WordPress has been appearing frequently in cybersecurity news recently. Most reports focus on vulnerabilities in plugins and themes. However, our team has also seen cases where attackers leveraged poorly secured WordPress sites to distribute trojans. This isn’t shocking, given WordPress’s massive popularity as a CMS. Still, the sheer volume of plugin vulnerabilities and related incidents highlights how closely attackers are monitoring the WordPress ecosystem.
WordPress Incidents
This summer, several significant security incidents related to WordPress have emerged.
Gravity Forms plugin: site compromise and code injection
In early July, attackers compromised a site using the Gravity Forms plugin, a widely used form builder, injecting malicious code into versions 2.9.11.1 and 2.9.12. Sites where these versions were installed manually or via Composer were infected between July 9 and 10.
The malware blocked updates, installed additional malicious code, and created new admin accounts, granting attackers full control over the site for malicious purposes.
The Gravity Forms team urges all users to verify their plugin version. Detailed instructions for checking and removing the malware are available in the official notice. Users should also update to version 2.9.13 immediately.
Alone theme: exploitation of CVE-2025-5394
In July, security researchers reported active exploitation of a critical flaw (CVE-2025-5394) in the Alone WordPress theme, up to version 7.8.3. This vulnerability allowed unauthenticated file uploads, enabling remote code execution (RCE) and full site control.
Interestingly, attacks started days before the official disclosure. By June 12, Wordfence reported over 120,000 attempts to exploit this vulnerability. Attackers uploaded ZIP files containing webshells, installed backdoors, and created hidden admin accounts. Some even installed full-featured file managers to control the site’s database completely.
The Alone theme developers released version 7.8.5 to patch the flaw. Users are strongly advised to update immediately and follow the guidance provided by Wordfence to secure their sites.
Motors theme: exploitation of CVE-2025-4322
In June, attackers also targeted WordPress sites using the premium Motors theme. They exploited CVE-2025-4322, a vulnerability in the user validation process affecting versions up to 5.6.67, allowing attackers to hijack admin accounts.
StylemixThemes released a patched version 5.6.68 on May 14, 2025. Despite Wordfence’s warnings, some users delayed updating, and attacks began May 20. By June 7, Wordfence recorded over 23,000 attempts.
Exploiting CVE-2025-4322 gives attackers full admin rights, enabling them to create accounts and reset passwords.
Efimer malware: spread via compromised WordPress sites
In early August, our team investigated an attack involving Efimer malware — primarily designed to steal cryptocurrency. While it spread via email and malicious torrents, some infections originated from compromised WordPress sites.
Efimer includes a WordPress password cracker that brute-forces admin panels using lists of common passwords. Any successful logins are sent back to the attackers’ servers.
Potentially Risky Vulnerabilities
Several other vulnerabilities have been reported, though not yet widely exploited. The Motors case shows attackers can act quickly, so monitoring these flaws is essential.
GiveWP: vulnerability in donation plugin
In late July, the Pi-hole project team found a vulnerability in the GiveWP plugin. This plugin manages online donations and fundraising campaigns.
The flaw exposed donor information, including names and emails, in the page source without authentication.
GiveWP released a patch on GitHub shortly after discovery. However, nearly 30,000 users’ data were already exposed, as noted by Have I Been Pwned. Administrators should update to version 4.6.1 or later.
Post SMTP: CVE-2025-24000 allows admin takeover
CVE-2025-24000, rated 8.8 on CVSS, affects Post SMTP plugin versions up to 3.2.0. The vulnerability in the REST API lets low-privilege users access email logs, enabling them to reset admin passwords and gain full access.
The patched version 3.3.0 was released on June 11, but only 51.2% of users updated, leaving over 200,000 sites exposed.
Protecting Your WordPress Site
While plugins and themes extend what WordPress can do, each one also widens the site’s attack surface. Follow these best practices:
- Limit plugins and themes to essential ones only.
- Test plugins in a safe environment and inspect for backdoors before installation.
- Choose widely used plugins for quicker vulnerability fixes.
- Avoid abandoned plugins and themes.
- Monitor for suspicious admin accounts or unusual password failures.
- Enforce strong passwords and mandatory two-factor authentication.
- Act promptly if a hack is suspected. If needed, seek external help to minimize damage.
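The brute-force behaviour described for Efimer and the advice to watch for unusual password failures can be turned into a concrete check on the web server's own access log. The script below is an added example, not code from the original article or from any of the projects it mentions: it parses combined-format log lines (the Apache/nginx default), flags client IPs that POST to wp-login.php repeatedly inside a short window, and reports whether a redirect (WordPress's response to a successful login) followed the burst. The sample log lines and the threshold values are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (Apache/nginx default): client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Extract ip, timestamp, method, path (query stripped) and status; None if no match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "path": m.group("path").split("?", 1)[0],
            "status": int(m.group("status"))}

def login_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag IPs with at least `threshold` POSTs to wp-login.php inside any `window`.
    WordPress answers a failed login with 200 (form re-rendered) and a successful one
    with a 302 redirect, so a 302 from a flagged IP means a password was likely guessed."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            posts[rec["ip"]].append((rec["ts"], rec["status"]))
    flagged = {}
    for ip, events in posts.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):  # sliding window over time-sorted attempts
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {"attempts": peak,
                           "login_succeeded": any(s == 302 for _, s in events)}
    return flagged

# Constructed sample: one host hammering wp-login.php, one ordinary admin login.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2025:03:14:0%d +0000] "POST /wp-login.php HTTP/1.1" 200 4211' % i
    for i in range(6)
] + [
    '203.0.113.5 - - [10/Aug/2025:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Aug/2025:08:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Aug/2025:08:02:12 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876',
]
print(login_bursts(SAMPLE_LOG))
```

A flagged IP with `login_succeeded` set is the case to treat as a possible compromise: review the administrator list and recent password resets for that period, not just block the address.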