WordPress Security Alert: Plugin Hijacked and Vulnerabilities Exposed

Edward Zhou
Edward Zhou

CEO & Founder

 
July 17, 2025 3 min read

WordPress Plugin Malware Incident

WordPress logo on mobile
Image courtesy of TechRadar

A popular WordPress plugin, Gravity Forms, was compromised to deliver malware for a limited time. The malicious variant harvested extensive site data and allowed for remote code execution (RCE). The attack specifically targeted manual downloads and composer installations.

Security researchers from PatchStack identified that the Gravity Forms website was infiltrated, leading to the distribution of compromised installation files. There are conflicting reports regarding the timeline of this incident. According to PatchStack, users could download infected versions from July 10 and 11, whereas Gravity Forms' CEO, Carl Hancock, clarified that the malicious .ZIP file was only available for a few hours starting July 9, 2023.

The malware had the capability to block updates, contact external servers for additional payloads, and create an admin account for attackers to gain complete control over the affected sites. The incident was restricted to the gravityforms.com marketing and customer account site, which operates separately from the Gravity Forms licensing and update service.

The first clean version of the add-on, Gravity Forms 2.9.13, has since been made available.

For more details, refer to TechRadar's full coverage and BleepingComputer's report.

WordPress XML-RPC Vulnerability

Potential consequences of takeover early leaks
Image courtesy of Imperva

A newly discovered vulnerability could allow attackers to exfiltrate the titles of private and draft posts on WordPress sites via XML-RPC payloads. This vulnerability potentially affects all WordPress installations, making it imperative for users to update their systems and disable the XML-RPC endpoint if not in use.

The attack exploits the XML-RPC feature, which is enabled by default in WordPress installations since version 3.5. The attacker sends a series of POST requests to the XML-RPC endpoint, which can leak sensitive information based on server responses.

Imperva warns that leaking post titles can result in significant financial harm and reputational damage, with examples such as Google's early earnings report leak, which led to a drastic drop in stock prices.

Imperva has created a script to test for this vulnerability and recommends using Web Application Firewall (WAF) technology or disabling the pingback functionality as mitigation strategies.

For further information, check the detailed report on Imperva's blog.

wp-cron.php Exploit Risks

Your WordPress site may face serious risks due to vulnerabilities within the wp-cron.php script, which manages scheduling tasks such as post updates and plugin checks. If exploited, this script can lead to server overload, downtime, and data loss.

To reproduce the vulnerability, an attacker can simply send excessive requests to the wp-cron.php endpoint. This can result in a Denial of Service (DoS) attack, causing the site to become unresponsive or generate error messages.

To secure your WordPress site, it is recommended to disable the default behavior of wp-cron.php by adding the following line to your wp-config.php file:

define('DISABLE_WP_CRON', true);

Furthermore, setting up a server-side cron job to run wp-cron.php at specified intervals can enhance security.

For more information on securing your WordPress site, refer to Gyanendra Singh's article.

WordPress Security Insights

Is WordPress secure?
Image courtesy of Kinsta

Despite being the most popular content management system, WordPress sites are frequently targeted by hackers. A significant number of these hacks occur due to preventable issues such as outdated plugins and themes or weak passwords.

According to a 2023 report by Sucuri, 39.1% of hacked CMS websites were running outdated software. Additionally, plugins were responsible for 96.77% of new security vulnerabilities in 2023. Cross-Site Scripting (XSS) vulnerabilities accounted for the majority of these issues.

To enhance security, it is crucial to keep WordPress core software, plugins, and themes updated. Utilizing strong passwords and employing secure hosting environments are also effective measures.

For more detailed statistics and insights into WordPress security, visit Kinsta's security report.

For businesses looking to secure their WordPress sites against these vulnerabilities, consider exploring undefined's services for comprehensive solutions tailored to your needs. Reach out to us at undefined for expert assistance in safeguarding your online presence.

Edward Zhou
Edward Zhou

CEO & Founder

 

CEO & Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions..

Related Articles

Ransomware Attacks Target Russian Vodka and Healthcare Sectors

The Novabev Group, parent company of the Beluga vodka brand, experienced a ransomware attack on July 14, 2025, causing significant disruptions. The attack affected WineLab, the company's liquor store chain, leading to a three-day closure of over 2,000 locations in Russia. The company reported that the attack crippled its IT infrastructure, particularly point-of-sale systems and online services. Novabev Group stated, "The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands."

By Alan V Gutnov July 19, 2025 3 min read
Read full article

Retail Sector Faces Surge in Ransomware Attacks: A 2025 Analysis

Publicly disclosed ransomware attacks on the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms being particularly targeted, according to a report by BlackFog. This spike in attacks follows high-profile breaches affecting retailers like Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the threat actor known as Scattered Spider.

By Alan V Gutnov July 19, 2025 2 min read
Read full article

AI-Driven Lcryx Ransomware Emerges in Cryptomining Botnet

A cryptomining botnet active since 2019 has incorporated a likely AI-generated ransomware known as Lcryx into its operations. Recent analysis by the FortiCNAPP team at FortiGuard Labs identified the first documented incident linking H2miner and Lcryx ransomware. This investigation focused on a cluster of virtual private servers (VPS) utilized for mining Monero.

By Edward Zhou July 19, 2025 3 min read
Read full article

Preventing ClickFix Attacks: Safeguarding Against Human Error

ClickFix is an emerging social engineering technique utilized by threat actors to exploit human error. This technique involves misleading users into executing malicious commands under the guise of providing "quick fixes" for common computer issues. Threat actors use familiar platforms and deceptive prompts to encourage victims to paste and run harmful scripts.

By Alan V Gutnov July 19, 2025 3 min read
Read full article