The 4 WordPress flaws hackers targeted the most in Q1 2025

Summary: A recent Patchstack report reveals critical vulnerabilities in several WordPress plugins that hackers exploited in early 2025. The report highlights four significant flaws that, despite being fixed in 2024, remain unpatched in numerous installations, leaving many sites at risk. It emphasizes the importance of applying security updates and using effective website security measures to mitigate risks.

Affected: WordPress Plugins and Themes

Key points:

  • CVE-2024-27956: SQL injection flaw allowing unauthenticated attacks on WordPress Automatic Plugin.
  • CVE-2024-4345: File upload vulnerability in Startklar Elementor Addons due to missing type validation.
  • CVE-2024-25600: Remote code execution risk in Bricks theme via weak permission checks.
  • CVE-2024-8353: PHP object injection vulnerability in GiveWP plugin that could lead to full site takeover.
  • Exploitation attempts are often blocked beforehand, but many sites remain unprotected.
  • Website administrators are urged to apply security updates and enhance account security practices.

Source: https://www.bleepingcomputer.com/news/security/the-four-wordpress-flaws-hackers-targeted-the-most-in-q1-2025/