A new report sheds light on the most targeted WordPress plugin vulnerabilities hackers used in the first quarter of 2025 to compromise sites.
All four flaws are vulnerabilities discovered and fixed in 2024 but remain unpatched in many cases, giving hackers the opportunity to execute arbitrary code or exfiltrate sensitive data.
Among the four flaws, which are all critical severity, are two that are reported as actively exploited for the first time.
According to a new Patchstack report, the four flaws that received the most exploitation attempts are:
- CVE-2024-27956: A critical SQL injection flaw in the WordPress Automatic Plugin (40,000+ installs) allowed unauthenticated attackers to run arbitrary SQL via the auth POST parameter in the CSV export feature. Wallarm first reported active exploitation of this flaw in May 2024. Patchstack says its virtual patch blocked over 6,500 attacks this year so far. (fixed in 3.92.1)
- CVE-2024-4345: The Startklar Elementor Addons plugin (5,000+ installs) suffered from an unauthenticated file upload vulnerability due to missing file type validation. Attackers could upload executable files and take over sites. Patchstack blocked such uploads, stopping thousands of attempts. (fixed in 1.7.14)
- CVE-2024-25600: A remote code execution flaw in the Bricks theme (30,000+ installs) allowed unauthenticated PHP execution via the bricks/v1/render_element REST route. Weak permission checks and an exposed nonce enabled the attack. The first signs of active exploitation were spotted by both Patchstack and Wordfence in February 2024. The former now reports it has blocked several hundreds of attempts of unauthorized use of the problematic route. (fixed in 1.9.6.1)
- CVE-2024-8353: The GiveWP plugin (100,000+ installs) was vulnerable to PHP object injection via insecure deserialization of donation parameters like give_ and card_. This could lead to full site takeover. Patchstack filtered malicious patterns and prevented hundreds of compromise attempts. (fixed in 3.16.2)
It is important to note that exploitation attempts don’t always lead to successful compromises, as many of these probes are blocked before they do any harm or the exploits are ineffective in achieving the desired outcome.
However, given that not all websites are protected by Patchstack or other effective website security products, the chances of hackers finding more suitable conditions for exploitation across the WordPress landscape are significant.
Website administrators and owners should apply the latest available security updates on all WordPress add-ons and themes and deactivate those they don’t necessarily need.
Also, make sure that dormant accounts are deleted and strong passwords and multi-factor authentication protect administrator accounts.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
