A critical security bug and a months-long, ongoing supply-chain attack spell trouble for WordPress users.
The WordPress content management system (CMS) is offering admins more headaches this week, thanks to a pair of disparate but concerning security problems in add-ons for the platform.
The first issue affects the WordPress AdSanity plugin. It’s a critical security vulnerability that could allow remote code execution (RCE) and full site takeovers.
The second problem concerns a classic supply-chain attack, in which cybercriminals compromised 40 themes and 53 plugins belonging to AccessPress Themes in order to inject them with a webshell. Thus, any website that installed one of the compromised add-ons is also open to RCE and full takeover.
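For a site operator who wants to check whether an installed plugin or theme has been altered in this way, the following is an added example (not code from this article, nor from AccessPress Themes or WordPress) of a two-layer defensive check: every file is compared against a manifest of known-good SHA-256 hashes, and PHP files are additionally flagged when request input flows into a code-execution sink, the usual shape of a dropped webshell. The manifest, the heuristic patterns and the sample plugin files are all constructed for the demo; in practice the manifest would be generated from a clean copy of the add-on obtained from the vendor or wordpress.org.

```python
"""Defensive integrity and webshell-indicator scan for WordPress add-on directories.

Added example, not from the article. Two layers:
  1. Integrity: each file's SHA-256 is compared with a known-good manifest
     (assumed to have been generated from a clean copy of the add-on).
  2. Heuristic: PHP files where request input (or an obfuscation helper such as
     base64_decode) appears alongside a code/command-execution function are flagged.
All sample files and the manifest below are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

# Hypothetical indicator patterns; tune for real deployments, they are deliberately simple here.
SINKS = re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I)
TAINT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b|base64_decode\s*\(|str_rot13\s*\(|gzinflate\s*\(", re.I)


def sha256_file(path):
    """Hash a file in chunks so large bundled assets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_addon(root, manifest):
    """Return a sorted list of (relative_path, reason) findings for one plugin or theme directory."""
    findings = []
    seen = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            digest = sha256_file(full)
            # Layer 1: anything new or modified relative to the clean manifest.
            if rel not in manifest:
                findings.append((rel, "file not in known-good manifest"))
            elif manifest[rel] != digest:
                findings.append((rel, "hash differs from known-good manifest"))
            # Layer 2: request input next to an execution sink in PHP source.
            if name.lower().endswith(".php"):
                with open(full, encoding="utf-8", errors="replace") as f:
                    src = f.read()
                if SINKS.search(src) and TAINT.search(src):
                    findings.append((rel, "request input reaches code-execution sink"))
    # A file that vanished is also worth a look (e.g. a replaced loader).
    for rel in manifest:
        if rel not in seen:
            findings.append((rel, "file listed in manifest is missing"))
    return sorted(findings)


# Constructed sample add-on contents: a clean plugin, a trojanized copy, and a dropped shell file.
CLEAN_PLUGIN = "<?php\n/* Plugin Name: Demo */\nadd_action('init', function () { return 1; });\n"
BACKDOORED_PLUGIN = CLEAN_PLUGIN + "\nif (isset($_REQUEST['x'])) { eval(base64_decode($_REQUEST['x'])); }\n"
DROPPED_SHELL = "<?php system($_GET['cmd']);\n"


def build_demo():
    """Create a temp dir holding a clean add-on, a compromised copy, and the clean manifest."""
    base = tempfile.mkdtemp(prefix="wp-scan-demo-")
    clean = os.path.join(base, "clean")
    bad = os.path.join(base, "bad")
    os.makedirs(clean)
    os.makedirs(bad)
    with open(os.path.join(clean, "demo.php"), "w") as f:
        f.write(CLEAN_PLUGIN)
    with open(os.path.join(bad, "demo.php"), "w") as f:
        f.write(BACKDOORED_PLUGIN)
    with open(os.path.join(bad, "dropped.php"), "w") as f:
        f.write(DROPPED_SHELL)
    manifest = {"demo.php": sha256_file(os.path.join(clean, "demo.php"))}
    return clean, bad, manifest


if __name__ == "__main__":
    clean_dir, bad_dir, known_good = build_demo()
    print("clean:", scan_addon(clean_dir, known_good))
    for path, reason in scan_addon(bad_dir, known_good):
        print(f"bad: {path}: {reason}")
```

The integrity layer is the one that actually catches a supply-chain compromise, since a trojanized package is by definition a modified package; the heuristic layer is a backstop for files that never appeared in any manifest (a dropped shell) and will produce false positives on legitimate code that calls `exec()`, so treat its hits as triage candidates rather than verdicts.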
AdSanity Plugin Allows RCE
AdSanity is a light ad rotator plugin for WordPress. It allows the user to create and manage ads shown on a website as well as keep statistics on views and clicks, all through a centralized dashboard.
The bug, which carries a concerning 9.9 out of 10 rating on the CVSS vulnerability-severity scale, “could allow a low-privilege user to perform arbitrary file upload, remote code execution and stored cross-site scripting attacks,” according to researchers at the