Wordfence Security News

Wordfence

Wordfence Security News is a weekly cybersecurity news podcast covering the top news stories from the world of WordPress security and the broader cybersecurity threat landscape. Hosted by cybersecurity expert and Wordfence researcher Alex Thomas.

  1. WordPress Plugin Supply Chain Attacks, Ivanti CVSS 10 & phpBB Hijacks | Wordfence Security News #12

    26 juni

    WordPress Plugin Supply Chain Attacks, Ivanti CVSS 10 & phpBB Hijacks | Wordfence Security News #12

    WordPress Supply Chain Attacks, Ivanti Root Flaw, and phpBB Account Takeovers This week in Wordfence Security News (Week of June 15, 2026): ShapedPlugin's paid pro plugins were backdoored via the vendor's update system, stealing passwords and 2FA secretsOptinMonster, TrustPulse, and PushEngage served a tampered CDN script that targeted logged-in adminsOracle PeopleSoft zero-day exploited by ShinyHunters hit 300+ systems, 68% in higher educationIvanti Sentry CVSS 10 OS command injection flaw gives attackers root, added to CISA KEVLangflow AI app builder path traversal flaw now actively exploited against unpatched instancesphpBB authentication bypass lets attackers hijack any account with just a username and one requestTimestamps: 0:00 Introduction 0:42 ShapedPlugin Multiple Plugins Supply Chain Compromised 5:11 OptinMonster / TrustPulse / PushEngage Tampered Script Served via Compromised CDN 7:48 Oracle PeopleSoft Zero-Day Exploited by ShinyHunters 10:17 Ivanti Sentry CVSS 10 RCE Added to KEV 11:53 Langflow RCE Actively Exploited Against Exposed AI App Builders 13:46 phpBB Authentication Bypass Lets Attackers Hijack Accounts Story Links: ShapedPlugin Multiple Plugins Supply Chain CompromisedOptinMonster / TrustPulse / PushEngage Tampered Script Served via Compromised CDNOracle PeopleSoft Zero-Day Exploited by ShinyHuntersIvanti Sentry CVSS 10 RCE Added to KEVLangflow RCE Actively Exploited Against Exposed AI App BuildersphpBB Authentication Bypass Lets Attackers Hijack AccountsStay informed and secure: get the latest Wordfence Security News on the Wordfence blog or subscribe to the WordPress Security Newsletter.

    16 min
  2. Kirki & UpdraftPlus Exploits, Miasma Supply Chain Worm & 3 Zero-Days | Wordfence Security News #11

    18 juni

    Kirki & UpdraftPlus Exploits, Miasma Supply Chain Worm & 3 Zero-Days | Wordfence Security News #11

    Kirki & UpdraftPlus Exploited, Miasma Supply Chain Worm & 3 Zero-Days | Wordfence Security News #11 In this episode of Wordfence Security News: Kirki's password reset endpoint lets unauthenticated attackers redirect admin reset links to any inbox, enabling full account takeover.UpdraftPlus UpdraftCentral auth bypass allows unauthenticated attackers to install plugins and achieve remote code execution on connected sites.Check Point Remote Access VPN zero-day exploited since May 7 lets attackers bypass credentials entirely; one intrusion tied to Qilin ransomware affiliate.Cisco Catalyst SD-WAN Manager zero-day command injection, chainable with two auth bypasses, lets attackers push rogue config to all edge devices as root.Chrome 149 patches 429 vulnerabilities - nearly triple the previous record - including 22 critical CVEs, with $208,000 in bounty rewards paid out.Miasma supply chain worm hit 113+ GitHub repositories by planting AI coding tool config files that exfiltrate cloud credentials on folder open. Timestamps: 0:00 Introduction 0:39 Kirki Password Reset Exploit Goes Live 2:59 UpdraftPlus UpdraftCentral Auth Bypass to RCE 6:50 Check Point VPN Zero-Day Exploited by Qilin Ransomware Affiliate 8:59 Cisco SD-WAN Manager Zero-Day Exploited to Gain Root 11:20 Chrome 149 Ships Record Browser Security Update 13:20 Miasma Worm Targets Developer Workflows and AI Coding Tools Story Links: Kirki Password Reset Exploit Goes LiveUpdraftPlus UpdraftCentral Auth Bypass to RCECheck Point VPN Zero-Day Exploited by Qilin Ransomware AffiliateCisco SD-WAN Manager Zero-Day Exploited to Gain RootChrome 149 Ships Record Browser Security UpdateMiasma Worm Targets Developer Workflows and AI Coding Tools Stay informed and secure: get the latest WordPress security news on the Wordfence blog or subscribe to the WordPress Security Newsletter.

    16 min
  3. Wordfence Security News #10 - WPMaps Pro Exploited, Palo Alto VPN Bug, and AI Agent-Driven Intrusion

    10 juni

    Wordfence Security News #10 - WPMaps Pro Exploited, Palo Alto VPN Bug, and AI Agent-Driven Intrusion

    Wordfence Security News #10 - WPMaps Pro Exploited, Palo Alto VPN Bug, and AI Agent-Driven Intrusion This week in Wordfence Security News (Week of June 1, 2026): WP Maps Pro flaw lets unauthenticated attackers forge admin accounts; exploitation began May 19th, before public disclosure.Palo Alto PAN-OS GlobalProtect authentication bypass under active attack; CISA added it to KEV with a June 1st federal patch deadline.FortiClient EMS exploited post-patch to push EKZ infostealer disguised as a Fortinet update to managed endpoints.Sysdig documented the first captured intrusion where an LLM agent drove post-compromise activity in real time via unpatched Marimo.Flowise one-click RCE lets a malicious chatflow execute code on import; self-hosted installs at risk via STDIO MCP execution path.Timestamps: 0:00 Introduction 0:34 WP Maps Pro Unauthenticated Admin Account Creation (CVE-2026-8732) 3:00 Palo Alto PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) 5:36 FortiClient EMS Exploited to Deliver EKZ Infostealer (CVE-2026-35616) 7:11 First Documented LLM-Agent-Driven Intrusion (Marimo, CVE-2026-39987) 9:32 Flowise One-Click RCE and the MCP stdio Execution Problem (CVE-2026-40933) Story Links: WP Maps Pro Unauthenticated Admin Account Creation (CVE-2026-8732)Palo Alto PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257)FortiClient EMS Exploited to Deliver EKZ Infostealer (CVE-2026-35616)First Documented LLM-Agent-Driven Intrusion (Marimo, CVE-2026-39987)Flowise One-Click RCE and the MCP stdio Execution Problem (CVE-2026-40933)Stay informed and secure: get the latest WordPress security news on the Wordfence blog or subscribe to the WordPress Security Newsletter.

    12 min
  4. WooCommerce RCE | Drupal SQLi | Ghost CMS Clickfix Attack | Wordfence Security News | May 25, 2026

    4 juni

    WooCommerce RCE | Drupal SQLi | Ghost CMS Clickfix Attack | Wordfence Security News | May 25, 2026

    WooCommerce RCE active exploitation, Drupal SQL injection attacks, Microsoft Defender zero-days, Ghost CMS ClickFix campaign, TrapDoor supply chain, Nimbus Manticore backdoor. This week in Wordfence Security News (Week of May 25, 2025): WooCommerce Custom Product Add-ons Pro RCE flaw (CVE-2026-4001) is under active attack, with exploit attempts spiking May 23-27 against the 21,000-install plugin.Drupal Core SQL injection (CVE-2026-9082) hit 6,000 sites across 65 countries within 48 hours of patch release, with attackers exploiting PostgreSQL-backend installs.Microsoft issued emergency out-of-band Defender patches for two exploited zero-days - RedSun and UnDefend - after a researcher published proof-of-concept exploits without coordinated disclosure.Over 700 Ghost CMS sites were compromised via a ClickFix campaign exploiting a SQL injection flaw discovered by Claude Opus 4.6 during Anthropic security testing.TrapDoor cross-ecosystem supply chain campaign spread across NPM, PyPI, and Crates.io with 34-plus malicious packages stealing SSH keys, cloud credentials, and crypto wallet data.Iranian state-aligned Nimbus Manticore ran three campaign waves since late February, deploying a new AI-assisted MiniFast backdoor via phishing, trojanized Zoom installers, and search engine poisoning.Timestamps: 0:00 Introduction 0:31 WooCommerce Custom Product Add-ons Pro RCE Active Exploitation 2:06 Drupal Core SQL Injection Active Exploitation 4:37 Microsoft Defender RedSun and UnDefend Zero-Days 7:11 Ghost CMS ClickFix Campaign 9:43 TrapDoor Cross-Ecosystem Supply Chain Campaign 11:43 Nimbus Manticore AI-Assisted MiniFast Backdoor Story Links: WooCommerce Custom Product Addons Pro RCE (CVE-2026-4001)Drupal Core SQL Injection (CVE-2026-9082)Microsoft Defender RedSun and UnDefend Zero-Days (CVE-2026-41091, CVE-2026-45498)Ghost CMS ClickFix Campaign (CVE-2026-26980)TrapDoor Cross-Ecosystem Supply Chain CampaignNimbus Manticore AI-Assisted MiniFast Backdoor Stay informed and secure: get the latest WordPress security news on the Wordfence blog or subscribe to the WordPress Security Newsletter.

    14 min
  5. Burst Statistics Bypass Threatens 200,000 WordPress Sites | Microsoft Exchange Zero-Day Under Active Exploitation | Critical Cisco SD-WAN Controller Flaw Exploited | Shai-Hulud Worm Source Code Open-Sourced | Wordfence Security News | Week of May 18, 20

    22 maj

    Burst Statistics Bypass Threatens 200,000 WordPress Sites | Microsoft Exchange Zero-Day Under Active Exploitation | Critical Cisco SD-WAN Controller Flaw Exploited | Shai-Hulud Worm Source Code Open-Sourced | Wordfence Security News | Week of May 18, 20

    This week in Wordfence Security News (Week of May 18, 2026): Burst Statistics plugin auth bypass lets unauthenticated attackers impersonate admins; Wordfence blocked 88,000+ requests across 376 sites.Microsoft Exchange OWA zero-day XSS flaw under active exploitation with no permanent patch; CISA deadline set for May 29th.Cisco Catalyst SD-WAN auth bypass exploited by UAT-8616; CISA gave federal agencies three days to patch under Emergency Directive 26-03.ChromaDB pre-auth RCE loads attacker-controlled AI models before the auth check runs; 73% of exposed instances run a vulnerable version.Shai-Hulud worm source code released on GitHub by TeamPCP; copycat packages appeared on NPM within days of publication.node-ipc npm package with 800,000 weekly downloads was compromised via an attacker re-registering a maintainer's expired email domain.Timestamps: 0:00 Introduction0:37 Burst Statistics Auth Bypass Threatens 200K WordPress Sites2:52 Microsoft Exchange OWA Zero-Day Under Active Exploitation5:24 Critical Cisco Catalyst SD-WAN Controller Auth Bypass Under Attack7:11 ChromaDB Pre-Auth RCE Allows AI Vector Database Server Takeover9:24 Shai-Hulud Worm Source Code Released on GitHub11:02 node-ipc npm Package Compromised via Expired Maintainer Domain Story Links: Burst Statistics Auth Bypass Threatens 200K WordPress Sites: https://www.wordfence.com/blog/2026/05/200000-wordpress-sites-at-risk-from-critical-authentication-bypass-vulnerability-in-burst-statistics-plugin/Microsoft Exchange OWA Zero-Day Under Active Exploitation: https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498Critical Cisco Catalyst SD-WAN Controller Auth Bypass Under Attack: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SWChromaDB Pre-Auth RCE Allows AI Vector Database Server Takeover: https://www.hiddenlayer.com/research/chromatoast-served-pre-authShai-Hulud Worm Source Code Released on GitHub: https://www.ox.security/blog/shai-hulud-open-source-malware-github/node-ipc npm Package Compromised via Expired Maintainer Domain: https://www.bleepingcomputer.com/news/security/popular-node-ipc-npm-package-compromised-to-steal-credentials/Stay informed and secure: get the latest WordPress security news on the Wordfence blog or subscribe to the WordPress Security Newsletter.

    12 min
  6. Google Identifies First AI-Developed Zero-Day | Gravity SMTP Mass Exploitation Leaks API Keys | Palo Alto Firewall Flaw Exploited by State Actors | TanStack Release Pipeline Hijacked | Wordfence Security News | Week of May 11, 2026

    16 maj

    Google Identifies First AI-Developed Zero-Day | Gravity SMTP Mass Exploitation Leaks API Keys | Palo Alto Firewall Flaw Exploited by State Actors | TanStack Release Pipeline Hijacked | Wordfence Security News | Week of May 11, 2026

    This week in Wordfence Security News (Week of May 11, 2026): Active mass exploitation of an information disclosure vulnerability in Gravity SMTP exposes API keys and mail service credentials, with the Wordfence firewall blocking nearly 788,000 exploit attempts across more than 77,000 unique WordPress sitesA critical authentication bypass in cPanel and WHM is now under active exploitation, allowing unauthenticated attackers to gain administrative access and potentially compromising every WordPress site on a shared hostSuspected state-sponsored attackers exploit a Palo Alto PAN-OS zero-day buffer overflow in the User ID Authentication Portal, achieving root code execution on PA series and VM series firewalls and pivoting via high-availability failoverThe Shai-Hulud supply chain worm returns as attackers hijack TanStack's GitHub Actions release pipeline, publishing over 170 malicious packages across NPM and PyPI with valid signatures and provenance attestationsGoogle's Threat Intelligence group identifies the first zero-day exploit believed to have been developed with AI assistance, targeting a two-factor authentication bypass in an unnamed open source web administration toolA Linux kernel privilege escalation vulnerability called Dirty Frag becomes public after its coordinated disclosure embargo collapses, with Microsoft Defender reporting limited in-the-wild exploitation for root escalation after SSH accessTimestamps: 0:00 Introduction0:33 Gravity SMTP Information Disclosure Exploitation3:19 cPanel and WHM Authentication Bypass4:22 Palo Alto PAN-OS Zero-Day5:56 Shai-Hulud Supply Chain Worm Hits TanStack7:09 Google Identifies First AI-Assisted Zero-Day8:24 Dirty Frag Linux Kernel Privilege Escalation Story Links: Gravity SMTP Exploited at Scale: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/gravitysmtp/gravity-smtp-214-unauthenticated-sensitive-information-exposure-via-rest-apiPAN-OS zero-day: https://security.paloaltonetworks.com/CVE-2026-0300Mini Shai-Hulud worm: https://www.wiz.io/blog/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromisedGoogle GTIG AI zero-day: https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-accessDirtyFrag Linux LPE: https://github.com/V4bel/dirtyfragStay informed and secure: get the latest WordPress security news on the Wordfence blog or subscribe to the WordPress Security Newsletter.

    10 min
  7. Breeze Cache Mass Exploitation in 24 Hours | Bitwarden CLI Supply Chain Attack | ADT Confirmed in ShinyHunters Breach | Pack2TheRoot 12-Year-Old PackageKit Privilege Escalation (CVE-2026-41651) | Wordfence Security News | Week of April 27, 2026

    4 maj

    Breeze Cache Mass Exploitation in 24 Hours | Bitwarden CLI Supply Chain Attack | ADT Confirmed in ShinyHunters Breach | Pack2TheRoot 12-Year-Old PackageKit Privilege Escalation (CVE-2026-41651) | Wordfence Security News | Week of April 27, 2026

    This week in Wordfence Security News (Week of Apr 27, 2026): A critical unauthenticated arbitrary file upload vulnerability in BreezeCache, a caching plugin with over 400,000 active installations, went from disclosure to mass exploitation in under 24 hours with over 22,000 exploit attempts blocked across nearly 5,000 sitesAttackers published a malicious version of the Bitwarden CLI package on NPM that harvested credentials from six different sources including SSH keys, cloud secret stores, and AI assistant configs during a 93-minute window before removalThe Bitwarden supply chain attack connects to a broader campaign targeting Checkmarx, with Team PCP claiming responsibility and links to the Shai-Hulud self-propagating NPM worm from 2025Home security giant ADT confirmed a data breach after ShinyHunters listed the company on its leak site, with Have I Been Pwned tracking 5.5 million unique email addresses tied to the breachShinyHunters used a voice phishing attack to compromise an ADT employee's Okta SSO account and pivot to Salesforce, highlighting why phishing-resistant MFA like FIDO2 or WebAuthn is critical over SMS or TOTPA 12-year-old privilege escalation vulnerability dubbed Pack2TheRoot in PackageKit lets any local unprivileged user install arbitrary packages as root, affecting Ubuntu, Debian, Fedora, and Rocky Linux since 2014Timestamps: 0:00 Introduction0:34 BreezeCache Critical File Upload Vulnerability and Mass Exploitation3:50 Bitwarden CLI Supply Chain Attack via NPM6:25 ADT Data Breach by ShinyHunters7:49 Why Phishing-Resistant MFA Matters8:54 PackageKit Privilege Escalation Vulnerability Story Links: Breeze Cache — Active Exploitation (CVE-2026-3844): https://www.wordfence.com/threat-intel/vulnerabilities/id/e342b1c0-6e7f-4e2c-8a52-018df12c12a0Bitwarden CLI Compromised in Checkmarx Supply Chain Attack: https://thehackernews.com/2026/04/bitwarden-cli-compromised-in-ongoing.htmlSharePoint Patching Laggards — CVE-2026-32201: https://www.bleepingcomputer.com/news/security/over-1-300-microsoft-sharepoint-servers-vulnerable-to-ongoing-attacks/ADT Confirmed in ShinyHunters Breach: https://www.bleepingcomputer.com/news/security/adt-confirms-data-breach-after-shinyhunters-leak-threat/Pack2TheRoot — 12-Year-Old PackageKit Privilege Escalation (CVE-2026-41651): https://github.security.telekom.com/2026/04/pack2theroot-linux-local-privilege-escalation.htmlStay informed and secure: get the latest WordPress security news on the Wordfence blog or subscribe to the WordPress Security Newsletter.

    10 min

Om

Wordfence Security News is a weekly cybersecurity news podcast covering the top news stories from the world of WordPress security and the broader cybersecurity threat landscape. Hosted by cybersecurity expert and Wordfence researcher Alex Thomas.