This week in Wordfence Security News (Week of Apr 13, 2026):

• Over 30 WordPress plugins purchased on the Flippa marketplace were turned into backdoors that sat dormant for eight months before activating to inject SEO spam into wp-config.php, visible only to Googlebot
• Smart Slider 3 Pro's update infrastructure was compromised, pushing a weaponized build through the official update channel for approximately six hours before being caught
• Microsoft's second-largest Patch Tuesday ever fixes roughly 165 vulnerabilities including a SharePoint spoofing zero-day already under active exploitation and a Defender privilege escalation zero-day linked to the BlueHammer public exploit
• Adobe released an emergency patch for an Acrobat Reader zero-day exploited in the wild since late 2025, discovered via malicious Russian-language PDFs about gas supply disruptions
• ShinyHunters extortion group listed Rockstar Games on its leak site after stealing authentication tokens from cloud analytics platform Anadot and accessing Rockstar's connected Snowflake data warehouse
• A critical pre-authentication remote code execution flaw in Marimo, an open-source Python notebook platform, was exploited within 10 hours of its advisory being published with no public proof of concept

Timestamps:

0:00 Introduction
0:26 Supply Chain Attack on 30+ Essential Plugin WordPress Plugins
2:08 Smart Slider 3 Pro Update Infrastructure Compromised
2:55 Kali Forms and Ninja Forms File Upload Exploitation Updates
3:21 Microsoft Patch Tuesday with SharePoint and Defender Zero-Days
5:31 Adobe Acrobat Reader Zero-Day Emergency Patch
6:26 ShinyHunters Breach of Rockstar Games via Anadot Tokens
7:16 Marimo RCE Exploited Within 10 Hours of Disclosure

Story Links:

• 30+ Plugins Backdoored After Flippa Acquisition: https://anchor.host/someone-bought-30-wordpress-plugins-and-planted-a-backdoor-in-all-of-them/
• Smart Slider 3 Pro — Supply Chain Compromise: https://smartslider.helpscoutdocs.com/article/2144-wordpress-security-advisory-smart-slider-3-pro-3-5-1-35-compromise
• Kali Forms exploitation update: https://www.wordfence.com/blog/2026/04/attackers-actively-exploiting-critical-vulnerability-in-kali-forms-plugin/
• Ninja Forms File Upload exploitation update: https://www.wordfence.com/blog/2026/04/50000-wordpress-sites-affected-by-arbitrary-file-upload-vulnerability-in-ninja-forms-file-upload-wordpress-plugin/
• April Patch Tuesday — SharePoint Zero-Day Exploited: https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/
• BlueHammer — Defender Zero-Day: https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2026-patch-tuesday-fixes-167-flaws-2-zero-days/
• Adobe Reader Zero-Day — Exploited Since Late 2025: https://helpx.adobe.com/security/products/acrobat/apsb26-43.html
• Rockstar Games Breach via Third-Party Analytics: https://www.bleepingcomputer.com/news/security/stolen-rockstar-games-analytics-data-leaked-by-extortion-gang/
• Marimo RCE — Exploited in Under 10 Hours: https://www.sysdig.com/blog/marimo-oss-python-notebook-rce-from-disclosure-to-exploitation-in-under-10-hours

Stay informed and secure: get the latest WordPress security news on the Wordfence blog or subscribe to the WordPress Security Newsletter.

This week in Wordfence Security News (Week of Apr 6, 2026):

• An arbitrary file upload vulnerability in Ninja Forms File Upload puts 50,000+ WordPress sites at risk
• A Fortinet zero-day actively exploited in the wild
• A CERT-EU report reveals a European Commission cloud breach tied to a Trivy supply chain attack — with Cisco source code stolen in the fallout
• Anthropic announces Project Glasswing
• Germany doxes "UNKN," the head of the REvil and GandCrab ransomware gangs

Story Links:

• Ninja Forms File Upload Vulnerability: https://www.wordfence.com/blog/2026/04/50000-wordpress-sites-affected-by-arbitrary-file-upload-vulnerability-in-ninja-forms-file-upload-wordpress-plugin/
• Fortinet Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-26-099
• CERT-EU Report: https://cert.europa.eu/blog/european-commission-cloud-breach-trivy-supply-chain
• Cisco / Trivy Fallout: https://www.bleepingcomputer.com/news/security/cisco-source-code-stolen-in-trivy-linked-dev-environment-breach/
• Anthropic Glasswing Announcement: https://www.anthropic.com/
• Krebs on Security (REvil): https://krebsonsecurity.com/2026/04/germany-doxes-unkn-head-of-ru-ransomware-gangs-revil-gandcrab/

Stay informed and secure: get the latest WordPress security news on the Wordfence blog or subscribe to the WordPress Security Newsletter.

This week in Wordfence Security News (Week of Mar 30, 2026): 

• Over 200,000 WordPress sites at risk from an unauthenticated arbitrary file move vulnerability in the MW WP Form plugin, allowing full site takeover
• Massive spike in exploitation attempts targeting the Kali Forms RCE vulnerability, with activity increasing over 60x week-over-week
• A major supply chain attack compromises the widely used Axios JavaScript library, distributing backdoored versions to developers worldwide Active exploitation of a critical Citrix NetScaler vulnerability enabling session hijacking and potential full appliance compromise
• European Commission confirms a cloud breach with data theft claims by ShinyHunters
• Cisco internal development environment breached via poisoned Trivy supply chain attack, exposing source code and credentials

Timestamps:

0:00 Introduction
0:30 MW WP Form Vulnerability
1:15 Kali Forms Exploitation Surge
1:55 Axios Supply Chain Attack
3:20 Citrix NetScaler Active Exploitation
4:57 European Commission Breach
5:50 Cisco Dev Environment Breach
6:47 Wrap up discussion

Story Links:

• MW WP Form Vulnerability
• Kali Forms Exploitation Update
• Axios Supply Chain Attack (Wiz)
• Citrix NetScaler Advisory
• European Commission Breach (Bloomberg)
• Cisco / Trivy Supply Chain Attack

Stay informed and secure: get the latest WordPress security news on the Wordfence blog or subscribe to the WordPress Security Newsletter.  

This week in Wordfence Security News (Week of Mar 23, 2026): 

• Same-day exploitation of a critical RCE vulnerability in the Kali Forms plugin, attackers can achieve full admin takeover with a single request
• Ongoing mass exploitation of the s2Member plugin targeting password reset functionality
• Breaking News: Iran-linked hackers claim breach of FBI Director Kash Patel’s personal email
• A critical Cisco firewall management vulnerability exploited as a zero-day by ransomware actors
• FBI and CISA warn of phishing campaigns targeting messaging app accounts

Timestamps:

0:00 Introduction
0:25 Kali Forms RCE Vulnerability
1:34 s2Member Mass Exploitation
2:20 Breaking News – FBI Email Breach
2:45 Cisco Firewall RCE Exploitation
5:03 Messaging App Phishing Campaigns

Story Links:

• Kali Forms RCE Vulnerability: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/kali-forms/kali-forms-249-unauthenticated-remote-code-execution-via-form-process
• s2Member Exploitation Campaign: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/s2member/s2member-260127-unauthenticated-privilege-escalation-via-account-takeover
• Cisco Firewall Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh
• Interlock Ransomware Coverage: https://www.ic3.gov/PSA/2026/PSA260320
• Reuters – FBI Email Breach: https://www.reuters.com/world/us/iran-linked-hackers-claim-breach-of-fbi-directors-personal-email-doj-official-2026-03-27/

Stay informed and secure: get the latest WordPress security news on the Wordfence blog or subscribe to the WordPress Security Newsletter.  

This week in Wordfence Security News (Week of Mar 9, 2026): 

• A critical auth bypass in Tutor LMS Pro exposes 30,000+ WordPress sites — attackers can hijack admin accounts via a Google sign-in flaw
• An unauthenticated SQL injection in Ally (400K+ sites)
• Microsoft Patch Tuesday with ~80 fixes including AI-related exploits
• A max-severity Cisco SD-WAN zero-day exploited since 2023
• Iran-linked group Handala's claimed attack on medical device maker Stryker.

Timestamps:

0:00 Introduction
0:22 Tutor LMS Pro Authentication Bypass
1:31 Ally WordPress Plugin SQL Injection
1:50 Microsoft Patch Tuesday
2:46 Cisco SD-WAN Zero-Day
4:26 Handala Attack on Stryker
5:03 Iranian Drone Strikes on AWS Data Centers

Story Links:

• Tutor LMS Pro Auth Bypass: https://www.wordfence.com/blog/2026/03/30000-wordpress-sites-affected-by-authentication-bypass-vulnerability-in-tutor-lms-pro-wordpress-plugin/
• Ally Plugin SQL Injection: https://www.wordfence.com/blog/2026/03/400000-wordpress-sites-affected-by-unauthenticated-sql-injection-vulnerability-in-ally-wordpress-plugin/
• Microsoft Patch Tuesday: https://msrc.microsoft.com/update-guide/
• Cisco SD-WAN Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
• Iran Cyber Retaliation: https://industrialcyber.co/reports/cyber-retaliation-surges-after-us-israel-strikes-on-iran-as-hacktivists-hit-governments-defense-critical-sectors/
• Stryker Cyberattack (WSJ): https://www.wsj.com/articles/stryker-hit-with-suspected-iran-linked-cyberattack-52f6615c
• AWS Data Centers Struck (BBC): https://www.bbc.com/news/articles/cgk28nj0lrjo
• Weekly Vulnerability Report: https://www.wordfence.com/blog/2026/03/wordfence-intelligence-weekly-wordpress-vulnerability-report-march-2-2026-to-march-8-2026/

Stay informed and secure: get the latest WordPress security news on the Wordfence blog or subscribe to the WordPress Security Newsletter.