WordPress: vulnerabilities in plugins and themes | Kaspersky official blog
The WordPress content management system (CMS) has been popping up frequently on cybersecurity news sites lately. Most of this coverage was driven by vulnerabilities in plugins and themes. However, our colleagues have also observed a case where attackers used poorly secured WordPress sites to distribute trojans. This in itself isn’t surprising — WordPress remains one of the most popular CMS platforms in the business. But the sheer number of discovered plugin vulnerabilities and related incidents shows that attackers are watching the WordPress ecosystem just as closely as its defenders.
WordPress incidents
Just this summer, several serious WordPress-related security incidents have come to light.
Gravity Forms plugin: site compromise and code infection
In early July, attackers compromised the site from which Gravity Forms, a popular form-building plugin, is distributed, and injected malicious code into the downloadable packages for versions 2.9.11.1 and 2.9.12. Sites where these versions were installed manually by administrators from the vendor's download, or via the PHP dependency manager Composer, between July 9 and 10 were infected.
Once on a site, the malware blocked further plugin updates, downloaded and installed additional malicious code, and created new administrator accounts, giving the attackers full control of the site.
The Gravity Forms team urges all users to check whether they are running one of the tampered packages. Because the infected packages carry the same version numbers as clean copies obtained through other channels, the version string alone does not settle the question; the incident notice on the official plugin website explains how to verify an installation and how to remove the malware. And of course, the plugin should be updated to version 2.9.13.
Alone theme: active exploitation of CVE-2025-5394
Also in July, researchers reported that attackers were actively exploiting a critical unauthenticated arbitrary file upload vulnerability (CVE-2025-5394) affecting all versions of the Alone theme for WordPress up to and including 7.8.3. The flaw enables remote code execution (RCE), giving attackers full control over affected sites.
Notably, attacks began before the vulnerability was officially disclosed. According to Wordfence, exploitation attempts started on July 12, shortly before public disclosure, and the company had already recorded more than 120 000 attempts to exploit CVE-2025-5394 by the time it published its report. Threat actors used the flaw to upload ZIP archives containing webshells, install password-protected PHP backdoors for remote HTTP access, and create hidden administrator accounts. In some cases, they even installed full-featured file managers on the compromised WordPress site, giving them complete control over the site's files and, through the database credentials stored in wp-config.php, over its database as well.
The developers of the Alone theme have since released version 7.8.5, which patches the vulnerability. All users are strongly advised to update to this version immediately. Additional guidance on how to protect against this bug can be found in the Wordfence report.
Motors theme: exploitation of CVE-2025-4322
In June, attackers also targeted WordPress sites using another premium theme called Motors. In this case, attackers exploited CVE-2025-4322, a flaw in the theme's user identity validation during password recovery affecting all versions up to 5.6.67. An unauthenticated attacker could use it to change the password of an arbitrary user, including administrators, and thereby hijack administrator accounts.
The theme creators, StylemixThemes, released a patched version (5.6.68) on May 14, 2025. That was followed by a Wordfence statement five days later urging users to update without delay. However, not all users updated in time — attacks began the very next day, May 20, and by June 7 Wordfence had recorded 23 100 exploitation attempts.
Successful exploitation of CVE-2025-4322 grants attackers administrator rights, enabling them to create new accounts and reset passwords.
Efimer malware: spread through compromised WordPress sites
And finally, a case in which cybercriminals did not exploit vulnerabilities in plugins and themes, but which nevertheless demonstrates the interest of attackers in WordPress-based sites. In early August, our colleagues investigated an attack involving the Efimer malware, which is designed primarily to steal cryptocurrency. Attackers spread it via email and malicious torrents, but some infections also originated from compromised WordPress sites.
Careful analysis revealed that Efimer also included a WordPress password cracker. Essentially, each time the malware ran, it launched a brute-force attack against the WordPress login page using a set of common passwords hard-coded in the script. Any successfully cracked credentials were sent back to the attackers' command-and-control server, which is how the compromised sites used for distribution were obtained in the first place.
Potentially dangerous vulnerabilities
Beyond the above incidents, several other vulnerabilities have been reported, though they have not yet been observed in real-world attacks. However, as the Motors case demonstrates (exploitation began one day after the public advisory), attackers could start exploiting them very soon, so they should be monitored closely.
GiveWP: a vulnerability in WordPress donation plugin
In late July, the team behind the open-source Pi-hole project discovered a vulnerability in the GiveWP plugin, which they were using on their own WordPress site. This plugin allows websites to accept online donations, manage fundraising campaigns, and more.
The Pi-hole developers found that the plugin inadvertently exposed donor data by embedding it in the HTML source of a public page, making donors' names and email addresses readable by anyone who viewed the page source, without any authentication.
GiveWP’s developers released a patch just hours after the issue was reported on GitHub. However, since the data had already been exposed, the Have I Been Pwned service added the incident to its leak database, estimating that nearly 30 000 people’s data had been compromised.
Administrators of sites using GiveWP are advised to update the plugin to version 4.6.1 or later.
Post SMTP: vulnerability CVE-2025-24000 enables administrator account takeover
The CVE-2025-24000 vulnerability — rated 8.8 on the CVSS scale — was recently discovered in the Post SMTP plugin. This extension provides more reliable and user-friendly delivery of outgoing emails from a WordPress site than the built-in wp_mail function.
CVE-2025-24000, which affects all Post SMTP versions up to and including 3.2.0, stems from a broken access control mechanism in the plugin's REST API. The issue is that this API checks only whether a request comes from an authenticated user, not what that user is allowed to do. As a result, even a low-privileged user, such as a subscriber on a site with open registration, can view the plugin's logs of sent emails along with their full contents.
This makes it possible to hijack an administrator account. An attacker only needs to trigger a password reset for the admin account, then inspect the email logs to retrieve the reset message and follow the link inside, thereby setting a new password and gaining administrator access. The same log exposure also leaks any other secrets sent by email, such as 2FA codes or registration confirmations.
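The pattern behind this class of bug, and its fix, in WordPress plugin code. This is an added illustration written for this post, not Post SMTP's own code or any code from the Kaspersky article: the plugin name, the `maillog/v1` namespace, the `maillog_*` functions and the `wp_maillog` table are assumptions made for the example. The weak permission callback passes for any logged-in account; the strict one requires a capability that only administrators hold by default.

```php
<?php
/**
 * Plugin Name: Mail Log REST example (illustrative only, not a real plugin)
 *
 * Hypothetical plugin that stores outgoing mail in a custom table and exposes
 * it through the REST API. All names here are assumptions for this example.
 */

// WEAK: the kind of check that lets a subscriber read the mail log.
// is_user_logged_in() is true for every account on the site, so any user
// who can register passes this gate and can pull admin password-reset mails.
function maillog_permission_weak( WP_REST_Request $request ) {
	return is_user_logged_in();
}

// STRICT: authorize on capability, not on mere authentication.
// 'manage_options' is held only by administrators in a default install.
// Returning a WP_Error gives the REST layer a proper 401/403 status.
function maillog_permission_strict( WP_REST_Request $request ) {
	if ( ! current_user_can( 'manage_options' ) ) {
		return new WP_Error(
			'rest_forbidden',
			__( 'You are not allowed to read the mail log.' ),
			array( 'status' => rest_authorization_required_code() )
		);
	}
	return true;
}

// Route callback: newest messages first. Table and column names are assumed.
function maillog_get_logs( WP_REST_Request $request ) {
	global $wpdb;
	$table    = $wpdb->prefix . 'maillog';
	$per_page = (int) $request->get_param( 'per_page' );
	$per_page = max( 1, min( 100, $per_page ) ); // clamp even though 'args' validates
	$rows     = $wpdb->get_results(
		$wpdb->prepare(
			"SELECT id, to_email, subject, body, sent_at FROM {$table} ORDER BY id DESC LIMIT %d",
			$per_page
		),
		ARRAY_A
	);
	return rest_ensure_response( $rows );
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'maillog/v1', '/logs', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => 'maillog_get_logs',
		// Swap in 'maillog_permission_weak' here to reproduce the flaw.
		'permission_callback' => 'maillog_permission_strict',
		'args'                => array(
			'per_page' => array(
				'type'    => 'integer',
				'default' => 20,
				'minimum' => 1,
				'maximum' => 100,
			),
		),
	) );
} );
```

To confirm which behaviour a site has, log in as a subscriber and request `/wp-json/maillog/v1/logs` (with a REST nonce in `X-WP-Nonce`); the strict version answers 403, the weak one returns the log. Independently of the access check, a plugin that logs outgoing mail should avoid storing the bodies of password-reset messages at all, since even an administrator-only log turns every future admin compromise into a credential store.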
The developer released a patched version — Post SMTP 3.3.0 — on June 11. However, download statistics on WordPress.org at the time of writing show that only about half of the plugin’s users (51.2%) have updated to the fixed version. That leaves more than 200 000 sites still exposed. Moreover, nearly a quarter of all sites (23.4%, or around 100 000) are still running the outdated 2.x branch, which contains this and other unpatched vulnerabilities.
To make matters worse, proof-of-concept (PoC) exploit code for CVE-2025-24000 has already been published online, though we haven’t verified its functionality.
How to protect your WordPress site
Plugins and themes make WordPress highly flexible and user-friendly, but they also significantly expand the attack surface. While avoiding them entirely isn't realistic, you can substantially reduce the risk to your site by following these best practices:
- Minimize the number of plugins and themes. Install only those that are truly necessary. The fewer you use, the lower the risk that one of them will contain a vulnerability.
- Thoroughly test plugins in an isolated environment and analyze their code for backdoors before installing.
- Give preference to widely used plugins. Although not immune to flaws, issues in such projects are typically discovered and patched quicker.
- Avoid abandoned components — vulnerabilities in them may remain forever.
- Monitor for anomalies. Regularly review the list of administrator accounts for unknown users, and monitor existing accounts for sudden password failures.
- Strengthen password policies. Require users to set strong passwords, and make two-factor authentication mandatory.
- Respond properly to incidents. If you suspect your site has been hacked, react to the incident immediately and restore the site’s security. If you lack the expertise, contact external specialists — swift action can greatly reduce the attack’s impact.
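A concrete way to act on the "monitor existing accounts for sudden password failures" advice, and to catch the kind of login brute-forcing Efimer performs, is to watch the web server access log for bursts of POST requests to wp-login.php. The script below is an added example for this post, not code from Kaspersky or from any WordPress project. It relies on a heuristic that is an assumption about a default WordPress install: a failed login re-renders the form with HTTP 200, while a successful one answers with a 302 redirect. The log lines are constructed for the example and use documentation IP ranges.

```php
<?php
// Added example: flag wp-login.php brute-force bursts from a combined-format
// access log. Heuristic (assumption for a stock WordPress install): a failed
// login returns 200 (form re-rendered), a successful login returns 302.
declare(strict_types=1);

const LOGIN_FAIL_THRESHOLD = 5;   // failed POSTs from one IP ...
const LOGIN_WINDOW_SECONDS = 300; // ... within this sliding window

/** Parse one Apache/Nginx combined log line; null unless it is a POST to wp-login.php. */
function parse_login_post(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "POST \/wp-login\.php(?:\?\S*)? HTTP\/[\d.]+" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $ts->getTimestamp(), 'status' => (int) $m[3]];
}

/**
 * Return, per offending IP, the peak number of failed logins seen inside any
 * LOGIN_WINDOW_SECONDS window and whether that IP ever got a 302 (a successful
 * login, i.e. the brute force may have worked).
 */
function find_bruteforce_sources(iterable $lines): array
{
    $events = [];
    foreach ($lines as $line) {
        $e = parse_login_post($line);
        if ($e !== null) {
            $events[$e['ip']][] = $e;
        }
    }
    $alerts = [];
    foreach ($events as $ip => $list) {
        usort($list, fn($a, $b) => $a['time'] <=> $b['time']);
        $fails = array_values(array_filter($list, fn($e) => $e['status'] === 200));
        $peak  = 0;
        $start = 0;
        foreach ($fails as $i => $e) { // sliding window over sorted failures
            while ($e['time'] - $fails[$start]['time'] > LOGIN_WINDOW_SECONDS) {
                $start++;
            }
            $peak = max($peak, $i - $start + 1);
        }
        if ($peak >= LOGIN_FAIL_THRESHOLD) {
            $succeeded = [] !== array_filter($list, fn($e) => $e['status'] === 302);
            $alerts[$ip] = ['peak_failures' => $peak, 'login_succeeded' => $succeeded];
        }
    }
    return $alerts;
}

// Constructed sample log: 203.0.113.7 fails six times in twelve seconds and
// then logs in; 198.51.100.2 is a legitimate user with a single typo.
$sample_log = [
    '203.0.113.7 - - [09/Jul/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Jul/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Jul/2025:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Jul/2025:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Jul/2025:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Jul/2025:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Jul/2025:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [09/Jul/2025:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4500 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [09/Jul/2025:10:02:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [09/Jul/2025:10:02:35 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

foreach (find_bruteforce_sources($sample_log) as $ip => $info) {
    printf(
        "ALERT %s: %d failed logins within %ds, later success: %s\n",
        $ip, $info['peak_failures'], LOGIN_WINDOW_SECONDS, $info['login_succeeded'] ? 'yes' : 'no'
    );
}
```

Run it against a real log with `find_bruteforce_sources(new SplFileObject('/var/log/apache2/access.log'))`. An IP reported with `login_succeeded` set is the case to treat as an incident: check the administrator list and session tokens immediately. Two caveats: the 200/302 heuristic breaks behind a WAF or cache that rewrites responses, and it does not see attempts made through `xmlrpc.php`; for precise counts, hook WordPress's own `wp_login_failed` action instead of parsing access logs.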