Everest Forms Pro WordPress Flaw is Handing Attackers Admin Access
Hackers exploit CVE-2026-3300 in Everest Forms Pro to inject PHP via form fields, creating rogue admin accounts. 29,300 attempts blocked.
WordPress
20 articles
Everest Forms Vulnerability Exploited to Hack WordPress Sites
The flaw allows attackers to execute arbitrary code remotely and has been exploited in the wild for two months. The post Everest Forms Vulnerability Exploite...
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 100
Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape Malware Newsletter Malw...
Critical Everest Forms Pro flaw exploited to take over WordPress sites
Hackers are actively exploiting a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin, which lets them take complete control of a WordPres...
Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites
Threat actors are actively exploiting a critical security flaw in Everest Forms Pro, a WordPress plugin with about 4,000 active installations, to execute arb...
[webapps] WordPress Contest Gallery 28.1.4 - Unauthenticated Blind SQL Injection
WordPress Contest Gallery 28.1.
Everest Forms Pro Vulnerability Allows Remote Code Execution on WordPress Sites
Critical Everest Forms Pro RCE flaw exploited to create rogue WordPress admin accounts
WordPress Kirki plugin vulnerability allows account takeover
The vulnerability, present in Kirki versions 6.0.
Attackers Actively Exploiting Critical Vulnerability in Everest Forms Pro Plugin
On March 30th, 2026, we publicly disclosed a critical Remote Code Execution vulnerability in Everest Forms Pro, a WordPress plugin with an estimated 4,000 ac...
WordPress Plugin Flaw Opens Door to Privilege Escalation Attacks Across 500,000+ Sites
A critical security flaw in the Kirki – Freeform Page Builder, Website Builder & Customizer WordPress plugin is exposing sites to account takeover and privil...
Critical Kirki flaw exploited to hijack WordPress admin accounts
Hackers are exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress to take over any user account, includi...
New WordPress Malware Uses Steam Profile Comments to Hide C2 Instructions
GoDaddy researchers found WordPress malware using Steam Community profile comments to hide encoded command and control data, with nearly 1,980 sites affected.
GoDaddy found malware on 1,980 WordPress sites using Steam as C2 infrastructure
Malware on approximately 2,000 WordPress sites hid C2 instructions in Steam profile comments using invisible Unicode. GoDaddy researchers spotted a command-a...
Malware hides in Steam comments to infect WordPress sites
The malware campaign, discovered in July 2025, has affected approximately 1,980 WordPress sites.
WP Maps Pro Vulnerability Exploited to Take Over WordPress Sites
The security defect (CVE-2026-8732) allows unauthenticated attackers to create administrative accounts on the affected installations. The post WP Maps Pro Vu...
WordPress malware campaign hides payloads in Steam profiles
Nearly 2,000 WordPress websites were infected with malware that relies on Steam Community profile comments to hide command-and-control (C2) data. [.
Unauthenticated Privilege Escalation Vulnerability Patched in Kirki WordPress Plugin
On May 4th, 2026, we received a submission for an Unauthenticated Privilege Escalation vulnerability in the Kirki WordPress plugin. Although the plugin has m...
[webapps] WordPress OrderConvo 14 - Path Traversal
WordPress OrderConvo 14 - Path Traversal
WP Maps Pro bug exploited to create admin accounts on WordPress sites
Hackers are targeting WordPress websites running a vulnerable version of the WP Maps Pro plugin, which allows creating rogue administrator accounts without a...
[webapps] Quick Playground for WordPress 1.3.1 - Unauthenticated Remote Code Execution
Quick Playground for WordPress 1.3.