40,000+ Sites Exposed: Critical 9.8 CVSS Flaw Grants Total WordPress Account Takeover
The post 40,000+ Sites Exposed: Critical 9.8 CVSS Flaw Grants Total WordPress Account Takeover appeared first on Daily CyberSecurity.

A massive supply chain attack has been uncovered in the Quick Page/Post Redirect Plugin, a popular WordPress plugin with over 70,000 active installations.
Security researcher Austin Ginder discovered a dormant backdoor introduced five years ago that silently injects arbitrary code into websites.
The malicious code bypassed official security checks by leveraging a custom remote update checker, effectively turning the plugin into a vehicle for parasite SEO and remote code execution.
The investigation began when routine security audits on a hosting fleet flagged anomalies in plugin version 5.2.3.
While the affected websites reported running version 5.2.3, the file hashes did not match those of the official release on the WordPress repository.
The tampered files contained an unauthorized function that reached out to a third-party server and injected returned content directly into website pages.
To evade detection, the injection was specifically hidden from logged-in administrators and only triggered for regular visitors and search engine crawlers.
The compromise was executed through a highly sophisticated, multi-stage process involving two distinct backdoors.
The active backdoor was a bundled copy of a plugin update checker library configured to poll a server controlled by the developer, rather than the official WordPress infrastructure.
This mechanism allowed the malicious actor to push unauthorized updates with full administrative privileges.
The passive backdoor was the injected payload itself, which quietly fetched and displayed hidden content from a remote command-and-control server.
Although the command-and-control server is currently offline and the backdoor is dormant, the update mechanism remains fully functional and could be reactivated at any time.
Extensive analysis of the plugin’s commit history revealed that the attack was orchestrated by the plugin’s original author, anadnet.
The developer intentionally committed the malicious self-updater to the official repository in late 2020, allowing it to propagate to thousands of websites.
Months later, the author distributed the tampered payload through their private server before quietly removing the custom updater from the official source code.
This deliberate maneuver erased obvious traces of the compromise from the official repository while leaving existing installations permanently tethered to the attacker’s infrastructure.
The WordPress plugin review team temporarily pulled the Quick Page/Post Redirect Plugin from the directory in April 2026 pending a full investigation.
Since attackers can spoof version numbers, traditional vulnerability scanners often fail to detect this type of supply chain compromise.
According to a report by Austin Ginder at Anchor, administrators should use the built-in WordPress command-line tool to verify plugin checksums against the official repository.
Any mismatch indicates a compromised file, and security experts recommend completely uninstalling the affected plugin in favor of actively maintained alternatives.
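As an added illustration (not from the report, the plugin, or WP-CLI itself), the Python below shows what a checksum verification such as `wp plugin verify-checksums` has to do: hash every file in the plugin directory and diff it against the release manifest, treating the spoofable Version header as a claim rather than evidence. The plugin files, the manifest and the `updater/checker.php` path are constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def plugin_header_version(main_file: Path) -> str:
    """Read the 'Version:' header that the admin plugin list displays."""
    text = main_file.read_text(errors="replace")
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", text, re.M)
    return m.group(1) if m else ""

def verify_plugin_dir(plugin_dir: Path, manifest: dict) -> dict:
    """Compare every file under plugin_dir with expected SHA-256 digests.

    Returns sorted lists of modified, missing and unexpected relative paths;
    an unexpected file (for example a bundled updater) is as suspicious as a
    modified one."""
    present = {p.relative_to(plugin_dir).as_posix(): p
               for p in plugin_dir.rglob("*") if p.is_file()}
    return {
        "modified": sorted(r for r, p in present.items()
                           if r in manifest and sha256_file(p) != manifest[r]),
        "missing": sorted(r for r in manifest if r not in present),
        "unexpected": sorted(r for r in present if r not in manifest),
    }

def manifest_for(files: dict) -> dict:
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

# Constructed fixture: "official" release files, and a tampered install that
# keeps the same Version header but alters one file and adds an updater.
OFFICIAL = {
    "plugin.php": b"<?php\n/*\nPlugin Name: Demo Redirect\nVersion: 5.2.3\n*/\n",
    "readme.txt": b"=== Demo Redirect ===\nStable tag: 5.2.3\n",
}
TAMPERED = {
    "plugin.php": OFFICIAL["plugin.php"] + b"require __DIR__ . '/updater/checker.php';\n",
    "readme.txt": OFFICIAL["readme.txt"],
    "updater/checker.php": b"<?php // constructed placeholder for a bundled update checker\n",
}

def demo() -> dict:
    """Version header matches the release, yet the checksums do not."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in TAMPERED.items():
            (root / name).parent.mkdir(parents=True, exist_ok=True)
            (root / name).write_bytes(data)
        report = verify_plugin_dir(root, manifest_for(OFFICIAL))
        report["header_version"] = plugin_header_version(root / "plugin.php")
        return report
```

Calling `demo()` reports the version as 5.2.3 while listing `plugin.php` as modified and `updater/checker.php` as unexpected, which is the pattern the hosting audit saw.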
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post WordPress Plugin Hacked Since 2020 to Inject Malicious Code Silently appeared first on Cyber Security News.


A long-dormant backdoor has been uncovered in the “Quick Page/Post Redirect Plugin,” a popular WordPress add-on with over 70,000 active installations. The tampered plugin, specifically version 5.2.3, contained two distinct malicious features. First, it featured a passive content injection mechanism. On every page viewed by a logged-out user, the plugin connected to a third-party server […]
The post Backdoored WordPress Plugin Abuses Remote Update Checker for Silent Code Delivery appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


Hackers secretly planted a remote code-execution backdoor in more than 30 popular WordPress plugins, leaving it dormant for about 8 months before activating malware that rewrote wp-config.php and injected cloaked SEO spam at scale. The incident centers on “Essential Plugin,” a portfolio of 30+ free plugins with paid upgrades used for sliders, countdown timers, FAQs, […]
The post Trusted WordPress Plugins Hijacked in 8-Month Stealth Backdoor Campaign appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


A newly disclosed vulnerability, tracked as CVE-2026-1492, has been identified in the User Registration & Membership plugin for WordPress, exposing websites to critical authentication bypass and privilege escalation risks. Affecting versions up to 5.1.2, the vulnerability allows remote attackers to gain full administrative access without valid credentials. The affected plugin, widely used to manage user registration and membership […]
The post WordPress Plugin Vulnerability Enables Admin Takeover via Auth Bypass appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


A critical security flaw in the popular WordPress plugin “Ninja Forms – File Upload” has left approximately 50,000 websites vulnerable to complete takeover.
Tracked as CVE-2026-0740, this flaw boasts a maximum CVSS severity score of 9.8, making it a severe threat that requires immediate attention from website administrators.
Discovered by security researcher Sélim Lanouar, who earned a $2,145 bug bounty for the find, the vulnerability is classified as an Unauthenticated Arbitrary File Upload.
In simple terms, this means that anyone on the internet can upload malicious files to a target website without needing an account, username, or password.
If successfully exploited, an attacker can achieve Remote Code Execution (RCE), granting them total control over the underlying web server.
The Ninja Forms File Upload addon is designed to manage user file submissions via the specific PHP function handle_upload().
When processing these files, this function calls the _process() method to move the temporary uploaded files to their final destination folder on the server.
While the plugin attempts to verify the original uploaded file’s file type, a critical oversight occurs just before the file is saved.

The code fails to validate the destination filename’s file extension during the move_uploaded_file() operation. Furthermore, the plugin lacks proper filename sanitization.
This dangerous combination allows a clever attacker to manipulate the file path, a technique known as path traversal.
By doing so, they can bypass the intended restrictions and upload highly dangerous .php files directly into the website’s root directory, completely bypassing the normal safety checks.
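The missing check, as an added example rather than the plugin's own code, written in Python: the destination name is validated immediately before the move, with an extension allowlist, a deny list applied to every suffix position, and a containment check on the resolved path. The extension sets, the upload directory and the sample filenames are assumptions for the example.

```python
from pathlib import Path, PurePosixPath
from typing import Optional

# Allowlist a form is expected to accept (assumption for this example).
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt"}
# Never allowed in *any* position: hosts with Apache multi-extension handling
# may execute "image.php.jpg", so every suffix is checked, not only the last.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "htaccess"}

def sanitize_filename(submitted: str) -> str:
    """Reduce a user-controlled name to a single safe path component."""
    name = PurePosixPath(submitted.replace("\\", "/")).name  # drops "../" prefixes
    name = name.replace("\x00", "").lstrip(".")            # no NUL bytes, no dotfiles
    return "".join(c for c in name if c.isalnum() or c in "._-")

def resolve_upload_destination(upload_dir: str, submitted: str) -> Optional[str]:
    """Return the final path for a stored upload, or None if it must be rejected.

    This validates the *destination* name right before the file would be moved,
    instead of relying only on a type check of the original upload."""
    name = sanitize_filename(submitted)
    suffixes = [s[1:].lower() for s in PurePosixPath(name).suffixes]
    if not name or not suffixes:
        return None
    if any(s in EXECUTABLE_EXTENSIONS for s in suffixes):
        return None
    if suffixes[-1] not in ALLOWED_EXTENSIONS:
        return None
    base = Path(upload_dir).resolve()
    dest = (base / name).resolve()
    # Defence in depth: even after sanitising, refuse anything outside upload_dir.
    if dest.parent != base:
        return None
    return str(dest)

def classify(upload_dir: str, submitted_names: list) -> dict:
    """Map each constructed submitted name to whether it would be accepted."""
    return {n: resolve_upload_destination(upload_dir, n) is not None for n in submitted_names}

# Constructed inputs: the shapes a hardened handler must reject or accept.
SAMPLE_NAMES = ["report.pdf", "photo.jpg", "shell.php", "../../shell.php",
                "image.php.jpg", "..\\..\\wp-config.php", ".htaccess", "noext"]

if __name__ == "__main__":
    for n, ok in classify("/var/www/html/wp-content/uploads", SAMPLE_NAMES).items():
        print(f"{'accept' if ok else 'reject':6} {n!r}")
```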
Once a malicious PHP script, often called a webshell, is successfully uploaded and executed, the consequences are disastrous.
The attacker gains the ability to execute terminal commands directly on the web server, leading to a complete site compromise.
From there, threat actors can steal sensitive database information, inject malware into legitimate pages, redirect visitors to malicious spam sites, or use the compromised server to launch further cyberattacks against other targets.
The vulnerability impacts all versions of the Ninja Forms File Upload plugin up to and including version 3.3.26.
Wordfence initially received the bug report and quickly rolled out firewall protections for premium users on January 8, 2026, and extended those protections to free users by February 7.
The plugin developers worked to resolve the issue, releasing a partial fix in version 3.3.25 and a final, complete patch in version 3.3.27 on March 19, 2026.
If you manage a WordPress website using this specific Ninja Forms addon, it is crucial to update the plugin to version 3.3.27 or higher immediately.
Because this critical flaw requires no authentication and is straightforward for attackers to exploit, unpatched sites remain easy targets for automated web-scanning scripts.
The post 50,000 WordPress Sites Exposed to Critical Ninja Forms File Upload RCE Vulnerability appeared first on Cyber Security News.


A new supply chain attack is targeting developers after threat actors compromised the official WordPress-based website for ILSpy on April 6, 2026. Instead of providing the legitimate software, the hijacked website began redirecting visitors to a malicious webpage to deliver malware.
Normally, clicking the download button on the ILSpy website sends users directly to the project’s official GitHub repository.
During this compromise, attackers altered the site’s underlying links. Users looking to download the developer tool were unexpectedly routed to a third-party domain.
Once on this malicious page, visitors received a prompt instructing them to install a specific browser extension to continue their download.
This is a classic bait-and-switch tactic. By exploiting the trust developers place in the official ILSpy domain name, the attackers successfully tricked victims into dropping their guard and bypassing normal security checks.
While browser extensions might seem less dangerous than traditional executable files, they pose a severe security risk.
Once installed, malicious extensions can act as powerful spyware. They can silently steal session cookies, capture typed passwords, and monitor web traffic.
For a software developer, this could mean accidentally exposing their company’s source code, internal networks, or cloud infrastructure credentials to remote threat actors.
An independent security researcher known as RootSuccess first captured the attack on video and reported it to vx-underground, which issued a public alert around 1:22 AM EST.
Shortly after the disclosure gained traction on social media, the compromised ILSpy WordPress site was taken offline. As of this writing, the domain is returning a 502 Bad Gateway error, effectively preventing further infections.
Security researchers are currently analyzing the malicious browser extension to extract Indicators of Compromise (IoCs) and understand the full technical scope of the payload.
This incident highlights an escalating trend in the cybersecurity landscape, and developers are the ultimate target.
While the security community often focuses on poisoned npm packages or malicious Python libraries, this attack proves that traditional web vulnerabilities remain highly effective entry points.
A simple WordPress compromise allowed hackers to intercept the software supply chain at the point of download. Security experts point out that the predictable nature of the attack, exploiting content management systems to set up redirect chains, is an old tactic.
However, pairing it with trusted developer tools creates a highly effective trap. To protect against similar watering hole and supply chain attacks, developers should adopt a few simple precautions:
The post Hackers Compromised ILSpy WordPress Domain to Deliver Malware appeared first on Cyber Security News.


The official WordPress website for ILSpy, a highly popular open-source tool used by software developers to examine .NET code, has been compromised. Hackers successfully breached the site to redirect visitors and deliver malware, turning a trusted developer resource into a dangerous trap.
The Redirection Attack
Cybersecurity research group vx-underground confirmed the breach after receiving video […]
The post Hackers Breach ILSpy WordPress Domain to Deliver Malware appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


A high-severity security flaw has been disclosed in Smart Slider 3, one of the most widely used WordPress slider builder plugins.
With over 800,000 active installations, this vulnerability leaves a massive number of websites exposed to severe data theft.
Tracked as CVE-2026-3098, this medium-severity flaw allows attackers with minimal permissions to access and download highly sensitive configuration files directly from the hosting server.
This vulnerability is particularly dangerous for sites that allow open user registration, as any standard subscriber account can be leveraged to execute an attack.
The vulnerability, categorized as an Authenticated Arbitrary File Read, exists deeply within the plugin’s export functionality. Specifically, the underlying flaw resides in the actionExportAll() function within the ControllerSliders class.
In a normal workflow, this process relies on multiple AJAX requests to compile and download a slider export ZIP file containing images and configuration settings.
While one of these critical actions is protected by a security nonce, authenticated attackers can easily obtain this token in vulnerable versions of the plugin.
More critically, the AJAX functions lack proper capability checks that verify the user’s role before executing the code.
This oversight allows any authenticated user, even those with basic subscriber-level access, to trigger the export action without requiring administrative privileges.
Furthermore, the create() function responsible for building the export zip fails to validate the source or type of the files being added to the archive.
Because the system does not restrict exports exclusively to safe media like image or video files, threat actors can weaponize the feature to export core server files.
This means attackers can easily extract files with .php extensions, completely bypassing intended WordPress security restrictions. The primary and most critical threat posed by this vulnerability is the potential exposure of the site’s core wp-config.php file.
If an attacker successfully downloads this file, they gain immediate access to database credentials, as well as the cryptographic keys and salts used to secure user sessions.
Armed with this sensitive information, a threat actor could easily bypass authentication, escalate their privileges, and take complete control of the affected web server.
Security researcher Dmitrii Ignatyev discovered the flaw and responsibly reported it through the Wordfence Bug Bounty Program on February 23, 2026, earning a well-deserved $2,208 reward.
Wordfence responded instantly, providing a protective firewall rule to its Premium, Care, and Response users on February 24 to block any incoming exploit attempts.
Sites utilizing the free version of Wordfence received the same protection exactly 30 days later, on March 26, 2026.
The plugin developers at Nextend acknowledged the report. They responded promptly to the disclosure, releasing a fully patched version on March 24, 2026.
Website administrators are strongly urged to update their Smart Slider 3 plugin to version 3.5.1.34 immediately to secure their environments against potential exploitation.
The post WordPress Plugin Vulnerability Exposes Sensitive Data From 800,000+ Sites appeared first on Cyber Security News.


A severe security flaw has been disclosed in Smart Slider 3, a highly popular WordPress plugin currently active on more than 800,000 websites. Discovered by security researcher Dmitrii Ignatyev, this vulnerability enables authenticated attackers to read arbitrary files directly from the hosting server. If exploited, the flaw exposes critical backend infrastructure to unauthorized users. Vulnerability […]
The post WordPress Plugin Flaw Exposes Sensitive Data Across 800,000+ Sites appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

An unauthenticated SQL injection flaw, tracked as CVE-2026-2413 (CVSS score 7.5), in the Ally plugin could allow attackers to steal sensitive data. The offensive security engineer Drew Webber at Acquia discovered the vulnerability on February 4, 2026.
Ally (formerly One Click Accessibility) is a free WordPress plugin that helps creators build accessible websites. It offers an accessibility scanner with AI suggestions, a usability widget for visitors, and an automated accessibility statement generator.
The flaw could allow attackers to extract sensitive database data, including password hashes. The issue was responsibly reported by Drew Webber through the Wordfence Bug Bounty Program, earning an $800 bounty. Wordfence notified Elementor on February 13, the vendor acknowledged the report on February 15, and released a patch on February 23, 2026.
Users are urged to update to Ally version 4.1.0 to mitigate the risk.
The vulnerability stems from insecure handling of the subscribers query in Ally. The plugin builds a SQL JOIN query using a page URL parameter without using WordPress’ wpdb->prepare() function, which normally escapes and parameterizes queries.
Although esc_url_raw() is used, it does not prevent SQL injection. This flaw allows attackers to inject malicious SQL. By exploiting it with time-based blind SQL injection, using CASE statements and SLEEP() delays, an attacker could gradually extract sensitive information from the database.
“The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3.” reads the advisory published by WordFence. “This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected.”
The development team addressed the issue by using the wpdb->prepare() function to build the JOIN statement.
“The vulnerability has been addressed in version 4.1.0 of the plugin.” concludes the advisory. “We encourage WordPress users to verify that their sites are updated to the latest patched version of Ally as soon as possible considering the critical nature of this vulnerability.”
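An added illustration of the fix, not the plugin's code, using Python and SQLite: the same JOIN built once by concatenating an `esc_url_raw()`-style value and once with a bound parameter, which is what `$wpdb->prepare()` provides in WordPress. The schema, rows and the simplified escaping function are constructed for the example, and the probe is only a stray trailing quote, enough to show whether user input reaches the SQL parser.

```python
import re
import sqlite3

def esc_url_raw_like(url: str) -> str:
    """Simplified model of WordPress esc_url_raw(): strips characters outside its
    allowed set but, like the real function, keeps quotes and parentheses.
    (Assumption: simplified; the real function does more URL normalisation.)"""
    url = url.strip().replace(" ", "%20")
    return re.sub(r"[^a-z0-9\-~+_.?#=!&;,/:%@$|*'()\[\]]", "", url, flags=re.I)

def make_db() -> sqlite3.Connection:
    """Constructed schema standing in for the plugin's page/remediation tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE remediations (id INTEGER PRIMARY KEY, page_id INTEGER, rule TEXT);
        INSERT INTO pages VALUES (1, 'https://example.com/'), (2, 'https://example.com/about');
        INSERT INTO remediations VALUES (1, 1, 'add-alt-text'), (2, 2, 'label-form-field');
    """)
    return db

def remediations_concat(db: sqlite3.Connection, url: str) -> list:
    """Vulnerable shape: URL-escaped value concatenated into the JOIN clause."""
    safe_for_urls = esc_url_raw_like(url)   # safe as a URL, not as SQL
    sql = ("SELECT r.rule FROM remediations r JOIN pages p ON p.id = r.page_id "
           f"AND p.url = '{safe_for_urls}'")
    return [row[0] for row in db.execute(sql)]

def remediations_prepared(db: sqlite3.Connection, url: str) -> list:
    """Fixed shape: the value travels as a bound parameter, never as SQL text."""
    sql = ("SELECT r.rule FROM remediations r JOIN pages p ON p.id = r.page_id "
           "AND p.url = ?")
    return [row[0] for row in db.execute(sql, (esc_url_raw_like(url),))]

def demo() -> dict:
    db = make_db()
    benign = "https://example.com/about"
    stray_quote = "https://example.com/about'"  # a single quote survives URL escaping
    out = {"benign_concat": remediations_concat(db, benign),
           "benign_prepared": remediations_prepared(db, benign),
           "quote_prepared": remediations_prepared(db, stray_quote)}
    try:
        remediations_concat(db, stray_quote)
        out["quote_concat"] = "parsed as SQL without error"
    except sqlite3.OperationalError as err:
        out["quote_concat"] = f"SQL syntax error: {err}"
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The prepared version returns the same rows for the benign URL and simply no rows for the quoted one, while the concatenated version lets the quote break the statement, which is the condition the advisory describes.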
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, newsletter)