Tag: wordpress
A critical PHPMailer bug tied to the way websites handle email and feedback forms is leaving millions of websites hosted on popular web-publishing platforms such as WordPress, Drupal and Joomla open to attack.
The insecurity of WordPress plugins has been well documented, especially over the last year, but in the grand scheme of things, it’s not as bad as it seems, experts claim.
A vulnerability that allows an attacker to upload code without authentication has been patched in Neosense, a popular WordPress theme.
WordPress is strongly encouraging users of the content management system to update to the most recent version, 4.6.1, released on Wednesday ("WordPress 4.6.1 Security and Maintenance Release https://t.co/NzOLsywTri", WordPress (@WordPress), September 7, 2016). The update addresses two separate security issues, a cross-site scripting vulnerability and a path traversal vulnerability. The XSS vulnerability, discovered by Cengiz...
A WordPress plugin was patched Thursday night, close to a week after reports began to surface of public attacks against a zero-day vulnerability. WP Mobile Detector was pulled from the WordPress Plugin Directory once the attacks went public. It was restored last night and users are urged to update to version 3.7 immediately. The plugin...
WordPress vulnerabilities continue to be a magnet for hackers laden with exploit kits, and as recently as February, crippling ransomware attacks. As a result, WordPress has already released three security updates this year, the latest for the content management system coming last Friday, bringing current users to version 4.5.2. WordPress also in April turned on...
All custom domains hosted on WordPress.com will soon have their sites automatically encrypted for free. WordPress said late Friday afternoon that more than one million sites will have encryption automatically deployed. “We are closing the door to unencrypted web traffic at every opportunity,” wrote Barry Abrahamson, chief systems wrangler at Automattic, WordPress’ parent company. WordPress...
Exploit kits infecting thousands of WordPress websites are setting their sights on the open-source content management system Joomla in a new campaign spotted by a researcher at the SANS Institute’s Internet Storm Center. “The group behind the WordPress ‘admedia’ campaign is now apparently targeting Joomla sites,” said Brad Duncan, security researcher at Rackspace. “We are starting...
Developers at WordPress are encouraging users to upgrade to the latest version, 4.4.2, in order to resolve a handful of bugs and vulnerabilities in the content management system. The update pushed out on Tuesday addresses two main issues. Until yesterday an attacker could have potentially carried out a server-side request forgery (SSRF) attack that could...
Developers at WordPress are encouraging users of the content management system to download and apply the most recent update, pushed yesterday, to address a cross-site scripting (XSS) vulnerability. According to WordPress the bug exists in all versions before 4.4 and if exploited, could allow a hacker to take control of an affected website. An independent security researcher based...