Author: Fioravante Souza

  • A persistent twist in the current Malware Campaign

    Recently, while covering malware campaigns exploiting the LiteCache and WP‑Automatic WordPress plugins, we found that attackers were installing php‑everywhere, a plugin that allows users to run arbitrary PHP code in their site’s posts. This plugin was closed on April 25th per its author’s request. The reasoning behind this installation was to have persistent malware on the …

  • Unauthenticated File Upload Vulnerability Addressed in Royal Elementor Addons and Templates 1.3.79

    During an investigation of a series of websites being actively compromised, we noticed the constant presence of the Royal Elementor Addons and Templates plugin. All of the sites had at least one malicious file dropped into the /wpr‑addons/forms/ directory. As we reviewed the plugin, we found that the upload AJAX action wasn’t properly validating the …

  • Hacking Campaign Actively Exploiting Ultimate Member Plugin

    UPDATE (2023‑07‑03): A new version, 2.6.7, was released this weekend and fixes the issue. If you use Ultimate Member, update to this version as soon as possible. You can find Ultimate Member’s incident postmortem here. Recently, Automattic’s WP.cloud and Pressable.com platforms identified a trend in compromised sites, where rogue new administrator accounts kept appearing in the …

  • Fake plugin affecting WordPress sites

    Bad actors are abusing leaked and compromised credentials to install the core-stab fake plugin on WordPress sites.