WordPress plugin with over a million installs may have a worrying security flaw - here's what we know

A critical WordPress plugin flaw allows threat actors to run arbitrary PHP commands, potentially taking over entire websites.
Bleeping Computer

Attackers use abandoned WordPress plugin to backdoor websites

Attackers are using Eval PHP, an outdated legitimate WordPress plugin, to compromise websites by injecting stealthy backdoors. Eval PHP is an old WordPress plugin that allows site admins to embed PHP ...
Hosted on MSN

Another serious WordPress plugin vulnerability could put 40,000 sites at risk of attack

Security researchers find high-severity flaw in popular WordPress plugin It allowed threat actors to run malicious code remotely A patch was released in late January 2025 Jupiter X Core, a popular ...
Threat Post

PHP Everywhere Bugs Put 30K+ WordPress Sites at Risk of RCE

The plug-in’s default settings spawned flaws that could allow for full site takeover but have since been fixed in an update that users should immediately install, Wordfence researchers said. Tens of ...
Lifehacker

Update This WordPress Plugin to Prevent a Site Takeover

Security researchers discovered a severe vulnerability present in older versions of the popular WordPress plugin Code Snippets that could allow attackers to take over a person’s website remotely. The ...
Threat Post

WordPress Page Builder Plugin Bugs Threaten 1 Million Sites with Full Takeover

Severe CSRF to XSS bugs open the door to code execution and complete website compromise. Page Builder by SiteOrigin, a WordPress plugin with a million active installs that’s used to build websites via ...
The Droid Guy

How to Identify Which WordPress Plugin or Theme Is Blocking Your PHP Update and Preventing a Smooth Upgrade

If you’ve logged into your WordPress dashboard and seen the warning that your site is running on PHP 7.4.33, you’re not alone. This outdated version no longer receives security updates, which makes ...