Full Report
A new report sheds light on the most targeted WordPress plugin vulnerabilities hackers used in the first quarter of 2025 to compromise sites. [...]
Analysis Summary
# Vulnerability: Top 4 Exploited WordPress Flaws in Q1 2025
## CVE Details
The article mentions four distinct CVEs, but only partial information (CVE ID, fix version) is provided for the first one, and specific CVSS scores are missing for all.
- CVE ID: **CVE-2024-XXXX** (The first mentioned flaw is fixed in version 3.92.1, but the CVE ID is truncated/missing in the provided text, only implying it's one of the top 4 targeted flaws.)
- CVE ID: **CVE-2024-4345**
- CVE ID: **CVE-2024-25600**
- CVE ID: **CVE-2024-8353**
- CVSS Score: [Not specified in the source]
- CWE: [Not specified in the source, except implied via vulnerability type: File Upload, RCE, Object Injection]
## Affected Systems
- **Products:** Multiple WordPress plugins and themes:
  1. Unnamed Flaw (fixed in version 3.92.1)
  2. Startklar Elementor Addons plugin
  3. Bricks theme
  4. GiveWP plugin
- **Versions:**
  1. Unnamed Flaw: versions prior to 3.92.1
  2. Startklar Elementor Addons: prior to 1.7.14
  3. Bricks theme: prior to 1.9.6.1
  4. GiveWP plugin: prior to 3.16.2
- **Configurations:** The conditions needed for exploitation vary by component; the Bricks and Startklar Elementor Addons flaws require no authentication.
## Vulnerability Description
The summary highlights four frequently targeted vulnerabilities in Q1 2025 across the WordPress ecosystem:
1. **Unnamed Flaw (Fix 3.92.1):** A vulnerability that saw hundreds of attacks but is not detailed further here.
2. **CVE-2024-4345 (Startklar Elementor Addons):** An unauthenticated file upload vulnerability caused by missing file type validation, allowing attackers to upload executable files and achieve site takeover.
3. **CVE-2024-25600 (Bricks theme):** A Remote Code Execution (RCE) flaw via the `bricks/v1/render_element` REST route. Weak permission checks and an exposed nonce allowed unauthenticated PHP execution.
4. **CVE-2024-8353 (GiveWP plugin):** A PHP object injection vulnerability arising from insecure deserialization of donation parameters (such as `give_` and `card_`), which could lead to a full site takeover.
## Exploitation
- **Status:** Exploited in the wild (or targeted heavily). Active exploitation for CVE-2024-25600 was spotted in February 2024. Hundreds of attempts were blocked across several vulnerabilities.
- **Complexity:** Implied to be **Low** or **Medium** given the high volume of automated attack attempts observed by security vendors like Patchstack.
- **Attack Vector:** Primarily **Network** (Remote, Unauthenticated access required for RCE/Upload flaws).
## Impact
The primary impact across these flaws involves high-severity outcomes:
- **Confidentiality:** High (Potential for data theft via RCE/Site Takeover)
- **Integrity:** High (Site takeover, code execution, modification of files)
- **Availability:** High (Potential for site defacement or downtime following successful compromise)
## Remediation
### Patches
Administrators should immediately update all affected components:
- **Unnamed Flaw:** Update to version **3.92.1** or later.
- **CVE-2024-4345:** Update Startklar Elementor Addons to version **1.7.14** or later.
- **CVE-2024-25600:** Update Bricks theme to version **1.9.6.1** or later.
- **CVE-2024-8353:** Update GiveWP plugin to version **3.16.2** or later.
### Workarounds
General security best practices are recommended for mitigation:
1. Apply the latest security updates on all WordPress add-ons and themes.
2. Deactivate any themes or plugins not strictly necessary.
3. Delete dormant administrator accounts.
4. Ensure administrator accounts are protected by strong passwords and Multi-Factor Authentication (MFA).
## Detection
Detection relies primarily on Web Application Firewalls (WAFs) or security scanners monitoring ingress traffic:
- **Indicators of Compromise:** High volume of POST/GET requests targeting REST API routes (specifically `bricks/v1/render_element` for CVE-2024-25600) or file upload attempts against plugins.
- **Detection Methods and Tools:** Security solutions like Patchstack or Wordfence were successful in blocking malicious patterns related to PHP object injection and unauthorized file uploads. Administrators should ensure WAFs are configured to block suspicious payloads targeting known deserialization points or file upload forms.
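As an added example (not code from the article or the vendors it names), the following Python check scans constructed web-server access-log lines for requests to the `bricks/v1/render_element` route and counts hits per source, a log-side complement to the WAF monitoring described above. It assumes the combined log format; the `/wp-json/` prefix and `?rest_route=` query form are WordPress's standard REST entry points, and the sample IPs are RFC 5737 documentation addresses.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Combined log format: client IP first, quoted request line, then status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# The Bricks REST route from the article, reached either through WordPress's
# standard /wp-json/ prefix or the ?rest_route= query form.
WATCHED_ROUTES = {
    "CVE-2024-25600": re.compile(
        r'(?:/wp-json/|[?&]rest_route=/)bricks/v1/render_element(?:[/?]|$)'
    ),
}

# Constructed sample lines (documentation addresses), not taken from the article.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2025:10:01:02 +0000] "POST /wp-json/bricks/v1/render_element HTTP/1.1" 200 512
203.0.113.10 - - [12/Mar/2025:10:01:03 +0000] "POST /wp-json/bricks/v1/render_element HTTP/1.1" 200 498
198.51.100.7 - - [12/Mar/2025:10:02:10 +0000] "GET /?rest_route=/bricks/v1/render_element HTTP/1.1" 403 0
192.0.2.5 - - [12/Mar/2025:10:03:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8192
192.0.2.5 - - [12/Mar/2025:10:03:05 +0000] "GET /wp-content/themes/bricks/style.css HTTP/1.1" 200 3021
"""

def scan_log(text: str) -> Tuple[List[Dict[str, str]], Counter]:
    """Return (matching requests, hit count per source IP) for the watched routes."""
    hits: List[Dict[str, str]] = []
    per_ip: Counter = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        for cve, route in WATCHED_ROUTES.items():
            if route.search(m["path"]):
                hits.append({"ip": m["ip"], "method": m["method"],
                             "status": m["status"], "cve": cve})
                per_ip[m["ip"]] += 1
    return hits, per_ip

def noisy_sources(per_ip: Counter, threshold: int = 2) -> List[str]:
    """Source IPs whose hit count reaches the threshold, busiest first."""
    return [ip for ip, n in per_ip.most_common() if n >= threshold]

if __name__ == "__main__":
    hits, per_ip = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]:>14} {h["method"]:<4} {h["status"]} {h["cve"]}')
    print("review:", noisy_sources(per_ip))
```

A 200 response on a blocked route is the case worth reviewing first; a 403 shows the WAF or a permission check rejected the request.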
## References
- [Source Article (BleepingComputer)](https://www.bleepingcomputer.com/news/security/the-four-wordpress-flaws-hackers-targeted-the-most-in-q1-2025/)
- [CVE-2024-25600 exploitation details](https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-rce-flaw-in-bricks-wordpress-site-builder/)
- [MITRE ATT&CK Report Link (General Defense Strategy)](https://hubs.li/Q039Tm490)