WordPress has introduced Telex, an experimental AI tool designed to help users create website content blocks more easily, reflecting the company's commitment to democratizing publishing through open-source AI innovations. Despite being in early stages and still facing some issues, Telex showcases WordPress's exploration into AI to enhance website building, alongside other AI tools and experiments. CEO Matt Mullenweg emphasized AI's potential to empower users and advance WordPress's mission, while also acknowledging ongoing legal disputes with WP Engine.
Automattic has put its plan to migrate Tumblr's backend to WordPress on hold to focus on user-visible features, delaying the integration with the fediverse and the potential for Tumblr posts to be shared across platforms, though the idea remains under consideration for the future.
A critical vulnerability in the WordPress Hunk Companion plugin, tracked as CVE-2024-11972, is being exploited by attackers to install other vulnerable plugins, leading to potential Remote Code Execution (RCE) and other attacks. The flaw affects all versions before 1.9.0 and allows unauthorized plugin installations, posing significant security risks. This vulnerability is a patch bypass for a similar flaw, CVE-2024-9707, and highlights the importance of securing WordPress components. Additionally, a high-severity flaw in the WPForms plugin has been disclosed, affecting millions of sites.
A critical SQL injection vulnerability (CVE-2024-2879) in the LayerSlider WordPress plugin, affecting versions 7.9.11 through 7.10.0, puts over one million sites at risk of data breaches and complete takeover. The flaw, discovered by researcher AmrAwad and reported to Wordfence, allows attackers to extract sensitive data from the site's database. The plugin's creator, Kreatura Team, released a security update (version 7.10.1) within 48 hours of notification, urging all users to upgrade immediately. WordPress site admins are advised to prioritize applying security updates, disable unnecessary plugins, use strong passwords, and deactivate dormant accounts to enhance site security.
A critical security flaw (CVE-2024-2879) in the LayerSlider plugin for WordPress could lead to the extraction of sensitive information from databases. The flaw, impacting versions 7.9.11 through 7.10.0, has been addressed in version 7.10.1. Additionally, other WordPress plugins such as WP-Members Membership, Tutor LMS, and Contact Form Entries have also been found to have security vulnerabilities that could be exploited for various malicious activities.
A malware campaign has exploited a security flaw in the Popup Builder plugin for WordPress, infecting over 3,900 sites by injecting malicious JavaScript code. The attacks, orchestrated from new domains, exploit a vulnerability to create rogue admin users and install arbitrary plugins. WordPress site owners are advised to update their plugins, scan for suspicious code or users, and perform cleanup. Additionally, a high-severity bug in the Ultimate Member plugin has been disclosed, allowing unauthenticated attackers to inject malicious web scripts, emphasizing the importance of keeping website software patched and up-to-date.
Over 3,300 WordPress websites using outdated versions of the Popup Builder plugin have been compromised due to a cross-site scripting bug, allowing attackers to inject malicious code into the WordPress admin interface. The injected code led to redirections to malware downloading and phishing websites. Website owners are urged to update to version 4.2.7 of the plugin and block specific domains to prevent further attacks, while compromised websites should remove the malicious code and undergo scanning.
Hackers are exploiting a vulnerability in outdated versions of the Popup Builder plugin for WordPress, infecting over 3,300 websites with malicious code. The attacks involve injecting code into the Custom JavaScript or Custom CSS sections of the WordPress admin interface, with the primary purpose of redirecting visitors to phishing pages and malware-dropping sites. Site admins are advised to upgrade to the latest version of the plugin, block specific domains associated with the attacks, and remove malicious entries to prevent reinfection.
WordPress is a content management system that can be hosted anywhere, while WordPress.com is a site that sells hosted WordPress sites. The recent news about Automattic selling user data to AI modeling companies has raised concerns, but the primary difference between the two is that WordPress.com offers a more controlled experience with limited options and customer support, while self-hosted WordPress has no constraints but requires more technical knowledge. Data privacy concerns primarily apply to WordPress.com sites, but self-hosted sites using services like Jetpack may also be at risk.
Automattic, the parent company of WordPress and Tumblr, is in talks to sell user-generated content to AI companies for training purposes, sparking controversy internally. Some of the scraped content reportedly included private and advertising content not owned by Automattic. The company plans to introduce a new setting to allow users to opt out of having their content used for AI training, but it's unclear if this setting will be toggled on or off by default. Automattic defended the move as an opportunity to give users more control over their content, stating that they are following best practices in the industry and will respect all opt-out settings.
After running a complex backend stack for hosting a weather forecasting site, the author switched to OpenLiteSpeed (OLS) to simplify the setup. However, the transition came with challenges, including configuring OLS through a GUI and adjusting to the OLS LiteSpeed Cache plugin for WordPress. Ultimately, the author decided to abandon OLS and return to using Nginx due to the complexity and potential issues with OLS, despite its touted benefits.
A critical vulnerability in the Backup Migration plugin for WordPress has exposed over 50,000 websites to remote code execution (RCE) attacks. The security flaw, tracked as CVE-2023-6553, allows unauthenticated attackers to take control of targeted websites by injecting malicious PHP code. The vulnerability affects all versions of the plugin up to and including Backup Migration 1.3.6. The developers have released a patch, but nearly 50,000 vulnerable WordPress sites have yet to be secured. WordPress administrators are also being targeted by a phishing campaign using fake security advisories.
WordPress has released version 6.4.2 to address a critical security flaw that could allow threat actors to execute arbitrary PHP code on vulnerable sites. The vulnerability is not directly exploitable in core on its own, but chained with a separate bug it can reach high severity, especially on multisite installations. The issue is rooted in the WP_HTML_Token class introduced in version 6.4. Users are advised to update their sites, and developers are advised to replace calls to the unserialize function with alternatives such as JSON encoding/decoding.
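As an added illustration of the developer recommendation above (example code written for this digest, not WordPress core's code or the advisory's), here is a hypothetical plugin-settings loader before and after swapping PHP-native unserialize() for JSON decoding with explicit shape validation; the function names, setting keys and sample inputs are all constructed.

```php
<?php
// Before: PHP-native serialization. If $raw can ever be influenced from
// outside, unserialize() will instantiate whatever classes the string
// names and run their magic methods (__wakeup/__destruct), which is the
// class of issue the 6.4.2 advice asks developers to design out.
function load_settings_unsafe(string $raw): array {
    $data = unserialize($raw);
    return is_array($data) ? $data : [];
}

// After: JSON can only yield scalars and arrays here (assoc = true),
// so no object is ever constructed from the input, and the shape is
// validated explicitly instead of trusting whatever was decoded.
function load_settings_safe(string $raw): array {
    $data = json_decode($raw, true, 8); // assoc arrays only, limited depth
    if (!is_array($data) || json_last_error() !== JSON_ERROR_NONE) {
        return []; // malformed or non-JSON input: fall back to defaults
    }
    $ttl = $data['cache_ttl'] ?? null;
    return [
        'cache_ttl' => (is_int($ttl) && $ttl > 0) ? $ttl : 3600,
        'enabled'   => !empty($data['enabled']),
    ];
}

// Counterpart for writing: json_encode in place of serialize.
function save_settings_safe(array $settings): string {
    return json_encode($settings, JSON_THROW_ON_ERROR);
}

// Constructed inputs: a well-formed settings payload, and a serialized
// object string of the kind unserialize() would act on but json_decode()
// simply rejects as invalid JSON.
$good           = '{"cache_ttl":600,"enabled":true}';
$object_payload = 'O:8:"stdClass":1:{s:1:"x";i:1;}';

var_dump(load_settings_safe($good));           // cache_ttl => 600, enabled => true
var_dump(load_settings_safe($object_payload)); // array(0) {}  (rejected)
echo save_settings_safe(load_settings_safe($good)), PHP_EOL;
```

Storing the JSON string is the only behavioural change for callers; the stored value is also easier to audit than a serialized PHP blob.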
Researchers have discovered a sophisticated strain of malware that disguises itself as a WordPress caching plugin, allowing it to create administrator accounts and gain remote control over compromised websites. The malware includes various functions such as pinging to check if it is still operational, file modification capabilities, and the ability to activate and deactivate plugins remotely. It can also create rogue admin accounts and alter posts and page content, injecting spam links or buttons. The malware aims to monetize victim sites while compromising SEO rankings and user privacy. The exact scale of the attacks and the initial intrusion vector are currently unknown.
NASA has chosen WordPress as the content management system (CMS) for its revamped flagship website, replacing Drupal. The decision was based on factors such as the accessibility of resources, a plugin ecosystem that offers real-time content analysis, and the ease of use of the content authoring environment. The flexibility of WordPress's block editor was also a key factor, allowing NASA to create custom editor blocks for sharing discoveries and telling stories. The project involved migrating 68,698 pages and creating 3,023 new landing pages. NASA plans to open source some of its custom blocks and other project components to contribute to the WordPress community.