Introduction
WordPress remains the backbone of millions of websites, offering flexibility and scalability through its extensive library of plugins and themes. However, this same openness also makes it a frequent target for cyber threats. Attackers are constantly scanning for outdated software, unpatched vulnerabilities, and misconfigurations that can be exploited to gain unauthorized access.
The reality is clear: many WordPress sites remain vulnerable long after security flaws are disclosed, simply because updates are delayed or neglected. In this environment, relying solely on developer-issued patches isn’t enough—proactive security measures are essential.
This is where Patchstack’s virtual patches (vPatches) come in. By neutralizing known exploits with precision-crafted firewall rules, vPatches protect websites in real time, preventing attackers from taking advantage of unpatched vulnerabilities. Instead of waiting for an official fix, website owners can stay ahead of threats and ensure uninterrupted security.
Recent exploited vulnerabilities and how our vPatches blocked them
Last month alone, we designed and deployed more than 500 new virtual patches to protect our clients from a variety of vulnerabilities, ensuring swift defences against emerging threats without having to wait for an official patch.
In addition to continually adding more vPatches to cover new vulnerabilities, Patchstack is also expanding its protection beyond WordPress, now securing standalone PHP pages where WordPress isn’t loaded, through auto_prepend_file (opt-in, currently in beta). This means that even if a vulnerability exists outside of the WordPress environment, such as in custom PHP scripts or legacy applications, our virtual patches can still detect and block exploitation attempts, ensuring comprehensive security across your entire website.
Here are some of the most interesting vulnerabilities exploited this quarter:

Automatic Plugin – AI plugin
Unauthenticated Arbitrary SQL Execution Vulnerability
WordPress Automatic Plugin – AI content generator and auto poster plugin <= 3.92.0 – Unauthenticated Arbitrary SQL Execution vulnerability (CVE-2024-27956)
- This Critical vulnerability, affecting a popular plugin with 40K+ installations, could allow unauthenticated attackers to execute arbitrary SQL queries on the database by taking advantage of a vulnerable authentication mechanism in the CSV export feature (inc/csv.php) via the “auth” POST parameter.
- Patchstack immediately released a vPatch blocking any request that combines a possible authentication bypass with the SQL query parameter.
More than 6,500 attempts to exploit vulnerable versions of the plugin have been blocked since vPatch deployment.

Startklar Elementor Addons plugin
Unauthenticated Arbitrary File Upload Vulnerability
WordPress Startklar Elementor Addons plugin <= 1.7.13 – Unauthenticated Arbitrary File Upload vulnerability (CVE-2024-4345)
This Critical vulnerability affecting the WordPress Startklar Elementor Addons plugin (currently closed for security reasons) allowed unauthenticated attackers to upload arbitrary files to the webserver, ultimately leading to the website’s takeover.
- In vulnerable versions, the plugin’s “startklar_drop_zone_upload_process” action did not properly validate uploaded file types, enabling anyone to upload malicious files and potentially making remote code execution possible.
- Patchstack’s clients were automatically protected from this vulnerability with a virtual patch blocking any request to the vulnerable action when it also includes files with file types that may contain executable code.
Several thousand attempts to exploit vulnerable versions of the plugin have been blocked since vPatch deployment.
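The plugin-side fix for this class of bug is an upload handler that checks who is calling and what is being uploaded. The following is an added example, not the Startklar plugin’s code; the action name, nonce name and allow-list are assumptions chosen for illustration:

```php
<?php
// Added example, not code from the Startklar plugin: a hardened WordPress AJAX
// upload handler. The action name, nonce name and allow-list are assumptions.
require_once ABSPATH . 'wp-admin/includes/file.php';

// Only the authenticated hook is registered: there is deliberately no
// wp_ajax_nopriv_ variant, so unauthenticated visitors get no entry point.
add_action( 'wp_ajax_example_drop_zone_upload', 'example_drop_zone_upload' );

function example_drop_zone_upload() {
    // A nonce only proves the request came from a page that rendered it; the
    // capability check is what actually decides who may upload.
    check_ajax_referer( 'example_drop_zone', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file received', 400 );
    }

    // Allow-list of extensions and MIME types; php, phtml, html, svg etc. are
    // simply absent, so they can never pass.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // Compare the declared extension against the file's real content, so a
    // renamed script carrying an image extension is rejected here.
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        sanitize_file_name( $_FILES['file']['name'] ),
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // wp_handle_upload() enforces the same allow-list again and stores the file
    // under a unique, sanitized name inside the uploads directory.
    $result = wp_handle_upload(
        $_FILES['file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```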

Bricks theme
Unauthenticated Remote Code Execution Vulnerability
WordPress Bricks theme <= 1.9.6 – Unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2024-25600)
This theme, with an estimated 30K+ active users, suffered from a security flaw that allowed unauthenticated users to execute arbitrary PHP code, leading to the website’s takeover.
- The vulnerability resided in the “prepare_query_vars_from_settings” function, called via the “bricks/v1/render_element” REST route. No capability check was in place, and the plugin’s nonce check was easily bypassed since that nonce is available to anyone accessing the frontend.
- Patchstack’s vPatch was deployed on our affected clients’ websites, protecting them from any exploitation attempts by blocking requests to the vulnerable route when “useQueryEditor” was used by a user without sufficient permissions.
Several hundred attempts to exploit vulnerable versions of the theme have been blocked since vPatch deployment.
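The missing check here is a REST permission_callback that decides on capabilities rather than on a nonce printed into public pages. The following is an added example, not the Bricks theme’s code; the namespace, route, callbacks and the capability required for “useQueryEditor” are assumptions:

```php
<?php
// Added example, not the Bricks theme's code: a REST route whose
// permission_callback enforces a real capability check. The namespace, route,
// callback names and the capability chosen for useQueryEditor are assumptions.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/render_element', array(
        'methods'             => 'POST',
        'callback'            => 'example_render_element',
        // Evaluated before the callback: a rejection returns 401/403 without the
        // element settings ever reaching the rendering code.
        'permission_callback' => 'example_render_element_permission',
        'args'                => array(
            'element' => array( 'required' => true, 'type' => 'object' ),
        ),
    ) );
} );

function example_render_element_permission( WP_REST_Request $request ) {
    // A nonce embedded in the public frontend can be read by anyone, so it cannot
    // stand in for authorization. Require a logged-in user with a capability.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $element  = (array) $request->get_param( 'element' );
    $settings = isset( $element['settings'] ) ? (array) $element['settings'] : array();
    // The query editor lets the caller supply query settings that are evaluated
    // server-side, so gate it behind a stricter capability than plain rendering.
    // 'unfiltered_html' is an assumed choice; pick what fits the site's roles.
    $needed = ! empty( $settings['useQueryEditor'] ) ? 'unfiltered_html' : 'edit_posts';
    if ( ! current_user_can( $needed ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    return true;
}

function example_render_element( WP_REST_Request $request ) {
    $element = (array) $request->get_param( 'element' );
    // Actual rendering is out of scope here; echo back the sanitized element id.
    return rest_ensure_response( array(
        'id' => sanitize_key( $element['id'] ?? '' ),
    ) );
}
```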

GiveWP plugin
PHP Object Injection Vulnerability
WordPress GiveWP plugin <= 3.16.3 – Unauthenticated PHP Object Injection to Remote Code Execution vulnerability (CVE-2024-8353)
- This popular donation plugin with 100k+ installations suffered (again) from a Critical flaw that allowed unauthenticated attackers to perform PHP Object Injection attacks, because of improper deserialization of multiple parameters during the donation process, including those prefixed by “give_” or “card_”. This could ultimately lead to the website’s takeover.
- Patchstack immediately released a vPatch blocking any malicious requests containing known PHP object patterns in the vulnerable parameters.
Several hundred attempts to exploit vulnerable versions of the plugin have been blocked since vPatch deployment.
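As an added example (not Patchstack’s firewall code), a minimal request filter of the kind loaded through auto_prepend_file, serving both the standalone PHP protection described in the introduction and the rule for this vulnerability: it rejects requests that carry serialized PHP object syntax in any parameter under the “give_” or “card_” prefixes named in the advisory. The helper names and the regex are assumptions.

```php
<?php
// Added example, not Patchstack's firewall code: a request filter of the kind
// loaded via auto_prepend_file, modelling the rule described above. The "give_"
// and "card_" prefixes come from the advisory; names and regex are assumptions.

// True when a value contains the syntax of a serialized PHP object (O: or C:
// records), either at the top level or nested inside a serialized array.
function example_looks_like_serialized_object( string $value ): bool {
    // Decode once so URL encoding or base64 wrapping does not hide the pattern.
    $candidates = array( $value, rawurldecode( $value ) );
    $b64 = base64_decode( $value, true );
    if ( $b64 !== false ) {
        $candidates[] = $b64;
    }
    foreach ( $candidates as $c ) {
        if ( preg_match( '/(?:^|[;{])\s*[OC]:\d+:"[A-Za-z0-9_\\\\]+":\d+:\{/', $c ) ) {
            return true;
        }
    }
    return false;
}

// Walks request parameters recursively and returns the offending key path, or
// null. Below a key that matches a watched prefix, every nested value is checked.
function example_find_object_injection( array $params, array $prefixes ): ?string {
    foreach ( $params as $key => $value ) {
        $watched = false;
        foreach ( $prefixes as $prefix ) {
            if ( strncmp( (string) $key, $prefix, strlen( $prefix ) ) === 0 ) {
                $watched = true;
            }
        }
        if ( is_array( $value ) ) {
            $hit = example_find_object_injection( $value, $watched ? array( '' ) : $prefixes );
            if ( $hit !== null ) {
                return $key . '[' . $hit . ']';
            }
        } elseif ( $watched && example_looks_like_serialized_object( (string) $value ) ) {
            return (string) $key;
        }
    }
    return null;
}

// auto_prepend_file runs this before any application code, WordPress or not.
$hit = example_find_object_injection( array_merge( $_GET, $_POST ), array( 'give_', 'card_' ) );
if ( $hit !== null ) {
    http_response_code( 403 );
    exit( 'Request blocked: serialized PHP object in parameter ' . $hit );
}
```

Run such a rule in log-only mode first, since legitimate form data under the watched prefixes should never contain serialized objects and any hit is worth reviewing before enforcement is switched on.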
Key takeaways and conclusion
A strong WordPress security strategy goes beyond routine updates—it requires real-time threat mitigation to stay ahead of attackers. While official patches are necessary, they often arrive after threats have already been exploited.
By combining Patchstack’s proactive security with smart practices like regular updates, monitoring, and minimizing unnecessary plugins, you can build a strong, resilient defense against cyber threats.
Stay informed with our latest updates to keep your WordPress site protected against evolving cyber threats.
Help us make the Internet a safer place
Making the WordPress ecosystem more secure is a team effort, and we believe that plugin developers and security researchers should work together.
- If you’re a plugin developer, join our mVDP program that makes it easier to report, manage and address vulnerabilities in your software.
- If you’re a security researcher, join Patchstack Alliance to report vulnerabilities & earn rewards.