Friday, August 29, 2025

WordPress: vulnerabilities in plugins and themes


The WordPress content management system (CMS) has been appearing regularly on cybersecurity news sites lately. Most of this coverage was driven by vulnerabilities in plugins and themes. However, our colleagues have also observed a case where attackers used poorly secured WordPress sites to distribute trojans. This in itself isn't surprising: WordPress remains one of the most popular CMS platforms in the enterprise. But the sheer number of discovered plugin vulnerabilities and related incidents shows that attackers are watching the WordPress ecosystem just as closely as its defenders.

WordPress incidents

Just this summer, several serious WordPress-related security incidents have come to light.

Gravity Forms plugin: website compromise and code infection

In early July, attackers gained access to a website running Gravity Forms, a popular form-building plugin, and injected malicious code into versions 2.9.11.1 and 2.9.12. Sites where these plugin versions were installed manually by administrators, or via the PHP dependency manager Composer, were infected between July 9 and 10.

The malware blocked further updates, downloaded and installed additional malicious code, and created new administrator accounts. This gave the attackers full control of the site, which they then used for malicious purposes.

The Gravity Forms team urges all users to check whether they're running a potentially vulnerable version. Instructions on how to do this are available in the incident notice on the official plugin website. The notice also explains how to remove the malware. And of course, the plugin should be updated to version 2.9.13.

Alone theme: active exploitation of CVE-2025-5394

Also in July, researchers reported that attackers were actively exploiting a critical vulnerability in the unauthenticated file upload validation process (CVE-2025-5394) affecting all versions of the Alone theme for WordPress, up to and including 7.8.3. The flaw allows remote code execution (RCE), giving attackers full control over affected sites.

Notably, attacks began several days before the vulnerability was formally disclosed. According to Wordfence, by June 12 over 120 000 attempts to exploit CVE-2025-5394 had already been made. Threat actors used the flaw to upload ZIP archives containing webshells, install password-protected PHP backdoors for remote HTTP access, and create hidden administrator accounts. In some cases, they even installed full-featured file managers on the compromised WordPress site, giving them full control over the site's database.

The developers of the Alone theme have since released version 7.8.5, which patches the vulnerability. All users are strongly advised to update to this version immediately. Further guidance on how to protect against this bug can be found in the Wordfence report.

Motors theme: exploitation of CVE-2025-4322

In June, attackers also targeted WordPress sites using another premium theme called Motors. In this case, attackers exploited CVE-2025-4322, a weakness in the user validation process affecting all versions up to 5.6.67. Exploiting it allowed attackers to hijack administrator accounts.

The theme creators, StylemixThemes, released a patched version (5.6.68) on May 14, 2025. That was followed by a Wordfence statement five days later urging users to update immediately. However, not all users updated in time: attacks began the very next day, May 20, and by June 7 Wordfence had recorded 23 100 exploitation attempts.

Successful exploitation of CVE-2025-4322 grants attackers administrator rights, enabling them to create new accounts and reset passwords.

Efimer malware: spread via compromised WordPress sites

And finally, a case in which cybercriminals did not exploit vulnerabilities in plugins and themes, but which nonetheless demonstrates attackers' interest in WordPress-based sites. In early August, our colleagues investigated an attack involving the Efimer malware, designed primarily to steal cryptocurrency. Attackers spread it via email and malicious torrents, but some infections also originated from compromised WordPress sites.

Careful analysis revealed that Efimer also included a WordPress password cracker. Essentially, every time the malware ran, it launched a brute-force attack on the WordPress admin panel using a set of common passwords hard-coded in the script. Any successfully cracked passwords were sent back to the attackers' command server.

Potentially dangerous vulnerabilities

Beyond the above incidents, several other vulnerabilities have been reported, though they have not yet been observed in real-world attacks. However, as the Motors case demonstrates, attackers may start exploiting them very soon, so they should be monitored closely.

GiveWP: a vulnerability in a WordPress donation plugin

In late July, the team behind the open-source Pi-hole project discovered a vulnerability in the GiveWP plugin, which they were using on their own WordPress website. This plugin allows websites to accept online donations, manage fundraising campaigns, and more.

The developers found that the plugin inadvertently exposed donor data by including it in the page source, making names and email addresses accessible without authentication.

GiveWP's developers released a patch just hours after the issue was reported on GitHub. However, because the data had already been exposed, the Have I Been Pwned service added the incident to its breach database, estimating that almost 30 000 people's data had been compromised.

Administrators of websites using GiveWP are advised to update the plugin to version 4.6.1 or later.

Post SMTP: vulnerability CVE-2025-24000 allows administrator account takeover

The CVE-2025-24000 vulnerability, rated 8.8 on the CVSS scale, was recently discovered in the Post SMTP plugin. This extension provides more reliable and user-friendly delivery of outgoing emails from a WordPress website than the built-in wp_mail function.

CVE-2025-24000, which affects all Post SMTP versions up to and including 3.2.0, stems from a broken access control mechanism in the plugin's REST API. The problem is that this API checks only whether a user is authenticated, not their access level. As a result, even a low-privileged user can view logs containing sent emails along with their full contents.

This makes it possible to hijack an administrator account. An attacker only needs to initiate a password reset for the admin account, then check the email logs to retrieve the reset message and follow the link inside, thereby gaining administrator access.
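The defect class described above, authentication checked but authorization not, maps directly onto the permission_callback of a WordPress REST route. The following is an added illustration, not Post SMTP's own code: the namespace, route and the maillog_get_entries() helper are assumptions. The weak registration is shown beside the corrected one.

```php
<?php
// Added example, not Post SMTP's own code. The namespace, route and the
// maillog_get_entries() helper are hypothetical.

// WEAK: permission_callback only asks "is someone logged in?", so any
// subscriber-level account can read every logged message, including
// password-reset emails addressed to administrators.
function maillog_register_weak_route() {
    register_rest_route( 'example-maillog/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'maillog_get_entries',
        'permission_callback' => 'is_user_logged_in',
    ) );
}

// FIXED: require a capability that only administrators hold. The check
// also fails closed for anonymous requests, because current_user_can()
// returns false when no user is resolved from the cookie + REST nonce.
function maillog_register_hardened_route() {
    register_rest_route( 'example-maillog/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'maillog_get_entries',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to read the mail log.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
}
add_action( 'rest_api_init', 'maillog_register_hardened_route' );

// Hypothetical log reader, included only so the route is complete.
function maillog_get_entries( WP_REST_Request $request ) {
    return rest_ensure_response( get_option( 'example_maillog_entries', array() ) );
}
```

Even with the capability check in place, a mail log that persists the full body of password-reset messages remains a sensitive store; redacting reset links before logging removes the takeover path entirely.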

The developer released a patched version, Post SMTP 3.3.0, on June 11. However, download statistics on WordPress.org at the time of writing show that only about half of the plugin's users (51.2%) have updated to the fixed version. That leaves more than 200 000 sites still exposed. Moreover, almost a quarter of all sites (23.4%, or around 100 000) are still running the outdated 2.x branch, which contains this and other unpatched vulnerabilities.

To make matters worse, proof-of-concept (PoC) exploit code for CVE-2025-24000 has already been published online, though we haven't verified its functionality.

How to protect your WordPress website

Plugins and themes make WordPress highly versatile and user-friendly, but they also significantly expand the attack surface. While avoiding them entirely isn't realistic, you can keep your website secure by following these best practices:

  • Minimize the number of plugins and themes. Install only those that are truly necessary. The fewer you use, the lower the risk that one of them will contain a vulnerability.
  • Thoroughly test plugins in an isolated environment and analyze their code for backdoors before installing.
  • Give preference to widely used plugins. Although not immune to flaws, issues in such projects are usually discovered and patched faster.
  • Avoid abandoned components: vulnerabilities in them may remain forever.
  • Monitor for anomalies. Regularly review the list of administrator accounts for unknown users, and monitor existing accounts for unexpected password failures.
  • Strengthen password policies. Require users to set strong passwords, and make two-factor authentication mandatory.
  • Respond properly to incidents. If you suspect your website has been hacked, react to the incident immediately and restore the site's security. If you lack the expertise, contact external specialists; swift action can greatly reduce the attack's impact.
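The two monitoring items in the list above (unknown administrator accounts, which the Gravity Forms, Alone and Motors cases all produced, and the bursts of failed logins that a hard-coded password list like Efimer's generates) can be wired into WordPress itself. This is an added example, not code from any project named on the page; the thresholds, the 15-minute window and the arw_ prefix are assumptions, and the file is meant for wp-content/mu-plugins/ so it loads before ordinary plugins.

```php
<?php
// Added example (mu-plugin), not code from any project named above.
// Thresholds, window length and the arw_ prefix are assumptions.

// 1. Alert whenever an account is created as, or promoted to, administrator.
//    wp_insert_user() fires user_register; WP_User::set_role()/add_role()
//    fire set_user_role / add_user_role. Extra hook arguments are ignored.
function arw_notify_if_admin( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user || ! in_array( 'administrator', (array) $user->roles, true ) ) {
        return;
    }
    $msg = sprintf(
        'Administrator role on user #%d (%s, %s) from %s at %s',
        $user_id, $user->user_login, $user->user_email, arw_client_ip(), gmdate( 'c' )
    );
    error_log( '[arw] ' . $msg );
    wp_mail( get_option( 'admin_email' ), '[WP] administrator role granted', $msg );
}
add_action( 'user_register', 'arw_notify_if_admin' );
add_action( 'set_user_role', 'arw_notify_if_admin' );
add_action( 'add_user_role', 'arw_notify_if_admin' );

// 2. Count failed logins per (client IP, username) in a transient and refuse
//    further attempts once the threshold is reached inside the window.
define( 'ARW_MAX_FAILURES', 10 );
define( 'ARW_WINDOW', 15 * MINUTE_IN_SECONDS );

function arw_client_ip() {
    // Behind a reverse proxy REMOTE_ADDR is the proxy; adjust for your setup.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli';
}
function arw_fail_key( $username ) {
    return 'arw_fail_' . md5( arw_client_ip() . '|' . strtolower( $username ) );
}

add_action( 'wp_login_failed', function ( $username ) {
    $key   = arw_fail_key( $username );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, ARW_WINDOW );   // each failure extends the window
    if ( $count === ARW_MAX_FAILURES ) {          // log once per window, not per attempt
        error_log( sprintf( '[arw] %d failed logins for "%s" from %s', $count, $username, arw_client_ip() ) );
    }
} );

// Priority 30 runs after core's username/password handlers (priority 20).
add_filter( 'authenticate', function ( $user, $username ) {
    if ( $username !== '' && (int) get_transient( arw_fail_key( $username ) ) >= ARW_MAX_FAILURES ) {
        return new WP_Error( 'arw_locked', __( 'Too many failed logins; try again later.' ) );
    }
    return $user;
}, 30, 2 );
```

Accounts written straight into the database by malware running on the server bypass these hooks, so the periodic manual review of the administrator list is still needed alongside the alerts.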
