Skip to content
The Nexus
DossierENTITY

WordPress

Coverage of WordPress in the Nexus archive.

Earliest in view: Apr 7 · 22:03 UTCMost recent: Jul 6 · 17:50 UTC
Co-mentioned in this coverage
Recent coverage
  • SECURITYJul 6 · 17:50 UTCCYBERSCOOP
    US Army websites defaced with pro-Kurdish sentiments, insults to Trump

    US Army websites oil.army.mil and ai2c.army.mil were defaced with pro-Kurdish messages and insults targeting President Donald Trump and Ambassador Tom Barrack. The defacements, achieved via 404 hijacking, affected error pages on subdomains hosted on WordPress and Microsoft cloud infrastructure. The Army took the sites offline, stating they were hosted on a legacy third-party platform unrelated to its enterprise network.

  • SECURITYJun 20 · 09:56 UTCTHE HACKER NEWS
    Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

    Hackers are exploiting a patched security flaw in the Gravity SMTP WordPress plugin, affecting approximately 100,000 sites. The vulnerability, CVE-2026-4020, is a medium-severity information disclosure flaw allowing unauthenticated attackers to extract sensitive data like API keys and OAuth tokens.

  • SECURITYJun 19 · 20:25 UTCBLEEPING COMPUTER
    Hackers exploit info disclosure bug in Gravity SMTP WordPress plugin

    Hackers are exploiting an unauthenticated information disclosure vulnerability in the Gravity SMTP WordPress plugin, which is active on 100,000 sites. The vulnerability allows threat actors to access sensitive data without authentication.

  • SECURITYJun 17 · 18:14 UTCTHE HACKER NEWS
    Crypto Clipper Campaign Abuses Fake Reviews, AI Narrators, and VirusTotal Comments

    An unknown threat actor is using fake reviews, AI narrators, and VirusTotal comments to promote malicious software through phishing pages, GitHub, and SourceForge projects, according to Check Point Research.

  • SECURITYJun 6 · 14:09 UTCBLEEPING COMPUTER
    Critical Everest Forms Pro flaw exploited to take over WordPress sites

    Hackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin, allowing them to take complete control of WordPress websites.

  • SECURITYJun 5 · 08:38 UTCTHE HACKER NEWS
    Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites

    Threat actors are exploiting a critical remote code execution vulnerability (CVE-2026-3300) in Everest Forms Pro, a WordPress plugin with 4,000 active installations, leading to site compromises. The vulnerability affects all versions up to 1.9.12.

  • BUSINESSJun 3 · 10:03 UTCTHE REGISTER
    Automattic's CMS empire shows cracks as WordPress share falls

    WordPress's market share has declined to 41.9% from 43.2% over six months, according to W3Techs data. The drop coincides with ongoing disputes between Automattic and WP Engine, including lawsuits and public conflicts, while competitors like Wix and Shopify show gains.

  • SECURITYJun 2 · 22:12 UTCBLEEPING COMPUTER
    Critical Kirki flaw exploited to hijack WordPress admin accounts

    Hackers are exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress to take over any user account, including administrators. The flaw allows unauthorized access to WordPress admin accounts through the Kirki plugin.

  • SECURITYJun 1 · 17:04 UTCBLEEPING COMPUTER
    WordPress malware campaign hides payloads in Steam profiles

    Nearly 2,000 WordPress websites were infected with malware that uses Steam Community profile comments to hide command-and-control data. The campaign involves hiding malicious payloads in Steam profiles to communicate with compromised sites.

  • SECURITYMay 31 · 14:06 UTCBLEEPING COMPUTER
    WP Maps Pro bug exploited to create admin accounts on WordPress sites

    Hackers are exploiting a vulnerability in the WP Maps Pro plugin to create unauthorized administrator accounts on WordPress websites. The exploit allows attackers to bypass authentication and gain administrative access.

  • SECURITYMay 16 · 15:20 UTCTHE HACKER NEWS
    Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming

    A critical security vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to steal payment data from WooCommerce checkout pages. The vulnerability allows malicious JavaScript code to be injected into these pages. Details of the activity were published by Sansec.

  • SECURITYMay 15 · 19:30 UTCBLEEPING COMPUTER
    Funnel Builder WordPress plugin bug exploited to steal credit cards

    A critical vulnerability in the Funnel Builder plugin for WordPress is being exploited to inject malicious JavaScript into WooCommerce checkout pages, potentially stealing credit card information. The bug is actively being used by attackers, putting users' sensitive data at risk. The issue highlights the importance of keeping WordPress plugins up-to-date.

  • SECURITYMay 15 · 15:56 UTCBLEEPING COMPUTER
    Avada Builder WordPress plugin flaws allow site credential theft

    The Avada Builder plugin for WordPress has two vulnerabilities that allow hackers to read arbitrary files and extract sensitive information from the database, affecting an estimated one million active installations. This poses a significant risk to site credential theft. The vulnerabilities enable unauthorized access to sensitive data.

  • SECURITYMay 14 · 21:07 UTCBLEEPING COMPUTER
    Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin

    Hackers are exploiting a critical authentication bypass vulnerability in the Burst Statistics WordPress plugin to gain admin-level access to websites. The flaw allows attackers to bypass authentication and take control of vulnerable sites. This vulnerability poses a significant risk to website security.

  • TECHNOLOGYMay 3 · 14:34 UTCHACKER NEWS
    Breaking Up with WordPress After Two Decades

    The author, Yusuf Aytaş, reflects on ending a 20-year relationship with WordPress, citing dissatisfaction with its direction and complexity. They transition to a static site generator for greater control and simplicity, highlighting the platform's evolution and the growing preference for minimalistic tools in web development.

  • SECURITYApr 29 · 22:13 UTCBLEEPING COMPUTER
    Popular WordPress redirect plugin hid dormant backdoor for years

    The Quick Page/Post Redirect WordPress plugin, used by over 70,000 sites, contained a hidden backdoor added five years ago that enabled attackers to inject arbitrary code into users' websites.

  • TECHNOLOGYApr 26 · 23:52 UTCR/CRYPTOCURRENCY
    WordPress running 100% on-chain on the Internet Computer with PHP 8.5 and WASQL - Developers

    WordPress is now fully operational on-chain via the Internet Computer, utilizing PHP 8.5 and WASQL. This development highlights advancements in blockchain-based hosting and decentralized web technologies.

  • SECURITYApr 23 · 21:33 UTCBLEEPING COMPUTER
    Hackers exploit file upload bug in Breeze Cache WordPress plugin

    Hackers are exploiting a critical vulnerability in the Breeze Cache WordPress plugin that allows unauthorized arbitrary file uploads to servers. The flaw, which requires no authentication, is being actively used to compromise WordPress sites.

  • TECHNOLOGYApr 19 · 22:19 UTCHACKER NEWS
    Aliens.gov will be running as a WordPress multisite

    Aliens.gov is being operated as a WordPress multisite platform. The article, hosted at https://aliens.gov/, has 23 points and 24 comments on Hacker News (https://news.ycombinator.com/item?id=47828149).

  • TECHNOLOGYApr 19 · 14:24 UTCHACKER NEWS
    Matt Mullenweg Overrules Core Committers; Puts Akismet on WP 7's Connector List

    Matt Mullenweg, co-founder of WordPress, overruled core committers to include Akismet on WordPress 7.0's connectors list. The decision sparked debate among developers about governance and plugin prioritization.

  • SECURITYApr 15 · 20:33 UTCBLEEPING COMPUTER
    WordPress plugin suite hacked to push malware to thousands of sites

    A WordPress plugin suite called EssentialPlugin was hacked, compromising over 30 plugins and injecting malware into thousands of websites. The malicious code grants unauthorized access to affected sites, posing a significant security risk.

  • SECURITYApr 14 · 18:31 UTCTECHCRUNCH
    Someone planted backdoors in dozens of WordPress plugins used in thousands of websites

    Dozens of WordPress plugins were compromised to distribute malware after being sold to a new corporate owner. The attack affected thousands of websites using these plugins.

  • SECURITYApr 13 · 17:54 UTCHACKER NEWS
    Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them

    A person purchased 30 WordPress plugins and embedded backdoors into all of them, creating a significant security risk for users. The malicious plugins could allow unauthorized access to websites using the affected WordPress platforms.

  • TECHNOLOGYApr 10 · 13:30 UTCTHE VERGE
    Cloudflare made a WordPress for AI agents

    Cloudflare has launched EmDash, an open-source system designed to address WordPress's limitations by integrating AI agents. The project, in early access, has sparked debate within the WordPress community, with founder Matt Mullenweg disputing Cloudflare's claims of being a 'spiritual successor' to WordPress.

  • SECURITYApr 10 · 06:28 UTCTHE HACKER NEWS
    Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers

    Unknown threat actors compromised the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla, distributing a backdoored version (3.5.1.35) via hijacked Nextend Servers. Patchstack, a WordPress security company, reported the incident, which affects a plugin with over 800,000 active installations.

  • TECHNOLOGYApr 9 · 20:59 UTCHACKER NEWS
    Moving from WordPress to Jekyll (and static site generators in general)

    The article discusses a company's transition from WordPress to Jekyll and static site generators, highlighting the use of Claude Code for rebuilding their website. It mentions the technical benefits and process of migrating to a static site generator.

  • SECURITYApr 9 · 16:15 UTCBLEEPING COMPUTER
    Smart Slider updates hijacked to push malicious WordPress, Joomla versions

    Hackers hijacked the update system for the Smart Slider 3 Pro plugin, distributing malicious versions of WordPress and Joomla with multiple backdoors. The attack compromised the update process, allowing unauthorized access and potential data breaches.

  • SECURITYApr 7 · 22:03 UTCBLEEPING COMPUTER
    Hackers exploit critical flaw in Ninja Forms WordPress plugin

    A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows unauthenticated arbitrary file uploads, enabling remote code execution. The flaw poses a significant security risk to WordPress users.

WordPress · Dossier · The Nexus