
Morocco’s cybersecurity authority has warned that several widely used WordPress plugins have serious security problems that could let hackers take control of websites.
In a bulletin (reference 62021303/26), the Direction Générale de la Sécurité des Systèmes d’Information (DGSSI), part of the national defence administration, said the flaws are “important” and could let attackers gain full control of affected systems if they are not updated quickly. The warning covers websites including online shops and news sites.
The vulnerabilities affect popular WordPress plugins:
- WooCommerce – used for online stores
- Ally WordPress plugin – improves website accessibility
- wpDiscuz – manages comments on websites
According to maCERT, Morocco’s cyber threat monitoring centre, hackers could use these flaws to run harmful commands on servers remotely, a method called Remote Code Execution (RCE). This can let attackers take over a website without needing to log in.
Some flaws, including CVE-2026-3891, could also let hackers get admin access or add and delete files on the server.
If these flaws are exploited, attackers could access databases and steal or change sensitive information, including customer data.
The affected plugin versions are:
- WooCommerce – older than 1.6.0
- Ally – older than 4.1.0
- wpDiscuz – older than 7.6.47
These versions can be attacked using methods like:
- SQL injection – tricks a website into giving up information from its database
- Arbitrary file upload – lets hackers upload harmful files to the server without permission
Hackers can sometimes upload hidden “backdoor” files that let them return later to control the site.
WordPress runs more than 40% of websites worldwide, making it a prime target. Plugins add extra features but can also create security holes. When a vulnerability is found, developers release updates while hackers try to exploit sites that haven’t updated yet.
DGSSI oversees national cybersecurity, protecting government data and key digital systems. maCERT monitors cyber threats, identifies risky software, and issues alerts that IT teams across Morocco rely on.
The DGSSI urges companies and public institutions to update their plugins immediately. It also recommends:
- Regularly updating software
- Monitoring server activity
- Protecting databases
- Using web firewalls
- Limiting system access rights
- Using tools to watch for suspicious files
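
To act on the update advice, an administrator can compare installed plugin versions with the minimum versions listed above. The script below is an added example, not part of the DGSSI bulletin: it reads each plugin's `Version:` header from disk and flags anything older than the listed version. The directory slugs (in particular `pojo-accessibility` for Ally) and the default `wp-content/plugins` path are assumptions to adjust for the actual installation.

```python
import re
import sys
from pathlib import Path

# Minimum non-affected versions as listed in the bulletin summary above.
# The directory slugs are assumptions; adjust them to the actual install.
FIXED = {
    "woocommerce": "1.6.0",
    "pojo-accessibility": "4.1.0",   # assumed slug for the Ally plugin
    "wpdiscuz": "7.6.47",
}
HEADER_VERSION = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9][^\s*]*)", re.I | re.M)
HEADER_NAME = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)

def version_key(version, width=4):
    """'7.6.9' -> (7, 6, 9, 0), so 7.6.9 sorts below 7.6.47 (numeric, not string)."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])][:width]
    return tuple(nums + [0] * (width - len(nums)))

def installed_version(plugin_dir):
    """Read the Version header from the plugin's main PHP file, if present."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        match = HEADER_VERSION.search(head)
        if HEADER_NAME.search(head) and match:
            return match.group(1)
    return None

def audit(plugins_root):
    """Return {slug: (installed_version, status)} for listed plugins found on disk."""
    report = {}
    for slug, fixed in FIXED.items():
        plugin_dir = Path(plugins_root) / slug
        if not plugin_dir.is_dir():
            continue                      # plugin not installed
        found = installed_version(plugin_dir)
        if found is None:
            status = "unknown"            # no readable header: check by hand
        elif version_key(found) < version_key(fixed):
            status = "update-required"
        else:
            status = "ok"
        report[slug] = (found, status)
    return report

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for slug, (found, status) in sorted(audit(root).items()):
        print(f"{slug}: installed={found} fixed={FIXED[slug]} -> {status}")
```

A plugin reported as `unknown` has no readable header in its top-level PHP files and should be checked manually.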



