WordPress vulnerabilities have been in the news lately. Today I am discussing the Balada Injector campaign that has been attacking WordPress’s Elementor Pro plugin for the past six years. Here are the details from Sucuri:
The vulnerability allows authenticated users to arbitrarily change wp_options values within the database via the AJAX action of Elementor Pro working in conjunction with WooCommerce.
Since WooCommerce websites allow registration for customer accounts, any website with user registration enabled with the Elementor Pro plugin and WooCommerce installed is liable to be exploited if using the vulnerable version.
The plugin uses the update_option function which is used by WordPress to change database values for website settings, such as allowing shop admins to change some options within their site database. However, this recent vulnerability results from user input not being validated properly and the function does not check whether only high-privileged users are using it.
When both the Elementor Pro and WooCommerce plugins are active (a rather common combination within WordPress websites) this can lead to arbitrary wp_options changes such as:
- siteurl value
- default user role
- user registration
We have also observed multiple users reporting that their administrator user name was changed to ad@example.com after this vulnerability was exploited on their website, as well as new administrator users added using the pattern wpnew_*** within the database.
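The defect Sucuri describes above is an AJAX action that reaches update_option without checking who is calling. The following is an added example, not code from Sucuri, Elementor Pro or WooCommerce: a hypothetical plugin's AJAX handler in the vulnerable shape next to a hardened version, using only standard WordPress functions. The plugin prefix, action name, nonce name and option names are assumptions.

```php
<?php
/*
 * Constructed example (hypothetical "myshop" plugin), not Elementor Pro's code.
 * Shows an AJAX handler that writes wp_options without checking the caller,
 * beside a hardened form with the checks the vulnerable one lacks.
 */

// VULNERABLE pattern: any logged-in user (for example a shop customer who
// self-registered) can call the wp_ajax_* action and rewrite arbitrary
// options such as siteurl, default_role or users_can_register.
function myshop_save_setting_vulnerable() {
    $name  = $_POST['option_name'];
    $value = $_POST['option_value'];
    update_option( $name, $value ); // no capability, nonce or allow-list check
    wp_send_json_success();
}

// HARDENED form: same endpoint, three additional checks.
function myshop_save_setting_hardened() {
    // 1. CSRF: the request must carry a nonce issued for this action
    //    (check_ajax_referer() stops the request if it is missing or invalid).
    check_ajax_referer( 'myshop_settings_nonce', 'nonce' );

    // 2. Authorisation: only users who may manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Allow-list: the caller never gets to choose the option name freely,
    //    so core options like siteurl are unreachable through this handler.
    $allowed = array( 'myshop_currency', 'myshop_items_per_page' );
    $name    = sanitize_key( wp_unslash( $_POST['option_name'] ?? '' ) );
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );

    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name ) );
}

// Register only the hardened handler. No wp_ajax_nopriv_* hook is added,
// so anonymous visitors cannot reach the endpoint at all.
add_action( 'wp_ajax_myshop_save_setting', 'myshop_save_setting_hardened' );
```

The same three checks apply to any plugin endpoint that calls update_option; "is the user logged in" is not the same question as "may this user change site settings".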
Now you might have noticed the word “WooCommerce” in the above statement. That’s because you might have heard about another WordPress vulnerability that leverages WooCommerce.
David Maynor, Senior Director of Threat Intelligence at Cybrary, has a very detailed comment on this:
“The most frustrating discussion a security person can have is the talk with sales/marketing where the need for WordPress is brought up. I am a long time security researcher and I have the opinion that WordPress cannot be made secure.
“WordPress dates back to 2003 with the goal of replacing the need for developers to make changes to a website. Things like website themes, plugins that will do almost anything, adapting content to a number of browsers and platforms like mobile devices. WordPress has been institutionalized by pretty much everyone to be the de facto CMS.
“Because of this overwhelming adoption for critical needs like customer facing web pages an entire developer ecosystem sprouted up around developing themes, tools, and plugins to make WordPress even easier to use. This is the equivalent of building a bad roof on a shaky foundation for a house in an earthquake zone.
“If you haven’t worked with sales and marketing departments before you might not be aware of the absolute dominance WordPress has in its market. There are entire tools and marketing platforms based on analyzing and optimizing WordPress content for data collection, targeted advertising, and customer insights.
“Targeting a market for non-technical people to minimize technical needs leads WordPress users to often know nothing about a system other than the WordPress interface. WordPress is a popular bundled application for site hosting platforms to bundle in with a hosting subscription. The mixture of lack of technical knowledge or not being aware you may have WordPress on your hosted platform combines with PHP development and outdated security practices to make WordPress a perfect target for threat actors to steal data or use a compromised site to trick unsuspecting users into malicious interactions that look legitimate.
“I say all this to address the questions of why WordPress is a rich target and why it keeps being the target of malicious campaigns. It is low hanging fruit that is trivial to pop. It’s so popular as a target it is often the target newbie hackers start with.
“So now to Balada. Why is it so large? A mixture of low hanging fruit and exploitable targets that can often be found with Google dorking, and attackers using compromised hosts as currency leads to a long dwell time for attackers on a victim.
“This campaign is so large and lengthy due to the attackers taking advantage of many uses of WordPress like targeting specific platforms with specific code or easily hiding backdoors in pirated plugins. This group is the multi-headed hydra of attacks by varying exploits and post compromise activities.
“In addition to tooling and techniques, the rise of encryption everywhere blinds many network based detection tools with the same technology TLS used to make sure a hacker at a coffee shop isn’t sniffing an unsuspecting Wi-Fi user’s website credentials.
“WordPress is a de facto content management solution with an entire ecosystem of developers writing themes, plugins and tools. Often this 3rd party software is the source of compromise.
“This campaign is large because the attackers have multiple attacks and post compromise tooling that allows them to stay a few steps ahead of WordPress admins.
“Website owners often go to WordPress because it allows quick and easy content development without the need for a team of coders. These are the users least likely to notice they have been compromised.
“I don’t think WordPress and its ecosystem can be secured. Popular WordPress security apps often don’t try to stop intrusions but rather focus on cleaning out an attacker by rolling to a previously known good version. If the security experts don’t think they can stop attackers why would anyone else?”
This scares me as I use WordPress for this blog. I’ve spent a lot of time going through the configuration of this blog to assure that it is as secure as possible. Hopefully WordPress can step up and improve security with its product as that combined with individual WordPress users doing all they can to improve security on their end may be the only hope of mitigating these attacks.
A Follow Up To My WordPress Posting Issues
Posted in Commentary with tags WordPress on November 11, 2025 by itnerd
Last night I posted a story about a problem posting stories which wasn’t just affecting me, but some other people as well. While I had a workaround, it wasn’t optimal. That changed this morning when I got an email from a WordPress “happiness engineer” who I assume is their term for a tech support person. This is the email that I got:
Hi there!
We’ve recently received a tweet via X (Twitter) referring to an issue with posting on your site – itnerd.blog. Thank you for reaching out. I wanted to follow up here to make sure that’s addressed correctly 🙂
There seems to be a conflict with the new editor version and the AMP plugin. You can deactivate it from Plugins → Installed Plugins.
Our belief is the AMP plugin is no longer needed in most use cases, and you can keep it deactivated. But if you have a specific reason to re-enable please let me know and I can look into other solutions for you.
If you have any additional questions, don’t hesitate to let me know, I’d be happy to help!
So, the TL;DR is that what this “happiness engineer” suggested worked. But let’s go into the weeds. AMP stands for Accelerated Mobile Pages. Google came up with this a few years ago to make pages load faster on mobile devices.
AMP has two basic components:
But it’s fallen out of favor because in order to use AMP, you also need to agree to allow anyone to “cache” the AMP versions of your web pages. This means that they can take a copy of the page and direct people to that copy, rather than the original version on your website. Which is a #fail if you are trying to increase traffic to your website. And some big social media sites don’t like AMP at all. Reddit for example gives you a warning if you use an AMP link in a Reddit post.
So the suggestion from WordPress that AMP isn’t needed anymore has some degree of validity. Which is why I disabled it on my site. But the thing is that WordPress clearly broke something when they updated the post editor. Hopefully they don’t press the “easy button” and make this the default solution for this issue because there’s clearly a bug that they need to fix. Plus it was working up until 1PM EST yesterday, which supports the fact that they broke something. So here’s hoping that they do the right thing that will help users and themselves in the long term.