wordfence.com

9,000 WordPress Sites Affected by Arbitrary File Upload and Deletion Vulnerabilities in WP User Frontend Pro WordPress Plugin

On March 24th, 2025, we received a submission for an Arbitrary File Upload and an Arbitrary File Deletion vulnerability in WP User Frontend Pro, a WordPress plugin with an estimated 9,000 active installations. The arbitrary file upload vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover. The arbitrary file deletion vulnerability can be used by authenticated attackers to delete arbitrary files, including the wp-config.php file, which can also make a site takeover possible.

Malware Masquerades as Legitimate, Hidden WordPress Plugin with Remote Code Execution Capabilities

The Wordfence Threat Intelligence team recently discovered an interesting malware variant that appears in the file system as a normal WordPress plugin containing a comment header, a handful of functions as well as a simple admin interface. Just like previous examples we have seen, this piece of malware contains code that ensures it remains hidden in the administrator dashboard. It has a password extraction feature, which requires configuration through its own admin interface, an AJAX-based remote code execution mechanism and unfinished code suggesting it is still in development.

15,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in MasterStudy LMS Pro WordPress Plugin

On May 15th, 2025, we received a submission for an Arbitrary File Upload vulnerability in MasterStudy LMS Pro, a WordPress plugin with more than 15,000 estimated active installations. The MasterStudy Education WordPress theme from ThemeForest with more than 21,000 sales also includes the Pro plugin. This vulnerability makes it possible for authenticated users such as subscribers to upload arbitrary files to a vulnerable site and achieve remote code execution in certain configurations, which is typically leveraged for a complete site takeover. Please note that this vulnerability only critically affects users who have enabled the “Media File Manager” and “Assignments” addons in the Pro plugin, both of which are disabled by default.

Sophisticated & Stealthy Formjacking Malware Targets E-Commerce Checkout Pages

The Wordfence Threat Intelligence team recently uncovered a sophisticated formjacking malware targeting WooCommerce sites. This malware injects a fake payment form into legitimate checkout processes and exfiltrates sensitive customer data to a remote Command & Control (C2) server. Unlike traditional card skimmers that simply overlay existing forms, this variant carefully integrates with the WooCommerce site’s design and payment workflow, making it particularly difficult for site owners and users to detect.

10,000 WordPress Sites Affected by Remote Code Execution Vulnerability in UiPress lite WordPress Plugin

On March 29th, 2025, we received a submission for a Remote Code Execution vulnerability in UiPress lite, a WordPress plugin with over 10,000 active installations. This vulnerability can be leveraged to execute code remotely, which makes it possible for attackers to do nearly anything, such as injecting backdoors, exfiltrating sensitive information, and injecting malicious spam or SEO redirects, to name just a few impacts.

50,000 WordPress Sites Affected by PHP Object Injection Vulnerability in Uncanny Automator WordPress Plugin

On April 26th, 2024, we received a submission for an authenticated PHP Object Injection vulnerability in Uncanny Automator, a WordPress plugin with more than 50,000 active installations. This vulnerability can be leveraged via an existing POP chain present in the plugin to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution by authenticated subscriber-level attackers possible.

82,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in TheGem WordPress Theme

On May 4th, 2025, we received a submission for an Arbitrary File Upload vulnerability in TheGem, a WordPress theme with more than 82,000 sales. This vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover.

Recently Disclosed SureTriggers Critical Privilege Escalation Vulnerability Under Active Exploitation

On May 2nd, 2025, the Wordfence Threat Intelligence team added a new critical vulnerability to the Wordfence Intelligence vulnerability database in the OttoKit: All-in-One Automation Platform (Formerly SureTriggers) plugin, publicly disclosed by a third-party CNA on April 30th, 2025. This vulnerability makes it possible for unauthenticated attackers to gain administrator-level access to vulnerable sites that have never used an application password or connected to SureTriggers, and for authenticated attackers with a valid application password to do the same.

Interesting WordPress Malware Disguised as Legitimate Anti-Malware Plugin

The Wordfence Threat Intelligence team recently discovered an interesting malware variant that appears in the file system as a normal WordPress plugin, often with the name ‘WP-antymalwary-bot.php’, and contains several functions that allow attackers to maintain access to your site, hide the plugin from the dashboard, and execute remote code. Pinging functionality that can report back to a Command & Control (C&C) server is also included, as is code that helps spread malware into other directories and inject malicious JavaScript responsible for serving ads.

50,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in Greenshift WordPress Plugin

On April 14th, 2025, we received a submission for an Arbitrary File Upload vulnerability in Greenshift, a WordPress plugin with more than 50,000 active installations. This vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover.

6,000 WordPress Sites Affected by Arbitrary File Move Vulnerability in Drag and Drop Multiple File Upload for WooCommerce WordPress Plugin

On March 28th, 2025, we received a submission for an Arbitrary File Move vulnerability in Drag and Drop Multiple File Upload for WooCommerce, a WordPress plugin with more than 6,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to move arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.

100,000 WordPress Sites Affected by Administrative User Creation Vulnerability in SureTriggers WordPress Plugin

On March 13th, 2025, we received a submission for an Unauthenticated Administrative User Creation vulnerability in SureTriggers, a WordPress plugin with more than 100,000 active installations. This vulnerability can be leveraged by attackers to create malicious administrator users when the plugin is not configured with an API key.

2024 Annual WordPress Security Report by Wordfence

Read the 2024 WordPress Security Report by Wordfence: Despite another record year for disclosed vulnerabilities in 2025, the rising number doesn’t necessarily translate to increased risk for the vast majority of site owners. This article delves into the specifics of the 2024 vulnerabilities published, demonstrating why the heightened disclosure rate shouldn’t be a cause for alarm in the WordPress community.

50,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Uncanny Automator WordPress Plugin

On March 5th, 2025, we received a submission for an Arbitrary File Upload vulnerability in Uncanny Automator, a WordPress plugin with more than 50,000 active installations. This vulnerability can be used by authenticated attackers, with subscriber-level access and above, to grant themselves administrative privileges by updating the user role.

20,000 WordPress Sites Affected by Arbitrary File Upload and Deletion Vulnerabilities in WP Ultimate CSV Importer WordPress Plugin

On March 5th, 2025, we received a submission for an Arbitrary File Upload and an Arbitrary File Deletion vulnerability in WP Ultimate CSV Importer, a WordPress plugin with more than 20,000 active installations. The arbitrary file upload vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover. The arbitrary file deletion vulnerability can be used by authenticated attackers to delete arbitrary files, including the wp-config.php file, which can also make a site takeover possible.