Q3 2025's Most Exploited WordPress Vulnerabilities and How Patchstack’s RapidMitigate Blocked Them

Published 30 September 2025

WordPress powers a huge portion of the web, and its extensibility (plugins, themes, and custom code) is both its strength and its greatest security risk. When vulnerabilities appear in popular plugins or in bespoke site code, attackers move quickly to exploit them; the real danger today is not obscure zero-days but known flaws left unpatched in production sites.

In controlled tests conducted by Patchstack, standard hosting defenses failed to stop most real-world WordPress exploits, with 87.8% of tested attacks bypassing host-level protections and only Patchstack’s RapidMitigate application-layer mitigation preventing full compromise.

That finding underlines a practical truth: perimeter defenses (network firewalls, edge WAFs, server hardening) are necessary, but they are not sufficient by themselves.

Many hosting providers and third-party tools do provide meaningful protection for generic threats (bot traffic, basic SQLi/XSS patterns, DDoS), yet WordPress-specific logic flaws, privilege escalation bugs, and certain file-handling vulnerabilities frequently slip through those controls. In the Patchstack tests, several hosts blocked few or none of the tested plugin exploits, leaving the application layer as the final and decisive line of defense.

Patchstack’s approach is to neutralize exploitation attempts at the application level through its RapidMitigate solution, deploying precise mitigation rules in real time to block exploit patterns until site owners can apply permanent fixes.

Recent exploited vulnerabilities and how RapidMitigate blocked them

Last month alone, we designed and deployed more than 250 new mitigation rules in RapidMitigate to protect our clients from a variety of vulnerabilities, providing swift defences against emerging threats without waiting for an official patch.

Here are some of the most interesting vulnerabilities exploited this quarter:

Ottokit (formerly SureTriggers) plugin

Privilege Escalation Vulnerability

100K+ installations, CVSS 9.8

WordPress OttoKit (formerly SureTriggers) plugin <= 1.0.82 - Privilege Escalation Vulnerability (CVE-2025-27007)

  • This critical vulnerability affecting a popular plugin with 100K+ installations could allow unauthenticated attackers to execute a wide range of actions (up to remote code execution) on the affected WordPress installation, by exploiting a flawed authentication mechanism.
  • The “sure-triggers/v1/connection/create-wp-connection” REST route allowed adding a new connection key by verifying only a guessable username. The resulting connection key could then be used to perform sensitive actions, including creating new administrative accounts.
  • Patchstack immediately released a mitigation rule blocking any malicious requests targeting the vulnerable REST route.

Several thousand attempts to exploit vulnerable versions of the plugin have been blocked since rule deployment.

FunnelKit Automations plugin

Unauthenticated Arbitrary Plugin Installation Vulnerability

20K+ installations, CVSS 9.8

WordPress FunnelKit Automations plugin <= 3.5.3 - Unauthenticated Arbitrary Plugin Installation vulnerability (CVE-2025-1562)

This plugin, with an estimated 20K+ active users, was affected by a security flaw that allowed unauthenticated users to install arbitrary plugins, which could ultimately lead to a website takeover if a deliberately vulnerable plugin was installed.

  • The vulnerability resided in the “install_or_activate_addon_plugins” function, called via the “plugin/install_and_activate” route. A weak nonce hash check was in place; if it passed, the capability check was skipped, so access to the endpoint was not properly restricted.
  • Patchstack's mitigation rule was deployed on our affected clients’ websites, protecting them from exploitation attempts by blocking requests to the vulnerable route when the user does not have sufficient permissions.

Several thousand attempts to exploit vulnerable versions of the plugin have been blocked since rule deployment.
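The OttoKit and FunnelKit cases above are both authorization failures on a plugin endpoint: one trusted a guessable username as proof of identity, the other let a passing nonce check stand in for a capability check. The block below is an added example written for this article, not the code of either plugin. The REST namespace `example-plugin/v1`, the route names, the option name, the nonce action and the addon allowlist are hypothetical; the WordPress functions used are real. It places the two weak patterns beside the hardened form, where WordPress handles authentication and `permission_callback` holds the capability check.

```php
<?php
// Added example, not the OttoKit or FunnelKit plugins' code. Namespace, routes, option
// and nonce names and the addon allowlist are hypothetical; the WordPress APIs are real.

add_action( 'rest_api_init', function () {

    // --- Weak pattern 1 (illustrative): permission_callback lets everyone in and the handler
    //     "authenticates" by checking that a username exists. Usernames are public information.
    register_rest_route( 'example-plugin/v1', '/weak/connection', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $req ) {
            if ( ! get_user_by( 'login', (string) $req->get_param( 'username' ) ) ) {
                return new WP_Error( 'unknown_user', 'Unknown user', array( 'status' => 403 ) );
            }
            // ... hands back a connection key that later unlocks privileged actions
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );

    // --- Weak pattern 2 (illustrative): a nonce is treated as authorization, so no capability
    //     check ever runs. A nonce only ties a request to the page that minted it.
    register_rest_route( 'example-plugin/v1', '/weak/install', array(
        'methods'             => 'POST',
        'permission_callback' => function ( WP_REST_Request $req ) {
            return (bool) wp_verify_nonce( (string) $req->get_param( '_nonce' ), 'example_install' );
        },
        'callback'            => function ( WP_REST_Request $req ) {
            // ... installs and activates whatever plugin the request names
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );

    // --- Hardened: authentication is left to WordPress (cookie + X-WP-Nonce header, or an
    //     application password), authorization is a capability check in permission_callback,
    //     and request parameters are validated before the handler sees them.
    register_rest_route( 'example-plugin/v1', '/connection', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );   // logged-out callers have no capabilities
        },
        'callback'            => function () {
            $key = wp_generate_password( 64, false );      // random secret, unrelated to any username
            update_option( 'example_connection_key_hash', wp_hash_password( $key ) );
            return rest_ensure_response( array( 'key' => $key ) );  // shown once, stored only as a hash
        },
    ) );

    register_rest_route( 'example-plugin/v1', '/install', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( 'install_plugins' );  // unconditional: a nonce never replaces it
        },
        'args'                => array(
            'slug' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
                'validate_callback' => function ( $slug ) {
                    // Only addons the plugin itself ships may be installed through this route.
                    return in_array( $slug, array( 'example-addon-one', 'example-addon-two' ), true );
                },
            ),
        ),
        'callback'            => function ( WP_REST_Request $req ) {
            $slug = $req->get_param( 'slug' );
            // ... proceed with the install for $slug
            return rest_ensure_response( array( 'installed' => $slug ) );
        },
    ) );
} );
```

Two review habits follow from this. Since WordPress 5.5 a route registered without a `permission_callback` raises a `_doing_it_wrong` notice, so `'permission_callback' => '__return_true'` is the explicit marker of a public route and is worth grepping for in any plugin audit. And a `wp_verify_nonce` or `check_ajax_referer` call that is not accompanied by a `current_user_can` check is the exact shape of the FunnelKit flaw: CSRF protection without authorization.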

WordPress Depicter Slider plugin <= 3.6.1 - Unauthenticated SQL Injection vulnerability (CVE-2025-2011)

This vulnerability affecting the WordPress Depicter Slider plugin allowed unauthenticated attackers to inject extra SQL queries into regular ones and thereby obtain sensitive information stored in the database.

  • In vulnerable versions, the plugin’s “s” parameter (used for search) was not properly sanitized before being used in SQL queries, thereby enabling anyone to perform additional SQL queries on the website’s database, potentially exposing sensitive data.
  • Patchstack’s clients were automatically protected from this vulnerability with a mitigation rule blocking any request to several “depicter-*” actions involving the “s” parameter, when it also contained characters that could potentially lead to an SQL injection.

Several hundred attempts to exploit vulnerable versions of the plugin have been blocked since rule deployment.
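The mitigation rule above works by refusing requests whose “s” parameter carries characters that could form SQL syntax, which is the right stopgap but not the fix. The fix is for the parameter never to be interpreted as SQL at all. The following is an added example written for this article, not the Depicter plugin's code; the table name `example_sliders`, the AJAX action `example_search` and the column names are hypothetical. It shows string interpolation beside a query bound through `$wpdb->prepare()`.

```php
<?php
// Added example, not the Depicter plugin's code. Table, column and action names are hypothetical.

// Weak: the raw parameter is interpolated into the SQL string, so a quote in "s" ends the
// literal and whatever follows is executed as part of the query.
function example_search_unsafe( $s ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_sliders';
    return $wpdb->get_results( "SELECT id, name FROM {$table} WHERE name LIKE '%{$s}%'" );
}

// Hardened: the value is bound as a %s placeholder through $wpdb->prepare(), and the LIKE
// wildcards % and _ inside the user's text are escaped with esc_like() so they match literally.
// The table name comes from the trusted prefix, never from the request.
function example_search_safe( $s ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_sliders';
    $s     = sanitize_text_field( wp_unslash( $s ) );
    $like  = '%' . $wpdb->esc_like( $s ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, name FROM {$table} WHERE name LIKE %s LIMIT %d", $like, 50 )
    );
}

// The AJAX handler stays public (both hooks registered) because search is meant to be
// unauthenticated here; what changes is that the input is bounded and bound, not blocklisted.
add_action( 'wp_ajax_example_search', 'example_search_ajax' );
add_action( 'wp_ajax_nopriv_example_search', 'example_search_ajax' );
function example_search_ajax() {
    $s = isset( $_GET['s'] ) ? (string) $_GET['s'] : '';
    if ( strlen( $s ) > 100 ) {
        wp_send_json_error( 'query_too_long', 400 );
    }
    wp_send_json_success( example_search_safe( $s ) );
}
```

Note that `sanitize_text_field()` is there for data hygiene, not SQL safety; the protection comes entirely from `prepare()`, which is why a character blocklist in front of `example_search_unsafe()` can only ever be a temporary measure.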

Kubio AI Page Builder plugin

Unauthenticated Local File Inclusion Vulnerability

100K+ installations, CVSS 9.8

WordPress Kubio AI Page Builder plugin <= 2.5.1 - Unauthenticated Local File Inclusion vulnerability (CVE-2025-2294)

  • This vulnerability affecting a popular page builder plugin with 100K+ installations allowed unauthenticated attackers to include and execute arbitrary files on the server via the “__kubio-site-edit-iframe-classic-template” parameter, due to improper sanitization and the lack of an allowlist. This could ultimately lead to sensitive data exposure, or in rare cases, remote code execution (RCE).
  • Patchstack immediately released a mitigation rule blocking any malicious requests containing known Local File Inclusion patterns in the vulnerable parameter.

Several hundred attempts to exploit vulnerable versions of the plugin have been blocked since vPatch deployment.
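The root cause named above is the combination of improper sanitization and a missing allowlist: a request parameter chose which file the plugin would include. The block below is an added example written for this article, not Kubio's code; the `template` parameter, the `templates/` directory and the three template names are hypothetical. It shows the weak include beside an allowlist-keyed one with a `realpath()` containment check as defense in depth.

```php
<?php
// Added example, not the Kubio plugin's code. Parameter, directory and template names are hypothetical.

// Weak: the request value is joined onto a path and included. Traversal sequences or an
// absolute path in the parameter select files the developer never intended to run.
function example_render_template_unsafe() {
    $tpl = $_GET['template'] ?? 'default';
    include plugin_dir_path( __FILE__ ) . 'templates/' . $tpl . '.php';
}

// Hardened: the parameter is only ever a key into a fixed map of known templates. Unknown
// keys fall back to the default, so the request value never reaches the filesystem.
function example_render_template_safe() {
    $templates = array(
        'default' => 'default.php',
        'classic' => 'classic.php',
        'blank'   => 'blank.php',
    );
    $key  = sanitize_key( $_GET['template'] ?? 'default' );
    $file = $templates[ $key ] ?? $templates['default'];
    $dir  = plugin_dir_path( __FILE__ ) . 'templates';

    // Defense in depth: even with the allowlist, confirm the resolved file still lives under
    // the templates directory, so a future edit to the map cannot silently reintroduce the bug.
    $base = realpath( $dir );
    $real = realpath( $dir . '/' . $file );
    if ( false === $base || false === $real || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Template not found', 'Error', array( 'response' => 404 ) );
    }
    include $real;
}
```

The allowlist, not the path check, is the control that matters: a mitigation rule that blocks “known Local File Inclusion patterns” in the parameter has to anticipate every encoding of a traversal, whereas a map lookup has nothing to anticipate.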

Key takeaways and conclusion

Attackers continue to exploit the same weaknesses quarter after quarter because too many sites remain unpatched or rely solely on generic hosting defenses. The lesson is clear: updates matter, but timing matters even more. Once a vulnerability is disclosed, adversaries are already weaponizing it, and waiting days or weeks to apply fixes leaves a dangerous gap.

Patchstack’s RapidMitigate closes that gap by blocking exploitation attempts in real time, giving site owners the breathing room they need to update safely. Combined with disciplined practices (applying updates promptly, removing unused plugins, and monitoring for suspicious activity), this layered approach turns WordPress from an easy target into a resilient platform.

Staying one step ahead of attackers requires awareness, speed, and the right tools. Keep following our updates to know which vulnerabilities are being exploited right now, and how Patchstack can help you stop them before they cause damage.
