The vulnerability, tracked as CVE-2026-1492, affects plugin versions up to 5.1.2. Since the issue can be exploited without logging in or interacting with the site, it has been given a critical CVSS score of 9.8.

This means attackers could potentially gain full control of affected WordPress websites.

WordPress Plugin Unauthenticated Admin Access Vulnerability Explained

The problem comes from how the plugin handles user roles during the registration process.

Security researcher Friderika Baranyai (Foxyyy) from Wordfence Intelligence discovered that the plugin does not properly limit which role a new user can request when registering through a membership form.

Normally, websites should restrict roles like administrator so that regular users cannot assign them to themselves. However, the vulnerable plugin accepts the role value sent by the user without proper validation.

Because of this flaw, attackers can modify the registration request and insert administrator as their role. The site then processes the request and creates a new admin account.

Potential Impact on Websites

Once attackers obtain administrator access, they can take full control of the WordPress site.

This level of access allows them to:

• Install malicious plugins or backdoors
• Steal sensitive data from the database
• Redirect visitors to malicious websites
• Modify website content or inject malware

Security researchers have already observed active exploitation attempts. Wordfence reported blocking 74 attacks targeting this vulnerability within just 24 hours, showing that attackers are quickly scanning for vulnerable sites.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

How to Protect Your WordPress Site

Website owners should take immediate steps to secure their installations.

The vulnerability has been patched in version 5.1.3 of the User Registration & Membership plugin.

To reduce the risk of compromise, administrators should:

• Update the plugin to version 5.1.3 or the latest release
• Review all administrator accounts for suspicious users
• Remove any unknown or unauthorized accounts
• Reset passwords and security credentials if compromise is suspected

Previous Security Issues

This plugin has recently faced multiple security concerns. Earlier research also revealed:

• CVE-2026-1779 – an authentication bypass vulnerability
• An authorization issue that allowed attackers to delete posts without permission

Because WordPress plugins are frequently targeted, keeping software updated and using security tools like a web application firewall (WAF) can help prevent exploitation.

The post WordPress Plugin Unauthenticated Admin Access Vulnerability Discovered appeared first on First Hackers News.

Vulnerability Overview

Tracked as CVE-2025-14533, the issue affects plugin versions up to 0.9.2.1 and carries a CVSS score of 9.8 (Critical). The vulnerability arises from improper handling of user roles during account creation, allowing privilege escalation at the point of registration.

How the Attack Works

The plugin enables site owners to create custom user registration and profile forms using field groups. These forms may collect standard details such as usernames, email addresses, passwords, and user roles. While the interface appears to limit which roles can be selected, the backend logic fails to enforce these restrictions.

An unauthenticated attacker can submit a crafted request to a public registration form and manually assign the administrator role. Because the plugin does not validate this value before passing it to WordPress, the platform creates a new account with full admin privileges.

Once administrative access is obtained, an attacker has complete control over the affected website.

This includes the ability to install malicious plugins or themes, inject persistent backdoors, alter site content, redirect visitors to malicious destinations, and create additional administrator accounts to maintain long-term access.

Remediation and Risk

The vulnerability was discovered by researchers from Wordfence, and the plugin developer has addressed the issue in version 0.9.2.2. Despite this, any site that has not applied the update and continues to expose vulnerable forms remains at high risk of exploitation.

Site owners are strongly advised to update immediately and review their user registration workflows to ensure no role assignment fields are exposed publicly.

The post Critical WordPress Plugin Bug Puts 100K+ Sites at Risk appeared first on First Hackers News.

With over 1 million active installations, this flaw puts a large number of websites at risk.

Researchers at RCE Security found that the issue comes from how W3 Total Cache processes dynamic content. The problem lies in the _parse_dynamic_mfunc function inside the PgCache_ContentGrabber class.

This code uses PHP’s eval() function to execute content pulled from cached pages — which opens the door to direct code injection.

RCE Security analyzed WPScan’s advisory and created a working exploit to confirm how serious the vulnerability is.

However, the attack only works under certain conditions. An attacker must know the value of the W3TC_DYNAMIC_SECURITY constant in the site’s wp-config.php file.
Additionally:

• Page caching must be enabled (it’s core functionality but off by default)
• The website must allow comments from unauthenticated users

If these conditions are met, an attacker can inject malicious PHP code using crafted HTML comments in cached pages — leading to full remote code execution (RCE) on the site.

CVE ID: CVE-2025-9501
Vulnerability Type: Unauthenticated Command Injection / Remote Code Execution
Affected Plugin: W3 Total Cache
Affected Versions: Versions containing the vulnerable code in the PgCache_ContentGrabber class
Attack Vector: Malicious mfunc comments inside cached page content
Impact: Full Remote Code Execution & Potential Server Takeover
Status: PoC Exploit Publicly Released

When W3 Total Cache processes a cached page, it calls the vulnerable _parse_dynamic_mfunc function. This function scans the cached content for special mfunc comment tags.

If an attacker knows the value of the W3TC_DYNAMIC_SECURITY key, they can place malicious PHP code inside these tags. The plugin then executes this code directly on the server, giving the attacker remote command execution.

For example, an attacker could run:

echo passthru($_GET[1337])

Once the required conditions are met, exploitation is straightforward.
The level of risk depends heavily on how administrators configure W3 Total Cache.

Sites that use the W3TC_DYNAMIC_SECURITY feature with default or weak values are especially vulnerable.

Website administrators using W3 Total Cache should update to the latest patched version as soon as possible. If an update isn’t available, temporarily disable the Page Cache feature or restrict comments to logged-in users.

‍Follow Us on: Linkedin, Instagram, Facebook to get the latest security news!

The post W3 Total Cache PoC Published, Putting Millions of WordPress Sites at Risk appeared first on First Hackers News.

The main goal of this campaign is to spread online casino spam, which is currently the most common type of spam found on hacked websites.

Attackers take advantage of weaknesses in WordPress websites to upload spam content that promotes online casinos, especially in countries where gambling is restricted.

To stay hidden, they use several techniques:

• They create duplicate folders that look identical to real website pages.
• They replace the original page with one filled with spam links.
• Users and search engines are redirected to these fake pages without knowing.

This method works because it abuses how web servers like Apache and Nginx handle page requests before WordPress loads them.

Researchers at Sucuri also found a more advanced version of this malware.
Instead of putting malicious files only in themes or plugins, the attackers hide the code in multiple places — including inside the WordPress database with misleading names — making it much harder to detect and remove.

Hidden Malware

The malware works in layers: it alters the database and loads content dynamically to stay hidden. Researchers found the malicious script added to the bottom of the theme’s functions.php file.

The malware pulls a base64-encoded payload from the WordPress option named wp_footers_logic and runs it with PHP’s eval() function. If eval() is disabled, it saves the decoded payload to wp-content/cache/style.dat instead. The payload watches incoming requests for certain URL paths and serves cached spam when those paths are matched.

When activated, the payload loads spam content from attacker-controlled sites (for example, browsec[.]xyz). To survive cleanup, the attackers also insert reinfection code into other plugin files. That reinfection code looks for specific markers; if it doesn’t find them, it will re-insert the malicious payload into the theme’s functions.php file and the main file of the first active plugin — ensuring the SEO spam keeps returning.

Mitigation

To protect your website from SEO spam injections:

• Keep WordPress, themes, and plugins updated — outdated components are the main entry point.
• Remove unused plugins and themes — fewer components means fewer vulnerabilities.
• Enable file integrity monitoring — detect unauthorized changes to core files like functions.php.
• Restrict write permissions on /wp-content/, /wp-includes/, and plugins/themes.
• Use a Web Application Firewall (WAF) to block malicious requests and known exploit patterns.
• Scan for unexpected database entries (especially unusual wp_options keys).
• Change all admin credentials, and enforce MFA for logins.

If you suspect a compromise:

• Restore clean versions of core files.
• Audit functions.php, plugin files, and the database for hidden code or base64 content.
• Clear all cache directories — many SEO spam payloads hide there.

The post Websites Compromised to Boost Hacker SEO appeared first on First Hackers News.

Rising Activity Detected in September 2025

More than 30,000 malware samples of this type were detected and blocked by Wordfence during September 2025.
All known variants are now covered by both premium and free malware signatures provided by Wordfence.

Variable Functions Exploited

PHP’s variable function capability, which allows function names to be stored in variables and executed dynamically, has been heavily abused by attackers.
This technique, originally meant for flexible coding, is being used to execute arbitrary commands on compromised sites.

For example, malicious code may assign “eval” and “base64_decode” to variables, chaining them together to download and execute remote payloads.
When these function names are dynamically built or encoded, detection becomes significantly harder.
Simple patterns like eval(base64_decode()) are easily caught, but reordered or encoded calls can bypass traditional signature scans.

Cookie-Based Payloads

The malware also replaces typical user-input triggers with browser cookies.
In several cases, execution occurs only when a specific number of cookies—often 11 or 22—are present, along with a unique marker such as “array11.”

Cookie values are concatenated to rebuild PHP function names like “base64_decode” or “create_function.”
The payload is then decoded and executed on the server.
Some variants even check mathematical conditions, such as one cookie being divisible by 283, before activating.

Because all commands are controlled through cookies, attackers can trigger code execution without leaving visible traces in logs or form submissions.

Key Detection Traits

According to Wordfence, these scripts can be identified by several behavioral clues:

• Unusually dense and unformatted PHP code
• Use of variable functions
• Conditional checks based on cookies or superglobals

By focusing on these traits rather than static signatures, Wordfence’s malware engine can detect even heavily obfuscated variants.

Ongoing Protection Efforts

Wordfence continues to invite researchers and users to submit undetected samples to expand their coverage.
Their layered defense system—including Wordfence Premium, Care, Response, and CLI tools—currently detects over 99% of known malicious variants using these obfuscation tactics.

The company emphasizes that vigilance and updated security plugins remain essential to keeping WordPress sites protected against evolving PHP malware threats.

The post PHP Variable Function Malware Targets WordPress Sites, Wordfence Reports appeared first on First Hackers News.

At the core of this attack is a malicious file named wp-index.php, which abuses WordPress’s must-use plugin functionality to ensure continuous operation that cannot be disabled via the standard admin dashboard.

The malware uses advanced obfuscation techniques, including ROT13 encoding, to conceal its communications with a remote command-and-control server.

Once executed, the malware fetches payloads from a hidden URL and stores them directly in the WordPress database under the option key _hdra_core. This tactic allows it to evade security solutions that focus mainly on filesystem changes.

Security researchers at Sucuri discovered this stealthy backdoor during routine investigations, highlighting its unusually effective persistence mechanisms across various infection vectors.

Notably, the malware creates a covert administrative user account named “officialwp” and uses WordPress filter functions to hide this account from the dashboard, masking its presence from site administrators.

The infection process is highly sophisticated, with the main loader script downloading base64-encoded payloads from hxxps://1870y4rr4y3d1k757673q[.]xyz/cron.php. When decoded, these payloads reveal a complete and robust malware framework.

The malware framework also incorporates a stealthy file manager, deceptively named “pricing-table-3.php”, which is placed within the active theme directory. This backdoor tool is shielded by a custom authentication token — “fsociety_OwnzU_4Evr_1337H4x!” — that must be sent via HTTP headers to gain access, adding an additional layer of concealment and control for the attackers.

Database-Centric Persistence Strategy

The most alarming aspect of this malware is its database-centric persistence strategy. Instead of depending on traditional file-based infections—often detectable through file integrity monitoring—the backdoor embeds its payload within WordPress’s options table. It then executes this stored code and swiftly removes any temporary files created during the process, effectively minimizing forensic traces and making detection significantly more difficult.

This technique enables the malware to withstand typical cleanup procedures, ensuring its continued presence even after superficial disinfection attempts. By storing and executing its payload from the database, the attackers retain remote code execution capabilities and full administrative control over the compromised WordPress site, making the infection both resilient and deeply embedded.

The post Stealthy Backdoor Discovered in WordPress Plugins Grants Hackers Long-Term Website Access appeared first on First Hackers News.

Security researchers have identified advanced malware campaigns where threat actors disguise harmful plugins to closely mimic legitimate components within a site. This strategy significantly hampers detection efforts, allowing the malware to persist unnoticed by administrators.

One particularly deceptive technique involves naming the malicious plugin after the domain it infects. For instance, if the compromised site is example.com, the plugin directory and file might appear as example-com/example-com.php — making it seem like a native part of the website’s codebase.

wp-content/plugins/exampledomain-com/exampledomain-com.php

This naming convention allows the malicious plugin to masquerade as a custom or site-specific tool, making it difficult to detect. By mimicking the site’s own name, the malware blends in naturally with other files, evading both manual inspections and automated security scans with ease.

How the Attack Works

Once installed, these malicious plugins often lie dormant, activating only under specific conditions—most notably when a search engine crawler accesses the website.

At that moment, the plugin dynamically injects spam content, such as pharmaceutical advertisements, into the site’s pages. While regular visitors see the site as normal, search engines index the injected content, unknowingly promoting the attacker’s SEO schemes. This not only boosts the attacker’s search rankings but also severely damages the credibility and search visibility of the compromised website.

The malicious code is heavily obfuscated, using thousands of variables and complex concatenation to hide its true purpose.

Cybercriminals are leveraging deceptive tactics to compromise WordPress websites through malicious plugins. These plugins often contain obfuscated code—scattered letters, numbers, and symbols that are later assembled and executed—making them extremely difficult for security tools and even experienced developers to detect.

• Plugin Placement: The malware typically hides in the WordPress plugins directory. It often uses folder and file names that imitate the site’s domain, making it seem harmless.
  
• Code Obfuscation: Attackers insert fake plugin headers and thousands of variable assignments, creating the illusion of legitimacy.
  
• Selective Activation: The plugin activates only when search engine crawlers visit the site. This stealth tactic bypasses the attention of regular users and many automated scans.
  
• Remote Instructions: The plugin may pull instructions or SEO spam content from external servers, often using encoded formats to avoid detection.
  
• Elevated Access: Some variants allow attackers to gain administrator privileges. This enables them to create rogue admin accounts, install more malware, or completely hijack the site.

Such infections can lead to data theft, defacement, and persistent backdoors that are notoriously difficult to eliminate.

How to Protect Your WordPress Site

To guard against these evolving threats:

• Keep WordPress core, themes, and plugins updated at all times.
• Run regular malware and backdoor scans using trusted security plugins.
• Use strong, unique passwords for all user accounts, including admin, database, and FTP.
• Monitor server logs and implement file integrity checks for early detection.
• Deploy a web application firewall (WAF) to stop malicious bots and brute-force attempts.
• If a breach is suspected, consult cybersecurity experts immediately to clean and secure your site.

Stay proactive – as attackers continue to refine their methods, strong defenses and constant vigilance are essential for maintaining the integrity of your WordPress website.

The post WordPress Under Threat: Malicious SEO Plugins Enable Full Site Control appeared first on First Hackers News.

TI WooCommerce Wishlist Flaw

The flaw affects version 2.9.2 and all earlier versions, allowing unauthenticated file uploads—meaning attackers can upload malicious files without logging in. This vulnerability is tracked as CVE-2025-47577.

The plugin normally works with tools like WC Fields Factory to let store owners add wishlist features and custom forms. But due to a coding error, attackers can upload harmful files like PHP scripts, which could let them take full control of a website.

The problem lies in the tinvwl_upload_file_wc_fields_factory function in the plugin’s code. It disables WordPress’s normal file type checks by setting 'test_type' => false, allowing any file type to be uploaded.

These files can then be run directly on the server, leading to remote code execution (RCE).

A serious vulnerability in the TI WooCommerce Wishlist plugin can be exploited through helper functions like tinvwl_meta_wc_fields_factory or tinvwl_cart_meta_wc_fields_factory. This only works when the WC Fields Factory plugin is also active—slightly narrowing the risk but still leaving many sites exposed.

This is a high-severity issue, as attackers don’t need to log in to exploit it. They can upload malicious code to your server, leading to data theft, full system compromise, or service disruption.

As of now, there is no patch available. The only safe action is to disable and delete the plugin to prevent attacks.

Users subscribed to Patchstack’s paid service (starting at $5 per site/month) are already protected against this flaw. A free Community account is required to access this protection.

Security experts also recommend that plugin developers and hosting providers explore Patchstack’s audit services and API to strengthen security across multiple sites.

The community is still waiting for an official fix from the TI Wishlist team. Until then, removal of the plugin is the safest course of action.

This incident is a strong reminder for all developers: never bypass default WordPress security checks, such as file validation. One small mistake can put thousands of websites at risk.

We will share updates as soon as a patched version is released. For now, prioritize security—stay alert and keep your WordPress site safe.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post TI WooCommerce Wishlist Flaw: 100,000+ Sites at Risk appeared first on First Hackers News.

Discovered during a security assessment of version 7.2.1, the flaw affects all versions up to 7.3.1, making it essential for users to update to the latest secure release.

WordPress plugin vulnerability

According to Abrahack, the vulnerability was found in the wp_ajax_nopriv_{$action} hook, allowing unauthenticated access.

The gamipress_get_logs AJAX endpoint was specifically vulnerable, as it retrieves user logs and accepts parameters that can affect database queries.

The gamipress_ajax_get_logs function uses the $_REQUEST array, which is passed into the gamipress_logs_shortcode function, which then queries the database through the gamipress_logs_shortcode_query function and the CT_Query class.

The vulnerability targets the orderby HTTP Request parameter, which is passed unsafely into an SQL query.

Despite restrictions like stripping white spaces and disallowing quotes, attackers can still exploit this with carefully crafted payloads.

A boolean time-based SQLi payload was used to demonstrate the exploit, allowing attackers to infer database information without directly extracting data.

The vendor fixed this issue in version 7.3.2 by implementing a whitelist for the orderby parameter, allowing only predefined columns in the gamipress_logs table, preventing SQL injection.

This highlights the need to properly handle user inputs in WordPress plugins. Users should update to version 7.3.2 or later to avoid potential SQL injection attacks.

The post WordPress plugin vulnerability exposes websites to SQL injection appeared first on First Hackers News.

Known as CVE-2025-0912, this bug lets attackers take over sites without logging in by exploiting a deserialization issue in versions 3.19.4 and earlier.

All about the plugin vulnerability

The flaw comes from improper handling of the card_address field in donation forms.

Hackers can inject harmful PHP objects, using a technique called POP (Property-Oriented Programming) to run their own code and take full control of affected sites.

With a critical CVSS score of 9.8, this bug allows attackers to steal donor data, install backdoors, or hijack payments without needing to log in.

Researcher dream hard found the issue while reviewing the plugin’s code, warning that it’s easy to exploit and could lead to defaced sites, stolen funds, or full admin access within minutes.

GiveWP, used by nonprofits, religious groups, and political campaigns, handles millions in donations each year. A compromised site could face:

• Payment fraud through altered gateways
• Donor data leaks (names, emails, billing info)
• SEO poisoning with malicious redirects
• Full site takeover for phishing attacks

Wordfence detected active scans for vulnerable sites starting March 4, with at least three different attack methods seen. The plugin’s wide use by critical organizations makes timely patching essential.

Mitigation and Response

GiveWP released version 3.20.0 on March 4, fixing the flaw. Site admins should:

• Update to version 3.20.0
• Check logs for suspicious POST requests to /wp-json/give/v1/donations
• Revoke and regenerate payment API keys

Wordfence warns older versions should assume compromise and recommends full malware scans and donor account monitoring.

Critics noted the patch came 48 hours after public disclosure, raising concerns about plugin security.

As of March 5, over 7,000 sites are still unpatched, while proof-of-concept exploits are already circulating. Immediate action is crucial to avoid major damage.

The post 10,000+ WordPress sites exposed by donation plugin vulnerability appeared first on First Hackers News.