Security researchers have identified a wave of attacks in which attackers exploit arbitrary plugin installation vulnerabilities in plugins and themes for the widely used WordPress platform, targeting websites worldwide to install malicious plugins and seize control of them.
In one notable case, the vulnerability tracked as CVE-2024-11972 in the Hunk Companion WordPress plugin allowed unauthenticated attackers to install arbitrary plugins through a REST API endpoint that lacked an authorization check.
Similarly, the Alone theme for WordPress was found vulnerable under CVE-2025-5394; more than 120,000 exploit attempts were blocked after attackers abused its "install_plugin" function to upload backdoored ZIP archives and gain full control of the site.
These attacks are particularly dangerous because installing a plugin means running arbitrary PHP inside the site's execution environment: the attacker can deploy malware, create administrator accounts, host phishing pages, or turn the site into a bot-controlled node. The root cause is missing capability checks (for example, no current_user_can( 'install_plugins' ) test) and absent or permissive authorization on the REST and AJAX endpoints that plugins and themes expose.
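As an added illustration (not code from Hunk Companion, the Alone theme, or any real plugin), the following must-use plugin places the vulnerable pattern behind this class of bug next to a hardened version. The route name, AJAX action, nonce name and slug allowlist are assumptions made for the example; the WordPress functions used (register_rest_route, current_user_can, check_ajax_referer, plugins_api, Plugin_Upgrader) are real core APIs.

```php
<?php
/**
 * Plugin Name: Example Install Endpoint (hardened)
 *
 * Added example, not code from any real plugin or theme. Route, action,
 * nonce name and allowlist are assumptions. Drop into wp-content/mu-plugins/.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/*
 * VULNERABLE pattern (shown for contrast; this function is never hooked).
 * permission_callback '__return_true' makes the route public, the
 * wp_ajax_nopriv_ hook exposes the same handler to logged-out visitors,
 * and the handler installs whatever package URL the caller supplies.
 */
function example_register_install_endpoint_vulnerable() {
	register_rest_route( 'example/v1', '/install-plugin', array(
		'methods'             => 'POST',
		'callback'            => 'example_install_any_package',
		'permission_callback' => '__return_true',
	) );
	add_action( 'wp_ajax_nopriv_example_install_plugin', 'example_install_any_package' );
}

function example_install_any_package( $request = null ) {
	$package = $request instanceof WP_REST_Request ? $request->get_param( 'package' ) : ( $_POST['package'] ?? '' );
	require_once ABSPATH . 'wp-admin/includes/file.php';
	require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
	$upgrader = new Plugin_Upgrader( new Automatic_Upgrader_Skin() );
	$result   = $upgrader->install( $package ); // attacker-controlled ZIP unpacked into wp-content/plugins
	if ( wp_doing_ajax() ) {
		wp_send_json( array( 'installed' => $result ) );
	}
	return rest_ensure_response( array( 'installed' => $result ) );
}

/*
 * HARDENED pattern: capability check in permission_callback, nonce plus
 * capability check on the AJAX side, no nopriv hook, and only allowlisted
 * slugs resolved through plugins_api(), so no caller-supplied URL ever
 * reaches the upgrader.
 */
const EXAMPLE_ALLOWED_SLUGS = array( 'classic-editor', 'health-check' ); // assumption

add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/install-plugin', array(
		'methods'             => 'POST',
		'callback'            => 'example_install_allowlisted_plugin',
		'permission_callback' => function () {
			return current_user_can( 'install_plugins' );
		},
		'args'                => array(
			'slug' => array( 'required' => true, 'sanitize_callback' => 'sanitize_key' ),
		),
	) );
} );

add_action( 'wp_ajax_example_install_plugin', function () {
	check_ajax_referer( 'example_install_plugin', 'nonce' ); // dies on a missing or bad nonce
	if ( ! current_user_can( 'install_plugins' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	$request = new WP_REST_Request( 'POST' );
	$request->set_param( 'slug', sanitize_key( $_POST['slug'] ?? '' ) );
	$result = example_install_allowlisted_plugin( $request );
	if ( is_wp_error( $result ) ) {
		wp_send_json_error( $result->get_error_message(), 400 );
	}
	wp_send_json_success( $result->get_data() );
} );

function example_install_allowlisted_plugin( WP_REST_Request $request ) {
	$slug = $request->get_param( 'slug' );
	if ( ! in_array( $slug, EXAMPLE_ALLOWED_SLUGS, true ) ) {
		return new WP_Error( 'example_not_allowed', 'Slug is not in the allowlist.', array( 'status' => 400 ) );
	}
	require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
	require_once ABSPATH . 'wp-admin/includes/file.php';
	require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
	$api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
	if ( is_wp_error( $api ) ) {
		return $api;
	}
	$upgrader = new Plugin_Upgrader( new Automatic_Upgrader_Skin() );
	$result   = $upgrader->install( $api->download_link ); // WordPress.org package only
	if ( is_wp_error( $result ) ) {
		return $result;
	}
	return rest_ensure_response( array( 'installed' => (bool) $result, 'slug' => $slug ) );
}
```

The AJAX caller must send a nonce created with wp_create_nonce( 'example_install_plugin' ); an unauthenticated POST to either endpoint now fails at the permission callback or the nonce check before any download or unzip happens, which is exactly the step the vulnerable pattern skips.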
The impact extends well beyond small blogs. With WordPress powering over 40% of all websites globally, vulnerabilities in plugins and themes represent a broad attack surface for cyber-criminals. Experts warn that website owners and administrators should act immediately. Some estimates suggest that more than 50% of WordPress site compromises stem from outdated or vulnerable extensions.
To mitigate the threat, security teams recommend the following steps:
Immediately update all plugins and themes to the latest versions.
Audit your site for unfamiliar administrator accounts or plugin installations.
Monitor logs for suspicious POST or AJAX requests to endpoints such as /wp-admin/admin-ajax.php?action=install_plugin or similar. Note that the AJAX action is usually sent in the POST body, which plain web-server access logs do not record, so a burst of bare POSTs to admin-ajax.php from one address is itself a signal; use application or WAF logs to see the action name.
Apply the principle of least privilege: disable unused plugins and themes, remove any that aren't actively maintained, and limit the number of accounts that can install plugins.
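As an added example (not from the original article), the script below applies the monitoring step to web-server access logs: it parses combined-format lines, flags install-style admin-ajax actions in the query string, write requests to REST routes whose names suggest plugin or theme installation (reached via /wp-json/ or ?rest_route=), and remote ZIP URLs in parameters, and it counts bare POSTs to admin-ajax.php per IP because the action name is normally hidden in the body. The log lines, route names and threshold are constructed for illustration; it needs PHP 8.0 or later.

```php
<?php
// Added example, not code from the original article. Log lines, route names
// and the burst threshold are constructed for illustration. Requires PHP 8.0+.

const SUSPICIOUS_ACTION_RE = '/install|import|upload|activate/i';
const SUSPICIOUS_ROUTE_RE  = '/plugin|theme|install|import|upload/i';
const AJAX_BURST_THRESHOLD = 3;   // bare POSTs to admin-ajax.php from one IP in this slice

// Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
const COMBINED_LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';

function parse_line(string $line): ?array
{
    if (!preg_match(COMBINED_LOG_RE, $line, $m)) {
        return null;                       // not a combined-format line; skip it
    }
    $url   = parse_url($m[4]);
    $query = [];
    if (!empty($url['query'])) {
        parse_str($url['query'], $query);  // URL parameters only; POST bodies are never logged here
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => strtoupper($m[3]),
            'path' => $url['path'] ?? '', 'query' => $query, 'status' => (int) $m[5], 'ua' => $m[6]];
}

// Reasons one request looks like a plugin-install attempt (empty array = nothing seen).
function classify(array $r): array
{
    $reasons = [];
    $isAjax  = str_ends_with($r['path'], '/wp-admin/admin-ajax.php');
    if ($isAjax && isset($r['query']['action']) && preg_match(SUSPICIOUS_ACTION_RE, $r['query']['action'])) {
        $reasons[] = 'admin-ajax action "' . $r['query']['action'] . '" in query string';
    }
    // REST routes are reached as /wp-json/<route> or /?rest_route=<route>
    $route = null;
    if (($pos = strpos($r['path'], '/wp-json/')) !== false) {
        $route = substr($r['path'], $pos + strlen('/wp-json'));
    } elseif (isset($r['query']['rest_route'])) {
        $route = $r['query']['rest_route'];
    }
    if ($route !== null && $r['method'] !== 'GET' && preg_match(SUSPICIOUS_ROUTE_RE, $route)) {
        $reasons[] = 'write request to REST route ' . $route;
    }
    foreach ($r['query'] as $name => $value) {
        if (is_string($value) && preg_match('#^https?://\S+\.zip(\?\S*)?$#i', $value)) {
            $reasons[] = "remote ZIP URL in parameter \"$name\"";
        }
    }
    return $reasons;
}

// Scan a slice of log lines: one finding per reason, plus per-IP admin-ajax bursts.
function scan(array $lines): array
{
    $findings  = [];
    $ajaxPosts = [];
    foreach ($lines as $i => $line) {
        $r = parse_line($line);
        if ($r === null) {
            continue;
        }
        foreach (classify($r) as $reason) {
            $findings[] = ['line' => $i + 1, 'ip' => $r['ip'], 'reason' => $reason];
        }
        if ($r['method'] === 'POST' && str_ends_with($r['path'], '/wp-admin/admin-ajax.php')) {
            $ajaxPosts[$r['ip']] = ($ajaxPosts[$r['ip']] ?? 0) + 1;
        }
    }
    // The action travels in the POST body, so repeated bare POSTs are worth a look on their own.
    foreach ($ajaxPosts as $ip => $n) {
        if ($n >= AJAX_BURST_THRESHOLD) {
            $findings[] = ['line' => 0, 'ip' => $ip, 'reason' => "$n POSTs to admin-ajax.php; check application logs for the action"];
        }
    }
    return $findings;
}

// Constructed sample lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
$sample = [
    '198.51.100.7 - - [12/Aug/2025:10:00:01 +0000] "GET /blog/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Aug/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=install_plugin HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.10 - - [12/Aug/2025:10:01:03 +0000] "POST /wp-json/example/v1/install-plugin?package=https://203.0.113.5/bd.zip HTTP/1.1" 200 77 "-" "python-requests/2.31"',
    '203.0.113.11 - - [12/Aug/2025:10:02:00 +0000] "POST /?rest_route=/example/v1/import HTTP/1.1" 401 45 "-" "curl/8.4.0"',
    '203.0.113.12 - - [12/Aug/2025:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Go-http-client/1.1"',
    '203.0.113.12 - - [12/Aug/2025:10:03:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Go-http-client/1.1"',
    '203.0.113.12 - - [12/Aug/2025:10:03:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Go-http-client/1.1"',
];

foreach (scan($sample) as $f) {
    printf("line %d ip %s: %s\n", $f['line'], $f['ip'], $f['reason']);
}
```

Run it as `php scan.php` to see the findings for the constructed lines; on a real host, replace $sample with file('/var/log/nginx/access.log', FILE_IGNORE_NEW_LINES). A 401 on a flagged REST route is still worth recording, since it shows the endpoint is being probed even if that attempt failed.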
If you manage any WordPress website, this is not a “tomorrow” problem—it is happening now. Confirm you’ve patched your environment and verified that no rogue code has already been installed.