Hacking Campaign Actively Exploiting Ultimate Member Plugin

UPDATE (2023-07-03): A new version, 2.6.7, was released this weekend, and fixes the issue. If you use Ultimate Member, update to this version as soon as possible. You can find Ultimate Member’s incident postmortem here. Recently, Automattic’s WP.cloud and Pressable.com platforms identified a trend in compromised sites, where rogue new administrator accounts kept appearing in…

Arbitrary Plugin Installation Vulnerability In Formidable Forms

During a recent internal review of the Formidable Forms plugin, a serious security issue was detected which could potentially enable users with low privileges such as subscribers to install arbitrary plugins on vulnerable sites. The exploitation of this vulnerability could grant malicious users the power to install any plugin available on downloads.wordpress.org, which can lead…

SQL Injection Found And Fixed In Slimstat Analytics and Paid Memberships Pro

During an internal audit of the Slimstat Analytics and Paid Memberships Pro plugins, the WPScan research team uncovered two SQL Injection vulnerabilities that could allow low-privileged users like subscribers to leak sensitive information from a site’s database. If exploited, the vulnerability might grant attackers access to privileged information from impacted sites’ databases, such as usernames…

A Note On CSV Injection Reports

We process a large number of submissions every day, some of which have a high impact on the WordPress ecosystem, and others less so. In order to ensure that our work effectively helps make the web a safer place, we have to prioritize the submissions we receive. As part of that, we’d like to clarify…