WordPress
Coverage of WordPress in the Nexus archive.
- US Army websites defaced with pro-Kurdish sentiments, insults to Trump
US Army websites oil.army.mil and ai2c.army.mil were defaced with pro-Kurdish messages and insults targeting President Donald Trump and Ambassador Tom Barrack. The defacements, achieved via 404 hijacking, affected error pages on subdomains hosted on WordPress and Microsoft cloud infrastructure. The Army took the sites offline, stating they were hosted on a legacy third-party platform unrelated to its enterprise network.
- Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys
Hackers are exploiting a patched security flaw in the Gravity SMTP WordPress plugin, affecting approximately 100,000 sites. The vulnerability, CVE-2026-4020, is a medium-severity information disclosure flaw allowing unauthenticated attackers to extract sensitive data like API keys and OAuth tokens.
- Hackers exploit info disclosure bug in Gravity SMTP WordPress plugin
Hackers are exploiting an unauthenticated information disclosure vulnerability in the Gravity SMTP WordPress plugin, which is active on 100,000 sites. The vulnerability allows threat actors to access sensitive data without authentication.
- Crypto Clipper Campaign Abuses Fake Reviews, AI Narrators, and VirusTotal Comments
An unknown threat actor is using fake reviews, AI narrators, and VirusTotal comments to promote malicious software through phishing pages, GitHub, and SourceForge projects, according to Check Point Research.
- Critical Everest Forms Pro flaw exploited to take over WordPress sites
Hackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin, allowing them to take complete control of WordPress websites.
- Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites
Threat actors are exploiting a critical remote code execution vulnerability (CVE-2026-3300) in Everest Forms Pro, a WordPress plugin with 4,000 active installations, leading to site compromises. The vulnerability affects all versions up to 1.9.12.
- Automattic's CMS empire shows cracks as WordPress share falls
WordPress's market share has declined to 41.9% from 43.2% over six months, according to W3Techs data. The drop coincides with ongoing disputes between Automattic and WP Engine, including lawsuits and public conflicts, while competitors like Wix and Shopify show gains.
- Critical Kirki flaw exploited to hijack WordPress admin accounts
Hackers are exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress to take over any user account, including administrators. The flaw allows unauthorized access to WordPress admin accounts through the Kirki plugin.
- WordPress malware campaign hides payloads in Steam profiles
Nearly 2,000 WordPress websites were infected with malware that uses Steam Community profile comments to hide command-and-control data. The campaign involves hiding malicious payloads in Steam profiles to communicate with compromised sites.
- WP Maps Pro bug exploited to create admin accounts on WordPress sites
Hackers are exploiting a vulnerability in the WP Maps Pro plugin to create unauthorized administrator accounts on WordPress websites. The exploit allows attackers to bypass authentication and gain administrative access.
- Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming
A critical security vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to steal payment data from WooCommerce checkout pages. The vulnerability allows malicious JavaScript code to be injected into these pages. Details of the activity were published by Sansec.
- Funnel Builder WordPress plugin bug exploited to steal credit cards
A critical vulnerability in the Funnel Builder plugin for WordPress is being exploited to inject malicious JavaScript into WooCommerce checkout pages, potentially stealing credit card information. The bug is actively being used by attackers, putting users' sensitive data at risk. The issue highlights the importance of keeping WordPress plugins up-to-date.
- Avada Builder WordPress plugin flaws allow site credential theft
The Avada Builder plugin for WordPress has two vulnerabilities that allow hackers to read arbitrary files and extract sensitive information from the database, affecting an estimated one million active installations. This poses a significant risk to site credential theft. The vulnerabilities enable unauthorized access to sensitive data.
- Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin
Hackers are exploiting a critical authentication bypass vulnerability in the Burst Statistics WordPress plugin to gain admin-level access to websites. The flaw allows attackers to bypass authentication and take control of vulnerable sites. This vulnerability poses a significant risk to website security.
- Breaking Up with WordPress After Two Decades
The author, Yusuf Aytaş, reflects on ending a 20-year relationship with WordPress, citing dissatisfaction with its direction and complexity. They transition to a static site generator for greater control and simplicity, highlighting the platform's evolution and the growing preference for minimalistic tools in web development.
- Popular WordPress redirect plugin hid dormant backdoor for years
The Quick Page/Post Redirect WordPress plugin, used by over 70,000 sites, contained a hidden backdoor added five years ago that enabled attackers to inject arbitrary code into users' websites.
- WordPress running 100% on-chain on the Internet Computer with PHP 8.5 and WASQL - Developers
WordPress is now fully operational on-chain via the Internet Computer, utilizing PHP 8.5 and WASQL. This development highlights advancements in blockchain-based hosting and decentralized web technologies.
- Hackers exploit file upload bug in Breeze Cache WordPress plugin
Hackers are exploiting a critical vulnerability in the Breeze Cache WordPress plugin that allows unauthorized arbitrary file uploads to servers. The flaw, which requires no authentication, is being actively used to compromise WordPress sites.
- Aliens.gov will be running as a WordPress multisite
Aliens.gov is being operated as a WordPress multisite platform. The article, hosted at https://aliens.gov/, has 23 points and 24 comments on Hacker News (https://news.ycombinator.com/item?id=47828149).
- Matt Mullenweg Overrules Core Committers; Puts Akismet on WP 7's Connector List
Matt Mullenweg, co-founder of WordPress, overruled core committers to include Akismet on WordPress 7.0's connectors list. The decision sparked debate among developers about governance and plugin prioritization.
- WordPress plugin suite hacked to push malware to thousands of sites
A WordPress plugin suite called EssentialPlugin was hacked, compromising over 30 plugins and injecting malware into thousands of websites. The malicious code grants unauthorized access to affected sites, posing a significant security risk.
- Someone planted backdoors in dozens of WordPress plugins used in thousands of websites
Dozens of WordPress plugins were compromised to distribute malware after being sold to a new corporate owner. The attack affected thousands of websites using these plugins.
- Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them
A person purchased 30 WordPress plugins and embedded backdoors into all of them, creating a significant security risk for users. The malicious plugins could allow unauthorized access to websites using the affected WordPress platforms.
- Cloudflare made a WordPress for AI agents
Cloudflare has launched EmDash, an open-source system designed to address WordPress's limitations by integrating AI agents. The project, in early access, has sparked debate within the WordPress community, with founder Matt Mullenweg disputing Cloudflare's claims of being a 'spiritual successor' to WordPress.
- Backdoored Smart Slider 3 Pro Update Distributed via Compromised Nextend Servers
Unknown threat actors compromised the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla, distributing a backdoored version (3.5.1.35) via hijacked Nextend Servers. Patchstack, a WordPress security company, reported the incident, which affects a plugin with over 800,000 active installations.
- Moving from WordPress to Jekyll (and static site generators in general)
The article discusses a company's transition from WordPress to Jekyll and static site generators, highlighting the use of Claude Code for rebuilding their website. It mentions the technical benefits and process of migrating to a static site generator.
- Smart Slider updates hijacked to push malicious WordPress, Joomla versions
Hackers hijacked the update system for the Smart Slider 3 Pro plugin, distributing malicious versions of WordPress and Joomla with multiple backdoors. The attack compromised the update process, allowing unauthorized access and potential data breaches.
- Hackers exploit critical flaw in Ninja Forms WordPress plugin
A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows unauthenticated arbitrary file uploads, enabling remote code execution. The flaw poses a significant security risk to WordPress users.