Enlarge (credit: Getty Images)

Hackers are assailing websites using a prominent WordPress plugin with millions of attempts to exploit a high-severity vulnerability that allows complete takeover, researchers said.

The vulnerability resides in WordPress Automatic , a plugin with more than 38,000 paying customers. Websites running the WordPress content management system use it to incorporate content from other sites. Researchers from security firm Patchstack disclosed last month that WP Automatic versions 3.92.0 and below had a vulnerability with a severity rating of 9.9 out of a possible 10. The plugin developer, ValvePress, silently published a patch, which is available in versions 3.92.1 and beyond.

Researchers have classified the flaw, tracked as CVE-2024-27956, as a SQL injection, a class of vulnerability that stems from a failure by a web application to query backend databases properly. SQL syntax uses apostrophes to indicate the beginning and end of a data string. By entering strings with specially positioned apostrophes into vulnerable website fields, attackers can execute code that performs various sensitive actions, including returning confidential data, giving administrative system privileges, or subverting how the web app works.

Enlarge / Beeper's new apps are now available, without waitlist, across nearly all mobile and desktop platforms.

Beeper, the multi-network messaging app that recently gave up on trying to engineer around Apple's walled-off iMessage service , has been acquired by Automattic , the company behind WordPress. It is now open to everyone and has a completely revamped Android app.

All of Beeper's workers will join Automattic and will continue operating as an independent team, according to a press release. Eric Migicovsky, creator of the Pebble smartwatch and co-founder of Beeper, will become Automattic's head of messaging. Beeper and Texts.com , acquired last year by Automattic, will work together.

Given that Texts.com provides a similar "all your chats in one place" function but also an iMessage bridge using an app you run on your own Apple computers, it's likely that Beeper and Texts will consolidate into one platform that more closely hews to the "all" part of the companies' mission statements.

Enlarge (credit: Getty Images )

Thousands of sites running the WordPress content management system have been hacked by a prolific threat actor that exploited a recently patched vulnerability in a widely used plugin.

The vulnerable plugin, known as tagDiv Composer, is a mandatory requirement for using two WordPress themes: Newspaper and Newsmag . The themes are available through the Theme Forest and Envato marketplaces and have more than 155,000 downloads.

Tracked as CVE-2023-3169, the vulnerability is what’s known as a cross-site scripting (XSS) flaw that allows hackers to inject malicious code into webpages. Discovered by Vietnamese researcher Truoc Phan , the vulnerability carries a severity rating of 7.1 out of a possible 10. It was partially fixed in tagDiv Composer version 4.1 and fully patched in 4.2.

Enlarge (credit: Getty Images)

All-In-One Security, a WordPress security plugin installed on more than 1 million websites, has issued a security update after being caught three weeks ago logging plaintext passwords and storing them in a database accessible to website admins.

The passwords were logged when users of a site using the plugin, typically abbreviated as AIOS, logged in, the developer of AIOS said Thursday . The developer said the logging was the result of a bug introduced in May in version 5.1.9. Version 5.2.0 released Thursday fixes the bug and also “deletes the problematic data from the database.” The database was available to people with administrative access to the website.

A major security transgression

A representative of AIOS wrote in an email that “gaining anything from this defect requires being logged in with the highest-level administrative privileges, or equivalent. i.e. It can be exploited by a rogue admin who can already do such things because he's an admin.”

Enlarge (credit: Erika Goldring / Contributor | Getty Images North America )

Over the past week, backlash erupted on LinkedIn , in a thread where passionate open source developers began criticizing Pantheon. The developers and other Pantheon supporters commenting had just discovered that the website operations platform—which hosts more than 700,000 websites—is currently hosting websites for hugely influential anti-LGBTQ and anti-immigration organizations that have been designated as hate groups by the Southern Poverty Law Center (SPLC).

The controversy sparked after a digital strategist, Greg Dunlap, posted a link to SPLC’s page designating a Christian conservative legal advocacy group, Alliance Defending Freedom (ADF), as a hate group for its views on the LGBTQ community. On the page, SPLC described ADF as supporting “recriminalization of sexual acts between consenting LGBTQ adults in the US and criminalization abroad,” defending “state-sanctioned sterilization of trans people abroad,” and claiming that a “homosexual agenda” will “destroy Christianity and society.”

In his LinkedIn post, Dunlap tagged Pantheon co-founders Josh Koenig and Zack Rosen, and asked them why Pantheon is hosting a website for the alleged hate group. ADF also has ties to high-ranking Republicans and has influenced Supreme Court opinions (including the decision to overturn Roe v. Wade ).

Enlarge (credit: Getty Images)

Hackers are actively exploiting a critical vulnerability in a widely used WordPress plugin that gives them the ability to take complete control of millions of sites, researchers said.

The vulnerability, which carries a severity rating of 8.8 out of a possible 10, is present in Elementor Pro, a premium plugin running on more than 12 million sites powered by the WordPress content management system. Elementor Pro allows users to create high-quality websites using a wide range of tools, one of which is WooCommerce, a separate WordPress plugin. When those conditions are met, anyone with an account on the site—say a subscriber or customer—can create new accounts that have full administrator privileges.

The vulnerability was discovered by Jerome Bruandet, a researcher with security firm NinTechNet. Last week, Elementor, the developer of the Elementor Pro plugin, released version 3.11.7, which patched the flaw. In a post published on Tuesday, Bruandet wrote: