7 links tagged with all of: security + wordpress
Links
Attackers began exploiting a critical authentication bypass in the OttoKit WordPress plugin, tracked as CVE-2025-3102, within hours of its public disclosure. The flaw lets an unauthenticated attacker create new administrator accounts, which is effectively a full site takeover. Sites should upgrade to version 1.0.79 promptly and, because exploitation is already under way, review the user list for administrator accounts they did not create.
More than 200,000 WordPress sites are exposed by CVE-2025-24000 in the Post SMTP plugin, a broken access control flaw in the plugin's REST API: its permission checks are inadequate, so a low-privileged user can read the stored email logs. Those logs include outgoing password-reset emails, which is how a low-privileged account can be turned into an administrator takeover. The fix shipped in version 3.3.0, but a large share of installs have not yet updated.
A critical authentication bypass (CVE-2025-5947) in the Service Finder WordPress theme lets attackers gain administrator access without valid credentials, and it is being exploited at scale: over 13,800 attempts have been recorded. Update to version 6.1, or remove the theme if it is no longer needed.
A new malware strain targets WordPress sites by presenting a fake Cloudflare-branded page during checkout, tricking shoppers into entering sensitive information. The campaign is aimed at e-commerce installs, so both site owners and their customers are exposed. Administrators should review their checkout flow for injected scripts or unexpected Cloudflare-style interstitials and tighten their site's defences accordingly.
A critical vulnerability in the Forminator plugin for WordPress, tracked as CVE-2025-6463, allows unauthenticated arbitrary file deletion in all versions up to 1.44.2 because of insufficient input validation. Deleting wp-config.php is the dangerous case: without its configuration file WordPress drops back into its installation routine, and whoever completes that setup, for example against a database they control, ends up with the site. Update to version 1.44.3.
WPAUDIT is a WordPress security audit tool for penetration testers and security professionals, covering vulnerability scanning and penetration-testing workflows against WordPress installations. Its modular architecture supports customizable scan profiles and integration with other security tools, and the documentation covers setup, usage, and extending it with new modules.
Attackers are exploiting a critical unauthenticated arbitrary file upload vulnerability in the 'Alone' WordPress theme, which gives remote code execution and full site takeover. Wordfence has recorded over 120,000 exploitation attempts, and a patched version was released after the flaw was found. Update to version 7.8.5, and since the bug allows file upload, check the site's upload directories for PHP files that should not be there.
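Five of the entries above name a patched version. As an added example (my code, not from any of the linked articles or from the projects they cover), the script below compares the `Version:` header of installed plugins and themes against those patched versions so an operator can tell at a glance which of the listed components still need updating. The directory slugs, the sample headers and all helper names are assumptions made for this example; the digest names the products, not their install directories.

```python
"""Flag plugins/themes older than the patched versions named in this digest.

Added example, not code from any linked article or project. The directory
slugs (wp-content/plugins/<slug>, wp-content/themes/<slug>) are assumptions;
the digest names the products, not their install directories.
"""
import re
import sys
from pathlib import Path
from typing import Optional

# (kind, patched version as stated in the digest, CVE id as stated in the digest)
PATCHED = {
    "ottokit":        ("plugin", "1.0.79", "CVE-2025-3102"),
    "post-smtp":      ("plugin", "3.3.0",  "CVE-2025-24000"),
    "forminator":     ("plugin", "1.44.3", "CVE-2025-6463"),
    "service-finder": ("theme",  "6.1",    "CVE-2025-5947"),
    "alone":          ("theme",  "7.8.5",  None),  # the digest gives no CVE id
}

# The Version: line of a plugin main file or theme style.css. Leading comment
# characters are allowed, as in the header pattern WordPress itself uses.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:(.*)$", re.IGNORECASE | re.MULTILINE)
PLUGIN_NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.IGNORECASE | re.MULTILINE)


def parse_version(text: str) -> tuple:
    """'1.44.2' -> (1, 44, 2). Numeric components only; trailing zeros are
    dropped so '6.1' and '6.1.0' compare equal. Tuple ordering then orders versions."""
    nums = [int(p) for p in re.findall(r"\d+", text)]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def header_version(file_text: str) -> Optional[str]:
    """Return the Version: header value, or None if the file has none."""
    m = VERSION_RE.search(file_text)
    return m.group(1).strip() if m else None


def is_vulnerable(slug: str, installed: str) -> Optional[bool]:
    """True if installed is older than the digest's patched version for slug,
    False if at or above it, None if the slug is not one the digest covers."""
    if slug not in PATCHED:
        return None
    _, fixed, _ = PATCHED[slug]
    return parse_version(installed) < parse_version(fixed)


def audit(headers: dict) -> list:
    """headers maps slug -> header text. Returns (slug, installed, patched, cve)
    for every covered component that is still on a pre-patch version."""
    findings = []
    for slug, text in headers.items():
        installed = header_version(text)
        if installed is None or not is_vulnerable(slug, installed):
            continue
        _, fixed, cve = PATCHED[slug]
        findings.append((slug, installed, fixed, cve))
    return findings


def collect_headers(wp_content: Path) -> dict:
    """Read headers from a real install: the first .php file in each plugin
    directory that carries a Plugin Name: header, and each theme's style.css."""
    out = {}
    plugins = wp_content / "plugins"
    if plugins.is_dir():
        for d in sorted(p for p in plugins.iterdir() if p.is_dir()):
            for php in sorted(d.glob("*.php")):
                text = php.read_text(errors="ignore")
                if PLUGIN_NAME_RE.search(text):
                    out[d.name] = text
                    break
    themes = wp_content / "themes"
    if themes.is_dir():
        for css in sorted(themes.glob("*/style.css")):
            out[css.parent.name] = css.read_text(errors="ignore")
    return out


# Constructed sample headers so the check runs offline; not from a real install.
SAMPLE_HEADERS = {
    "forminator":     "<?php\n/*\nPlugin Name: Forminator\nVersion: 1.44.2\n*/\n",
    "post-smtp":      "<?php\n/**\n * Plugin Name: Post SMTP\n * Version: 3.3.0\n */\n",
    "service-finder": "/*\nTheme Name: Service Finder\nVersion: 6.1.0\n*/\n",
    "alone":          "/*\nTheme Name: Alone\nVersion: 7.8.4\n*/\n",
    "hello-dolly":    "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/\n",
}

if __name__ == "__main__":
    # Usage: python wp_version_check.py /var/www/html/wp-content
    headers = collect_headers(Path(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for slug, installed, fixed, cve in audit(headers):
        print(f"{slug}: {installed} is below patched {fixed} ({cve or 'no CVE id given'})")
```

Run without arguments it audits the constructed samples and reports Forminator 1.44.2 and Alone 7.8.4; pointed at a real wp-content directory it reads the headers from disk. A version check only says whether a component is still exposed, not whether it was already exploited: for the account-creation and file-upload entries above, still review administrator accounts and upload directories after patching.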