Important Vulnerability on Advanced Custom Fields Plugin for WordPress

We analyzed an injected copy of Elementor Pro and found three hidden mechanisms that silently hand control of a site's content pipeline to a third-party server. The plugin looks and functions like the original. Only a small code block at the top changes what happens behind the scenes.

Imunify360 now includes WordPress WAF, a new security component that automatically blocks exploits targeting known vulnerabilities in WordPress plugins and themes.

Vulnerable websites are protected through virtual patching. When an attacker tries to exploit a vulnerability in a plugin or theme your customer hasn't updated, WordPress WAF blocks the malicious request before it reaches the vulnerable code. The site stays protected without requiring an update.

WordPress WAF is free for all Imunify360 customers. It's delivered through the Imunify Security WordPress plugin, activates automatically, and requires no extra configuration.

We’re excited to share a milestone we’re genuinely proud of: The Imunify Security WordPress Plugin has now surpassed 500,000 active installations.

Imunify products now fully support Debian 13, expanding protection to the latest generation of Debian-based servers. This update applies to the entire Imunify suite: ImunifyAV, ImunifyAV+, and Imunify360 - and is available across Plesk, DirectAdmin, Webuzo, and stand-alone installations. Users running Debian 13 can now deploy Imunify products with the same reliability and security they expect on other supported distributions.

CloudLinux is introducing updates to the pricing model for ImunifyAV+. These changes align ImunifyAV+ with the tiered structure already used by Imunify360 and support continued investment in malware detection, protection technologies, and product development.

We are issuing this security advisory regarding a vulnerability discovered in the AI-Bolit component of Imunify products. A patch for this vulnerability was released on October 23, 2025, and has already been automatically deployed to the vast majority of servers.

We are pleased to announce the launch of the CloudLinux Network (CLN) API v2. This is a significant step forward in our mission to provide powerful, modern tools that help you automate license and server management, streamline your workflows, and integrate Imunify products directly into your environment.

WordPress now powers more than half of the web, making it the world’s most popular CMS by a country mile. That dominance has fueled the growth of WordPress-managed hosting, as it’s built to handle performance, updates, and backups. It means businesses don’t have to have so much technical talent to manage their sites.

Here at Imunify, we're always monitoring web data at scale - and we've noticed a clear trend: legitimate AI bots, like those from Meta, Apple, OpenAI, and other reputable organizations, are increasingly behaving aggressively, excessively consuming server resources, and often ignoring instructions in files like robot.txt.

These sorts of issues caused by AI-powered bots can severely impact both website performance and resource efficiency.

To assist hosting providers and website owners in effectively managing these aggressive bots, we’ve created specialized ModSecurity rule sets designed to precisely and effectively block significant AI bot traffic for some of the most popular AI modules.

As many of you know, ConfigServer officially ceased all operations on August 31 2025, marking the end-of-life for its entire suite of products, including the widely-used ConfigServer Security & Firewall (CSF) service. So, what should you do next?