Monday, May 5, 2025
HomeCVE/vulnerabilityWordpress Plugin Vulnerability Exposes 3 Million Websites to Injection Attacks

WordPress Plugin Vulnerability Exposes 3 Million Websites to Injection Attacks

Published on

SIEM as a Service

Follow Us on Google News

A critical vulnerability has been identified in the popular UpdraftPlus: WP Backup & Migration Plugin, potentially impacting over 3 million WordPress websites.

This security flaw allows unauthenticated attackers to exploit a PHP Object Injection vulnerability through deserialization of untrusted input.

The issue affects all versions of the plugin up to and including 1.24.11. A patch has been released in version 1.24.12 to address this significant risk.

- Advertisement - Google News

Vulnerability Details

The vulnerability has been officially documented as CVE-2024-10957, with a CVSS score of 8.8, categorizing it as a high-risk issue.

The vulnerability emerged from the recursive_unserialized_replace function within the plugin’s code. This flaw allows attackers to inject PHP Objects, affecting the security of websites using the plugin.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Importantly, no known Proof of Concept (PoC) chains have been reported in the vulnerable software itself; however, if an additional plugin or theme also contains a vulnerability, the risks could escalate significantly.

According to researcher Webbernaut in the Wordfence report, the exploitation of this vulnerability requires an administrator to perform a search and replace action, which essentially triggers the exploit.

Once executed, it could lead to several severe consequences, including unauthorized file deletions, retrieval of sensitive user data, and even remote code execution. This vulnerability emphasizes the importance of routine updates and vigilance in maintaining WordPress installations.

For website owners using the UpdraftPlus plugin, it is essential to take immediate action to mitigate this vulnerability. The recommended remediation is straightforward: update the plugin to version 1.24.12 or any subsequent patched version.

The ease of updating plugins through the WordPress dashboard can significantly reduce the window of exposure to potential attacks.

Website administrators are urged to review their WordPress installations, including all active plugins, for any potential vulnerabilities. Ensuring that all software components are up-to-date is crucial in maintaining a secure online presence.

As the digital landscape continues to evolve, so do the threats posed by cyber attackers. Staying informed about vulnerabilities like CVE-2024-10957 and acting promptly to apply necessary updates can prevent significant security breaches.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Hackers Exploit Email Fields to Launch XSS and SSRF Attacks

Cybersecurity researchers are raising alarms as hackers increasingly weaponize email input fields to execute cross-site...

Luna Moth Hackers Use Fake Helpdesk Domains to Target Victims

A recent investigation by cybersecurity firm EclecticIQ, in collaboration with threat hunters, has exposed...

SonicBoom Attack Chain Lets Hackers Bypass Login and Gain Admin Control

Cybersecurity researchers have uncovered a dangerous new exploitation technique, dubbed the "SonicBoom Attack Chain,"...

Researcher Uses Copilot with WinDbg to Simplify Windows Crash Dump Analysis

A researcher has unveiled a novel integration between AI-powered Copilot and Microsoft's WinDbg, dramatically...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Exploit Email Fields to Launch XSS and SSRF Attacks

Cybersecurity researchers are raising alarms as hackers increasingly weaponize email input fields to execute cross-site...

Luna Moth Hackers Use Fake Helpdesk Domains to Target Victims

A recent investigation by cybersecurity firm EclecticIQ, in collaboration with threat hunters, has exposed...

SonicBoom Attack Chain Lets Hackers Bypass Login and Gain Admin Control

Cybersecurity researchers have uncovered a dangerous new exploitation technique, dubbed the "SonicBoom Attack Chain,"...