A critical security flaw, known as CVE-2024-1071, has been found in the Ultimate Member plugin for WordPress. This vulnerability, with a CVSS score of 9.8, poses a significant risk to over 200,000 active installations. It potentially enables attackers to extract sensitive data from compromised databases, presenting a severe threat to website security.

VikRentCar is a popular car rental management system that is also available as a WordPress plugin. The plugin provides a hassle-free and reliable rent reservation system for cars, scooters, motorbikes, boats, and any other vehicles.

A WordPress plugin used on over 300,000 websites has been found to contain vulnerabilities that could allow hackers to seize control. Security researchers at Wordfence found two critical flaws in the POST SMTP Mailer plugin. The first flaw made it possible for attackers to reset the plugin's authentication API key and view sensitive logs (including password reset emails) on the affected website. A malicious hacker exploiting the flaw could access the key after triggering a password reset.

43% of all websites are built in WordPress (W3Techs). Custom WordPress sites rely on plugins, themes, and other components determined by the website administrators. Because these extensible components are often created by third-parties, each custom addition is a potential attack vector that needs to be monitored and updated to maintain a secure website. Website security is a critical aspect of your cybersecurity posture.

A zero-day vulnerability, denoted by the CVE identifier CVE-2023-30777, exposes a dangerous reflected cross-site scripting (XSS) flaw. This high-severity vulnerability has been discovered within the WordPress plugin (Advanced Custom Fields (ACF) and Advanced Custom Fields Pro). The CVE-2023-30777 exposes over 2 million installations to security risks, triggering widespread concern and anxiety among website owners and administrators.

Jetpack, an extremely popular WordPress plugin that provides a variety of functions including security features for around five million websites, has received a critical security update following the discovery of a bug that has lurked unnoticed since 2012. Jetpack's maintainers, Automattic, announced on Tuesday that it had worked closely with the WordPress security team to push out an automatic patch for every version of Jetpack since 2.0.

By default, the WordPress administrative login page displays a helpful error message whenever an account user types in the wrong username/email address or password. Unfortunately, these same helpful error messages can also be abused to assist a threat actor to validate account usernames/email addresses and/or passwords. An incorrect username/password guess combination generates the following error message: “The username ‘name-entered’ is not registered on this site”.

Read also: Microsoft fixes a Windows zero-day, the US sanctions Iranian hackers linked to ransomware attacks, and more.