// #wordpress
6 articles
WishList Member WordPress Plugin: Four CVSS 8.8 Vulnerabilities Enable Subscriber-to-Admin Escalation on 100,000+ Sites
Wordfence published advisories for four CVSS 8.8 authorization failure vulnerabilities in WishList Member, a WordPress membership plugin with 100,000+ active installs, on 23 May 2026. Subscriber-level authenticated attackers can exploit the flaws to escalate to administrator access, read sensitive member data, and modify arbitrary site content. Patches are available.
WordPress Plugin Security Is an Enterprise Problem That Keeps Getting Treated as a Web Developer Problem
Four CVSS 8.8 vulnerabilities in a 100,000-install WordPress plugin — discoverable by any registered member with a subscriber account — highlight the structural mismatch between how WordPress CMS security is governed in enterprise organisations and the actual risk it carries. Membership sites, intranet portals, and course platforms built on WordPress process regulated data and host privileged access, but rarely receive enterprise-grade security governance.
Burst Statistics WordPress Plugin Authentication Bypass Actively Exploited for Mass Site Takeovers
Threat actors are actively exploiting an authentication bypass vulnerability in the Burst Statistics WordPress analytics plugin, allowing unauthenticated attackers to gain administrative access to any WordPress site with the plugin installed. Over 100,000 WordPress sites use Burst Statistics. Sites have been observed being defaced, backdoored, and redirected to malicious domains within hours of exploitation.
GoDaddy ManageWP Credentials Targeted by AiTM Phishing Campaign via Malicious Google Ads
A real-time adversary-in-the-middle phishing campaign is targeting GoDaddy ManageWP administrators through malicious Google search advertisements that appear above legitimate results for ManageWP login queries. The campaign steals session tokens via a real-time proxy, bypassing MFA, and uses Telegram for credential exfiltration. Each compromised ManageWP account typically controls hundreds of WordPress sites, making this a high-leverage credential theft campaign.
WordPress Redirect Plugin Carried Dormant Backdoor for Three Years Before Activation
Researchers have uncovered a dormant backdoor in a widely-installed WordPress redirect management plugin that remained inactive for approximately three years before being activated by the attackers. The backdoor, present across an estimated 200,000+ active installations, highlights the long-game threat of supply chain compromise in the WordPress plugin ecosystem and the limits of periodic security scanning.
Smart Slider 3 Pro Update Infrastructure Compromised — Backdoored Plugin Pushed to 800,000 Sites
Attackers breached Nextend's update servers and distributed a fully weaponised backdoor through the official Smart Slider 3 Pro update channel, affecting WordPress and Joomla sites that auto-updated between 7–8 April 2026. The compromised version 3.5.1.35 creates rogue admin accounts, drops persistent remote access tools, and exfiltrates credentials — all delivered through the trusted plugin update mechanism.