read more »
WordPress
Hacking Internet Plugins Technology Website WordPress

Hackers Exploit WordPress Sites to Attack Mac and Windows Users


According to security experts, threat actors are abusing out-of-date versions of WordPress and plug-ins to modify thousands of sites to trap visitors into downloading and installing malware.

In a conversation with cybersecurity news portal TechCrunch, Simon Wijckmans, founder and CEO of the web security company c/side, said the hacking campaign is still “very much live”.

Spray and pray campaign

The hackers aim to distribute malware to loot passwords and sensitive data from Mac and Windows users. According to c/side, a few hacked websites rank among the most popular ones on the internet. Reporting on the company’s findings, Himanshu Anand believes it is a “widespread and very commercialized attack” and told TechCrunch the campaign is a “spray and pray” cyber attack targeting website visitors instead of a specific group or a person.

After the hacked WordPress sites load in a user’s browser, the content immediately turns to show a false Chrome browser update page, asking the website visitor (user) to download and install an update to access the website, researchers believe. 

Users tricked via fake sites

When a visitor agrees to the update, the compromised website will ask the user to download a harmful malware file disguised as the update, depending on whether the visitor is a Mac or Windows user. Researchers have informed Automattic (the company) that makes and distributes Wordpress.com about the attack campaign and sent a list of harmful domains. 

According to TechCrunch, Megan Fox, spokesperson for Automattic, did not comment at the time of press. Later, Automattic clarified that the security of third-party plugins is the responsibility of WordPress developers.

“There are specific guidelines that plugin authors must consult and adhere to ensure the overall quality of their plugins and the safety of their users,” Ms Fox told TechCrunch. “Authors have access to a Plugin Handbook which covers numerous security topics, including best practices and managing plugin security,” she added. 

C/side has traced over 10,000 sites that may have been a target of this hacking campaign. The company found malicious scripts on various domains by crawling the internet, using a reverse DNS lookup to find domains and sites linked with few IP addresses which exposed a wider number of domains hosting malicious scripts. TechCrunch has not confirmed claims of C/side’s data, but it did find a WordPress site showing malicious content earlier this week.

Read more »
WordPress
CMS Cyber incidents Cyber Security Cyberattacks CyberCrime CyberThreat database Magento WordPress

Sophisticated Credit Card Skimmer Malware Targets WordPress Checkout Pages

 


Recent cybersecurity reports have highlighted a new, highly sophisticated credit card skimmer malware targeting WordPress checkout pages. This stealthy malware embeds malicious JavaScript into database records, leveraging database injection techniques to effectively steal sensitive payment information. Its advanced design poses significant risks to e-commerce platforms and their users. 
  
Widespread Impact on E-Commerce Platforms 
 
Multiple content management systems (CMS), including WordPress, Magento, and OpenCart, have been targeted by the Caesar Cipher Skimmer. This web skimmer enables the theft of payment data, threatening the financial security of businesses and consumers alike. 

Web skimmers are malicious scripts injected into e-commerce websites to collect financial and payment transaction details. According to cybersecurity firm Sucuri, a recent attack involved modifying the "form-checkout.php" file in the WooCommerce plugin to steal credit card information.
  • Consequences: Financial losses, reputational damage, and legal expenses.
  • Detection Difficulty: Often remains unnoticed until after the damage has occurred.

Signs of a compromised WooCommerce site include customer reports of stolen credit card details. This typically suggests malware capable of skimming customer credentials, warranting immediate investigation and remediation. 

On May 11, 2024, Sucuri identified a campaign misusing the "Dessky Snippets" WordPress plugin, which allows users to add custom PHP code. With over 200 active installations, the plugin was exploited by threat actors to inject malicious PHP code for credit card theft.
  • Attack Vectors: Exploiting plugin vulnerabilities and weak admin credentials.
  • Further Exploitation: Installing additional plugins to escalate malicious activities.
Database-Level Malware Infiltration 

Using the Dessky Snippets plugin, attackers deployed server-side PHP malware that embedded obfuscated JavaScript in the WordPress database.
  • Location: Stored in the wp_options table under widget_block.
  • Activation Trigger: Executes on pages containing "checkout" in the URL, avoiding pages with "cart."
Stealth and Strategic Execution The malware activates only during the final transaction stage, intercepting sensitive financial data without disrupting the user experience.
  • Integration: Utilizes existing payment fields to avoid detection.
  • Stealth Tactics: Remains hidden from standard file-scanning tools.

To conceal its activities, the malware encrypts stolen data using Base64 encoding and AES-CBC encryption. The encrypted data is discreetly sent to attacker-controlled servers via the navigator.sendBeacon function, ensuring stealthy exfiltration without alerting users or administrators. Severe Security Implications This malware poses a critical threat by covertly harvesting sensitive payment information, including credit card numbers and CVV codes.
  • Potential Risks: Fraudulent transactions, identity theft, and illegal data sales.
  • Impact on Businesses: Financial losses, legal liabilities, reputational damage, and erosion of customer trust.
Mitigation and Security Best Practices 
 
To counter such threats, e-commerce platforms must implement robust cybersecurity measures:
  • Regular monitoring of website activity for unusual behavior.
  • Timely updates of all plugins and platform software.
  • Proactive vulnerability management and penetration testing.
  • Strong admin credentials and limited plugin installations.
Staying vigilant and proactive in cybersecurity practices is essential to safeguarding sensitive customer data and maintaining the integrity of e-commerce operations.
Read more »
WordPress
fake websites Financial Fraud phishing PhishWP WordPress

Hackers Use PhishWP to Steal Payment Info on WordPress Sites

 



Cybersecurity researchers have uncovered a malicious WordPress plugin called PhishWP that transforms legitimate websites into tools for phishing scams. This plugin allows attackers to set up fake payment pages mimicking trusted services like Stripe, tricking users into divulging sensitive details, including credit card numbers, expiration dates, billing information, and even one-time passwords (OTPs) used for secure transactions. 


How PhishWP Works

PhishWP works by setting up fake WordPress sites or hacking into legitimate ones. It then generates phishing checkout pages that closely mimic real payment interfaces. Victims receive this interface with false site addresses, where they enter sensitive financial information, including security codes and OTPs.

The stolen data is sent to attackers in real time because the plugin integrates with Telegram. Therefore, attackers can use or sell the information almost immediately. The browser details captured by PhishWP include IP addresses and screen resolutions, which attackers can use for future fraudulent activities.


Key Features 

What has made the phishing plugin more advanced is that it ensures operations are seamless and almost undetectable. 

Realistic Payment Interfaces: The plugin mimics the appearance of trusted services like Stripe.  

3D Secure Code Theft: It fetches the OTP sent to everyone in the verification processes to successfully process fraudulent transactions.

Real-time Data Transfer: Telegram is used to send stolen information to attackers in real time.  

Customizable and Worldwide: Multi-language support and obfuscation features enable phishing attacks across the globe.  

Fake Confirmations: Victims receive fake emails that confirm purchases, which delays the suspicion.  


Step-by-Step Analysis  

1. Setup: Attackers either hack a legitimate WordPress site or create a fake one.

2. Deceptive Checkout: PhishWP personalizes payment pages to resemble actual processors. 

3. Data Theft: Victims unknowingly provide sensitive information, including OTPs. 

4. Exploitation: The stolen data is immediately sent to attackers, who use it for unauthorized transactions or sell it on dark web markets.


How to Protect Yourself

To avoid falling victim to threats like PhishWP:  

1. Verify website authenticity before entering payment details.  

2.  Look for secure connections (HTTPS) and valid security certificates.  

3. Use advanced tools like SlashNext’s Browser Phishing Protection, which blocks malicious URLs and identifies phishing attempts in real time.

Protecting your personal and financial data begins with understanding how cyberattacks work, don’t let hackers take the upper hand.



Read more »
WordPress
ClearFake infostealers Plugins Vulnerabilities and Exploits WordPress

Infostealer-Injecting Plugins infect Thousands of WordPress Sites

 

Hackers are using WordPress sites to install malicious plugins that propagate malware that steals information by displaying fake updates and errors.

Infostealing malware has become a global nuisance for security defenders in recent years, as compromised credentials are used to infiltrate networks and steal data. 

Since 2023, a malicious campaign known as ClearFake has been used to display bogus web browser update banners on compromised sites that spread data-stealing malware. 

A new campaign named ClickFix was launched in 2024; it is quite similar to ClearFake, but it poses as software error warnings with fixes included. These "fixes" are actually PowerShell scripts that, when executed, will download and install malware that steals data. 

This year has seen a rise in ClickFix attacks, in which threat actors hack websites to show banners displaying fake issues for Facebook, Google Meet conferences, Google Chrome, and even captcha pages. 

Malicious WordPress plugins

Last week, GoDaddy disclosed that the ClearFake/ClickFix threat actors had infiltrated over 6,000 WordPress sites, installing malicious plugins that displayed the fake alerts associated with these operations. 

"The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins," notes GoDaddy security researcher Denis Sinegubko. "These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users.” 

Sucuri, a website security firm, has also identified a fraudulent plugin called "Universal Popup Plugin" as part of this operation. When installed, the malicious plugin will hook into various WordPress activities, depending on the type, and inject a malicious JavaScript script into the site's HTML.

Sinegubko's analysis of web server access logs indicates that the threat actors are using stolen admin credentials to enter into the WordPress site and install the plugin in an automated manner. Threat actors log in with a single POST HTTP request rather than first accessing the site's login page. This shows that the process is automated after the credentials have been received. 

Although it's unknown how the threat actors are getting the credentials, the researcher points out that it might be through information-stealing malware, phishing, and brute force attempts in the past.
Read more »
Subscribe to: Comments (Atom)