9 links tagged with all of: vulnerability + security + wordpress
Links
A critical vulnerability in the W3 Total Cache WordPress plugin allows attackers to execute PHP commands on affected servers by submitting malicious comments. The flaw, tracked as CVE-2025-9501, impacts all versions before 2.8.13, and users are urged to update immediately to avoid exploitation.
A security flaw in the Post SMTP WordPress plugin has put around 400,000 sites at risk of account takeover. Attackers can exploit this vulnerability to gain unauthorized access to user accounts. Site owners need to update the plugin immediately to protect their sites.
A severe vulnerability in the ACF Extended plugin allows unauthenticated attackers to gain admin permissions on WordPress sites. Exploitation hinges on a flaw in the user creation and update forms, which fail to enforce role restrictions. Approximately 50,000 sites remain at risk despite a patch released shortly after the issue was identified.
The Anti-Malware Security and Brute-Force Firewall plugin for WordPress has a serious vulnerability that lets subscribers access any file on the server, risking exposure of sensitive information. Versions 4.23.81 and earlier are affected, but a patch was released shortly after the issue was reported. Users are advised to update their plugin to avoid potential attacks.
Hackers have begun exploiting a critical authentication bypass vulnerability in the OttoKit WordPress plugin just hours after its public disclosure. Users are urged to upgrade to version 1.0.79 to prevent unauthorized access, as attackers can create new admin accounts without authentication. Swift action is necessary to mitigate the risk of full site takeover following the flaw's identification as CVE-2025-3102.
More than 200,000 WordPress websites are at risk due to a vulnerability in the Post SMTP plugin that allows low-privileged users to hijack administrator accounts. The flaw, identified as CVE-2025-24000, stems from inadequate permission checks in the plugin's REST API, enabling unauthorized access to sensitive email logs. Although a fix was released in version 3.3.0, many users have yet to update, leaving them exposed to potential attacks.
A critical vulnerability (CVE-2025-5947) in the Service Finder WordPress theme allows attackers to bypass authentication and gain administrator access, leading to significant exploitation attempts. With over 13,800 attempts recorded, users are urged to update to version 6.1 or discontinue use of the theme to mitigate risks.
A critical vulnerability in the Forminator plugin for WordPress, tracked as CVE-2025-6463, allows unauthenticated arbitrary file deletion, which could lead to full site takeover. The issue affects all versions up to 1.44.2 and is due to insufficient input validation, enabling attackers to delete essential files like wp-config.php. Users are urged to update to version 1.44.3 to mitigate the risk.
Hackers are exploiting a critical unauthenticated file upload vulnerability in the WordPress theme 'Alone,' enabling remote code execution and site takeovers. Wordfence has recorded over 120,000 exploitation attempts, and a patched version of the theme was released following the discovery of the flaw. Users are advised to update to version 7.8.5 to mitigate risks associated with this vulnerability.