A critical vulnerability in the LiteSpeed Cache WordPress plugin can let attackers take over millions of websites after creating rogue admin accounts.

Unpatched flaw in Ultimate Member plugin endangers 200,000 WordPress sites, enabling covert creation of admin accounts by hackers.

Ongoing attacks are targeting an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in a WordPress cookie consent plugin named Beautiful Cookie Consent Banner with more than 40,000 active installs.

https://www.cert.ssi.gouv.fr/avis/CERTFR-2023-AVI-0402/

Summary: Balada Injector has been compromising WordPress sites since 2017, exploiting theme and plugin vulnerabilities.

A recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress is being exploited.