Informed Webmaster

1. core updates
2. which of your plugins are compatible with core updates
3. which of your plugins and themes need updating (Wordpress does not update themes and plugins automatically)
4. what plugins are under attack by hackers
5. if Wordpress in general is under attack by hackers

WordPress 5.3.1 is now available!

This security and maintenance release features 46 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.

WordPress 5.3.1 is a short-cycle maintenance release. The next major release will be version 5.4.

One flaw found in WordPress plugins Ultimate Addons for Beaver Builder and Ultimate Addons for Elementor is actively being exploited.


Security researchers are warning users of two WordPress plugins made by Brainstorm Force that they need to patch a “major” vulnerability that could allow hackers to gain administrative access to any website using the plugins.

The plugins in question are Ultimate Addons for Beaver Builder and Ultimate Addons for Elementor. Both WordPress plugins are designed to help website publishers easily add advanced designs and user functions to websites built using the specific frameworks Beaver Builder and Elementor...

WordPress 5.3.2 is now available!

This maintenance release features 5 fixes and enhancements.

WordPress 5.3.2 is a short-cycle maintenance release. The next major release will be version 5.4.

You can download WordPress 5.3.2 by clicking the button at the top of this page, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Authentication bypass bugs in WordPress plugins InfiniteWP Client and WP Time Capsule leave hundreds of thousands of sites open to attack.


Two WordPress plugins, InfiniteWP Client and WP Time Capsule, suffer from the same critical authorization bypass bug that allows adversaries to access a site’s backend with no password.

All an attacker needs is the admin username for the WordPress plugins and they are in, according to researchers from WebArx who created proof-of-concept attacks to exploit the vulnerabilities.

...The WordPress plugin in question in Code Snippets, which allows users to run small chunks of PHP code on their websites. This can be used to extend the functionality of the website (essentially used as a mini-plugin). The flaw (CVE-2020-8417) has been patched by the plugin’s developer, Code Snippets Pro.

“This is a high severity security issue that could cause complete site takeover, information disclosure, and more,” said Chloe Chamberland with Wordfence, who discovered the flaw, in an analysis this week. “We highly recommend updating to the latest version (2.14.0) immediately.”...

..A popular WordPress plugin, which helps make websites compliant with the General Data Protection Regulation (GDPR), has issued fixes for a critical flaw. If exploited, the vulnerability could enable attackers to modify content or inject malicious JavaScript code into victim websites.

The plugin, GDPR Cookie Consent, which helps businesses display cookie banners to show that they are compliant with EU’s privacy regulation, has more than 700,000 active installations – making it a ripe target for attackers. The vulnerability, which does not yet have a CVE number, affects GDPR Cookie Consent version 1.8.2 and below...

...Researchers are urging users of a vulnerable WordPress plugin, ThemeGrill Demo Importer, to update as soon as possible after discovering attackers are actively exploiting a flaw in the plugin....

When patched last week, the bug affected at least 1 million websites. Zero-day exploits were going on then.


Active exploits are targeting a recently patched flaw in the popular WordPress plugin Duplicator, which has more than 1 million active installations. So far, researchers have seen 60,000 attempts to harvest sensitive information from victims.

Researchers at Wordfence who discovered the in-the-wild attacks said in a post Thursday that 50,000 of those attacks occurred before Duplicator creator Snap Creek released a fix for the bug last week on Feb. 12 – so it was also exploited in the wild as a zero-day...

The high-severity flaw allows malicious code injection into website pop-up windows.

Two vulnerabilities – including a high-severity flaw – have been patched in a popular WordPress plugin called Popup Builder. The more severe flaw could enable an unauthenticated attacker to infect malicious JavaScript into a popup – potentially opening up more than 100,000 websites to takeover.