Compromised plugins and AI deepfakes rising
Recent social posts highlight active threats such as compromised WordPress plugins that inject malicious code, polymorphic malware that changes tactics mid‑campaign, and AI‑driven deepfakes targeting SMS and voicemail. The posts urge immediate scanning, patching and layered detection to address these evolving attack patterns. (x.com/i/status/2044367705025773847; x.com/xmodulo/status/2044550025548579076; x.com/i/status/2044747739632672950)
A WordPress plugin can act like a spare key to a website, and recent security alerts show how a single weak plugin can expose hundreds of thousands of sites. (wordfence.com)
Wordfence said on March 10, 2026 that the Ally plugin had an unauthenticated SQL injection flaw affecting an estimated 400,000 active installations. On March 26, 2026, it reported an arbitrary file read flaw in Smart Slider 3 affecting more than 800,000 active installations. (wordfence.com; wordfence.com)
Patchstack’s 2026 WordPress security white paper said hosting and network controls blocked only 26% of vulnerability attacks in its large-scale pentest of popular hosting companies. Its database also shows common plugin flaws can let attackers inject scripts, redirects, ads, or phishing pages into otherwise legitimate sites. (patchstack.com; patchstack.com)
Polymorphic malware works like a burglar who changes clothes after every block. CISA says the code can alter its runtime footprint during execution, making signature-based detection less reliable. (cisa.gov)
Microsoft said on February 5, 2026 that a new ClickFix variant called CrashFix changed the social-engineering playbook by crashing a victim’s browser, then prompting the user to run malicious commands. The company described it as an evolution in an ongoing campaign rather than a one-off sample. (microsoft.com)
Artificial-intelligence deepfakes push the same pressure tactics into text messages and voicemail. The Federal Bureau of Investigation said in 2025 that attackers sent text messages and AI-generated voice messages while impersonating senior U.S. officials. (fbi.gov)
Federal agencies have been warning about voice cloning for more than two years. The Federal Trade Commission said in April 2024 that scammers were cloning relatives’ voices to demand money, and CISA, the Federal Bureau of Investigation, and the National Security Agency issued a joint deepfake threat bulletin in September 2023. (consumer.ftc.gov; cisa.gov)
The pattern across these alerts is that attackers are borrowing trust instead of breaking down the front door. They hide inside widely used plugins, mutate code to dodge scans, or imitate a boss, official, or family member closely enough to win one click or one callback. (patchstack.com; cisa.gov; fbi.gov)
The defensive advice is less exotic than the attacks. CISA’s advisories center on indicators of compromise, mitigation, and response, while WordPress security vendors keep repeating the same steps: patch quickly, scan for tampering, remove vulnerable plugins, and verify unusual requests through a second channel before acting. (cisa.gov; wordfence.com; patchstack.com)