14 Apr 2025

WordPress Alert: 10 Critical Security Threats Identified in March 2025

Discover the 10 most critical WordPress security vulnerabilities identified in March 2025. Learn how each threat works, the potential impact, and how to protect your website with Quttera’s web security services.

In March 2025, a wave of critical vulnerabilities was uncovered, posing a significant threat to popular WordPress plugins and themes. With a CVSS base score of 9.8/10 (CRITICAL), these vulnerabilities range from local file inclusion and SQL injection to authentication bypasses and arbitrary file uploads. If left unaddressed, they can lead to full site takeovers, data breaches, malware injections, and significant downtime, jeopardizing the functionality and reputation of affected websites.

What makes these vulnerabilities particularly alarming is their potential impact. Many of them can be exploited by unauthenticated attackers, requiring no prior access to the website. Given WordPress's extensive global reach, even a single unpatched plugin can pave the way for widespread exploitation across thousands of sites. For e-commerce platforms, membership portals, and content-driven businesses, this kind of exposure can result in compromised user data, defaced content, and loss of customer trust.

This article highlights the ten most dangerous security threats discovered last month and underscores the importance of comprehensive website protection. It explains how each vulnerability works and outlines its potential impact on WordPress environments. In addition, it emphasizes how Quttera's web security services can play a crucial role in detecting, preventing, and mitigating such threats, providing a shield against potential attacks.
CVE-2025-2266 9.8/10 (CRITICAL)
This vulnerability allows unauthenticated users to modify data in the Checkout Mestres do WP plugin without proper authorization. An attacker can escalate privileges through this flaw, potentially gaining administrative access to the WordPress site. This kind of privilege escalation can lead to full site compromise, allowing an attacker to install malicious plugins, steal data, or deface content.
Because no login or interaction is required, this vulnerability can be exploited remotely and automatically, making it extremely dangerous for exposed websites.

Vulnerability Type: Unauthorized Data Modification / Privilege Escalation
Affected Plugin: Checkout Mestres do WP for WooCommerce
Base Score: 9.8/10 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Breakdown:

  • It can be exploited over the internet; no local access is needed
  • Attack is simple with no special conditions
  • Works with no privileges or login
  • No user interaction is required
  • High impact on confidentiality, integrity, and availability
CVE-2025-2294 9.8/10 (CRITICAL)
All versions of the Kubio AI Page Builder plugin are affected by a Local File Inclusion (LFI) vulnerability. This flaw allows attackers to manipulate file paths to gain access to sensitive server files, such as configuration files (wp-config.php) or log files.

Because this vulnerability can be triggered without authentication, attackers can exploit it remotely to read system files, extract database credentials, or execute malicious scripts under specific server configurations. Sometimes, LFI can lead to Remote Code Execution (RCE), especially when combined with other vulnerabilities.

The broad install base of Kubio AI Page Builder makes this flaw a high-value target for automated attacks and botnets scanning WordPress ecosystems for weak points.

Vulnerability Type: Local File Inclusion (LFI)
Affected Plugin: Kubio AI Page Builder
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Breakdown:

  • Exploitable over the network (e.g., internet)
  • Low complexity, requires no special tricks
  • No login or credentials are needed
  • No user action is necessary (no clicking or input)
  • Severe impact on data, control, and site uptime

This LFI vulnerability represents a high-risk vector that, if left unpatched, can completely compromise the WordPress site.
CVE-2025-2332 9.8/10 (CRITICAL)
This critical vulnerability allows for PHP Object Injection in the Export All Posts, Products, Orders, Refunds & Users plugin. PHP Object Injection occurs when untrusted user input is unserialized in the backend without proper validation, allowing an attacker to inject arbitrary objects into the application’s memory.

If a vulnerable class exists, the attacker can exploit this flaw to execute arbitrary code, delete files, or gain unauthorized access to sensitive functions. In the worst cases, it can lead to a complete site takeover, data theft, or even server-level compromise—especially if combined with other vulnerabilities.

Since the attack is possible without authentication, and the plugin deals with large amounts of user and order data, the impact is especially severe for e-commerce and membership-based WordPress sites.

Vulnerability Type: PHP Object Injection
Affected Plugin: Export All Posts, Products, Orders, Refunds & Users
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Breakdown:

  • It can be triggered remotely via network
  • Low complexity, easy to execute
  • No authentication required
  • No user action is necessary (no clicks or logins)
  • Allows complete compromise of confidentiality, integrity, and availability

The ease of exploitation and extreme potential damage make this one of the most dangerous vulnerabilities in any plugin.
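The unserialize() sink described above beside a hardened replacement, as an added example that is not the Export plugin's own code; the parameter name `export_opts`, the nonce action `eap_export` and the function names are assumptions:

```php
<?php
// Added example, not the Export plugin's own code. Hypothetical parameter and
// function names; shows the unserialize() sink beside a hardened replacement.

// VULNERABLE: export options arrive serialized in a request parameter and are
// unserialized as-is, before any authentication check. Any class with a
// __wakeup()/__destruct() side effect that is loaded on the site becomes a
// gadget an unauthenticated caller can instantiate.
function eap_export_options_unsafe() {
    if ( empty( $_REQUEST['export_opts'] ) ) {
        return array();
    }
    return unserialize( wp_unslash( $_REQUEST['export_opts'] ) ); // PHP Object Injection sink
}

// HARDENED: require an admin capability and a nonce first, never unserialize
// request data, carry the options as JSON decoded to a plain array, and
// validate every field against an allowlist.
function eap_export_options_safe() {
    if ( ! current_user_can( 'manage_options' ) || ! check_ajax_referer( 'eap_export', 'nonce', false ) ) {
        return false;
    }
    if ( empty( $_REQUEST['export_opts'] ) ) {
        return array();
    }
    $opts = json_decode( wp_unslash( $_REQUEST['export_opts'] ), true ); // arrays only, no objects
    if ( ! is_array( $opts ) ) {
        return array();
    }
    $allowed_types = array( 'posts', 'products', 'orders', 'refunds', 'users' );
    return array(
        'type'  => in_array( $opts['type'] ?? '', $allowed_types, true ) ? $opts['type'] : 'posts',
        'limit' => min( 1000, max( 1, absint( $opts['limit'] ?? 100 ) ) ),
    );
}

// If serialized data must still be read from your own storage (never from the
// request), refuse every class so no gadget chain can be triggered.
function eap_unserialize_no_objects( $serialized ) {
    $value = unserialize( $serialized, array( 'allowed_classes' => false ) );
    return is_object( $value ) ? false : $value; // __PHP_Incomplete_Class is rejected
}
```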
CVE-2025-1446 9.8/10 (CRITICAL)
In versions prior to 3.2.8.2, the Pods—Custom Content Types and Fields plugin fails to sanitize and escape a parameter before using it in an SQL statement. While the vulnerability requires admin-level access to exploit, the lack of input validation opens the door to SQL Injection, one of the most dangerous classes of web vulnerabilities.

An attacker—especially one who has compromised an admin account or is operating in a multi-admin environment—can manipulate backend database queries. This can result in:

  • Extraction of sensitive data (e.g., user credentials, emails)
  • Data tampering or deletion
  • Insertion of malicious scripts
  • Full database compromise

Even though this flaw originates from an administrative action, it still qualifies as critical due to the catastrophic potential of successful exploitation.

Vulnerability Type: SQL Injection (via unsanitized parameter)
Affected Plugin: Pods – Custom Content Types and Fields
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Breakdown:

  • It can be exploited remotely
  • The attack is easy to perform
  • The CVSS vector scores privileges required as none, even though the vulnerable parameter is reached through an admin action (this matters where admin access is obtained via other exploits)
  • No user interaction is needed
  • Can fully compromise data confidentiality, integrity, and availability

Even though this case assumes an admin initiates the exploit, the flaw's nature and severity still pose a high risk—especially if paired with chained vulnerabilities or account hijacking.
CVE-2025-2505 9.8/10 (CRITICAL)
The Age Gate plugin, widely used for age verification and content restriction, contains a critical flaw that allows Local PHP File Inclusion (LFI). This vulnerability enables attackers to include arbitrary PHP files stored on the server—such as WordPress core files or sensitive configuration files like wp-config.php.

Because the vulnerability is accessible without authentication and can be exploited remotely, it opens the door to severe consequences:

  • Disclosure of database credentials and API keys
  • Execution of unintended PHP code
  • Remote Code Execution (RCE), when combined with file upload vulnerabilities
  • Complete takeover of the website

Attackers can craft malicious requests that exploit insecure file-handling routines, potentially leading to complete control over the system.

Vulnerability Type: Local PHP File Inclusion (LFI)
Affected Plugin: Age Gate (WordPress plugin)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Breakdown:

  • Exploitable over the network (e.g., through HTTP requests)
  • Requires low skill and minimal setup
  • No login or privileges are needed to exploit
  • No action is required from the user
  • Results in complete compromise of data confidentiality, integrity, and availability

The ease of exploitation combined with the high damage potential makes this LFI vulnerability extremely dangerous, particularly for high-traffic or content-sensitive WordPress sites.
CVE-2025-2512 9.8/10 (CRITICAL)
The File Away plugin suffers from a critical vulnerability due to two major security oversights:
  • Missing capability checks – the plugin doesn't properly verify whether the user is permitted to perform specific actions.
  • Missing file type validation – the plugin accepts any type of file, including executable scripts like .php.
These issues allow unauthenticated attackers to upload malicious files directly to the server. Once uploaded, these files can be executed to:

  • Gain full remote access to the WordPress site
  • Install backdoors or web shells
  • Steal data or manipulate site content
  • Launch further attacks on other websites hosted on the same server

Arbitrary file upload vulnerabilities are among the most dangerous in WordPress security, especially when no authentication is required.

Vulnerability Type: Arbitrary File Upload
Affected Plugin: File Away (WordPress plugin)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Breakdown:

  • It can be exploited over the network, such as with HTTP POST requests
  • Requires minimal effort to execute
  • No login or user permissions are required
  • Victims don’t need to click or do anything
  • This leads to a full compromise of confidentiality, integrity, and availability

In simple terms, this vulnerability allows anyone to upload anything to your site—and that’s a big deal.
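An upload handler with the two oversights named above (no capability check, no file type validation) beside a hardened handler, added here as an example and not File Away's code; the AJAX action `fa_upload`, the nonce action `fa_upload_nonce` and the function names are assumptions:

```php
<?php
// Added example, not File Away's code. Hypothetical AJAX action and nonce names.

// VULNERABLE: reachable by unauthenticated callers (nopriv hook), no capability
// check, and the client-supplied file name is written straight into the uploads
// directory, so a .php upload becomes a web shell on the next request.
function fa_upload_unsafe() {
    $dest = wp_upload_dir()['basedir'] . '/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( array( 'path' => $dest ) );
}
// add_action( 'wp_ajax_nopriv_fa_upload', 'fa_upload_unsafe' ); // the oversight: anonymous access
// add_action( 'wp_ajax_fa_upload', 'fa_upload_unsafe' );

// HARDENED: authenticated users with the upload capability only, nonce-checked,
// extension and MIME type validated against an allowlist, and WordPress' own
// upload pipeline used so the file is sanitised, renamed and stored safely.
function fa_upload_safe() {
    check_ajax_referer( 'fa_upload_nonce', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file']['tmp_name'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    // Allowlist of what this feature legitimately needs; no scripts, no archives.
    $allowed = array( 'pdf' => 'application/pdf', 'png' => 'image/png', 'jpg|jpeg' => 'image/jpeg' );
    $check   = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 500 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_fa_upload', 'fa_upload_safe' ); // logged-in users only; no nopriv hook
```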
CVE-2025-1771 9.8/10 (CRITICAL)
The Traveler theme, widely used in travel booking and hospitality websites, contains a Local File Inclusion (LFI) vulnerability. This flaw allows attackers to manipulate file path inputs and force the server to include unintended PHP files—including sensitive configuration files or scripts that can be exploited.

Because this vulnerability can be triggered without authentication, it represents a high risk, especially for public-facing WordPress installations. An attacker can potentially:

  • View sensitive files (e.g., wp-config.php, logs, or backups)
  • Leak database credentials and API keys
  • Execute PHP files stored on the server
  • Escalate the attack to Remote Code Execution (RCE) if certain conditions are met

This is especially dangerous for high-traffic sites where threat actors can attempt large-scale mass exploitation.

Vulnerability Type: Local File Inclusion (LFI)
Affected Theme: Traveler (WordPress theme)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Breakdown:

  • Can be exploited remotely (e.g., via URL manipulation)
  • Low complexity, simple to craft payloads
  • No login required, works anonymously
  • It does not require any user interaction
  • Affects all three: Confidentiality, Integrity, and Availability

The ability to include arbitrary files on the server without any authentication or interaction makes this one of the most critical issues to patch immediately—especially for sites relying on Traveler for bookings, customer data, or e-commerce.
CVE-2025-2232 9.8/10 (CRITICAL)
The Realteo plugin, integrated with the popular Findeo real estate theme, contains a serious vulnerability that allows unauthenticated users to bypass authentication. In other words, an attacker can gain access to protected areas of the WordPress site without valid credentials.

This flaw is particularly dangerous on websites that:
  • Allow user registration and account management
  • Store private client data, listings, and inquiries
  • Provide agent dashboards or admin functions

Once exploited, attackers can:
  • Impersonate other users (including admins)
  • Alter or delete property listings and customer records
  • Inject malicious code or backdoors
  • Lock out legitimate users and fully compromise the site

Vulnerability Type: Authentication Bypass
Affected Plugin: Realteo – Real Estate Plugin
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Breakdown:

  • The attack can be launched over the internet
  • Exploitation is easy
  • No authentication or login is required
  • It does not require any user interaction
  • Threatens complete confidentiality, integrity, and availability

This authentication bypass is particularly critical because it effectively nullifies all user access controls, allowing attackers to step directly into protected roles. This poses a serious risk to real estate platforms handling sensitive user data and transactions.
CVE-2025-1661 9.8/10 (CRITICAL)
The HUSKY—Products Filter Professional for WooCommerce plugin, a popular plugin for enhancing WooCommerce stores with advanced product filtering, is affected by a Local File Inclusion (LFI) vulnerability. This flaw occurs when attackers can manipulate file paths in plugin parameters, forcing the inclusion of unintended files on the server.

Since this plugin is widely adopted in e-commerce environments, the consequences of this vulnerability are severe. Exploiting the flaw allows unauthenticated attackers to:

  • Access sensitive files, such as wp-config.php, which contains database credentials and security keys
  • Execute arbitrary PHP scripts already present on the server
  • Chain the attack with other vulnerabilities (e.g., file upload flaws) to achieve Remote Code Execution (RCE)
In short, this LFI vulnerability gives attackers a dangerous foothold into the website's backend, posing a significant risk to data, uptime, and trust.

Vulnerability Type: Local File Inclusion (LFI)
Affected Plugin: HUSKY – Products Filter Professional for WooCommerce (WordPress plugin)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Breakdown:

  • Exploitable remotely over the internet
  • Low complexity – easy to reproduce
  • No privileges are required – anyone can attempt it
  • No user interaction is needed
  • Could fully compromise confidentiality, integrity, and availability

This means an attacker doesn’t need to log in, doesn’t need help from users, and can potentially do maximum damage with just a well-crafted URL.
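The file-path manipulation described for Kubio AI Page Builder, Age Gate, Traveler and HUSKY above, shown as a template-loading routine that includes a user-controlled path beside one that resolves the request against a fixed directory and an allowlist. This is an added example, not any of those plugins' code; the `tpl` parameter, the `templates` directory and the function names are assumptions:

```php
<?php
// Added example, not code from any plugin named in this article. Hypothetical
// parameter name 'tpl' and a hypothetical templates/ directory in the plugin.

define( 'TPL_DIR', __DIR__ . '/templates' ); // assumed plugin template folder

// VULNERABLE: the request value is used directly in include(). Traversal
// sequences or an absolute path make the server include any readable PHP
// file (wp-config.php among them) and execute it, which is the LFI the
// article describes.
function load_template_unsafe() {
    $tpl = $_GET['tpl'] ?? 'default';
    include TPL_DIR . '/' . $tpl . '.php';
}

// HARDENED: reduce the value to a bare name, check it against the known
// templates, then confirm the resolved path still lives under TPL_DIR.
function resolve_template( $requested ) {
    $allowed = array( 'default', 'grid', 'list' );
    $name    = basename( (string) $requested );               // drops any directory part
    $name    = preg_replace( '/[^a-z0-9_-]/i', '', $name );    // keeps a safe character set
    if ( ! in_array( $name, $allowed, true ) ) {
        return false;
    }
    $path = realpath( TPL_DIR . '/' . $name . '.php' );
    $base = realpath( TPL_DIR );
    if ( false === $path || false === $base || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return false; // file missing, or it resolved outside the template directory
    }
    return $path;
}

function load_template_safe() {
    $path = resolve_template( $_GET['tpl'] ?? 'default' );
    if ( false === $path ) {
        status_header( 404 ); // unknown template: refuse rather than guess
        return;
    }
    include $path;
}
```

The allowlist alone already blocks traversal; the realpath() check is the second layer that holds even if the allowlist is later widened to user-supplied names.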
CVE-2025-1323 9.8/10 (CRITICAL)
The WP-Recall plugin—commonly used to extend WordPress with user registration, profile management, e-commerce, and community features—is vulnerable to SQL Injection. This vulnerability occurs when input is improperly validated before being used in SQL queries, allowing attackers to inject malicious SQL code into the database layer.

Because this vulnerability is unauthenticated (it can be triggered without logging in), it poses an extreme threat. A successful attack can allow threat actors to:

  • Extract sensitive information (e.g., user credentials, emails, payment data)
  • Modify or delete content
  • Create admin accounts
  • Completely take over the site

Vulnerability Type: SQL Injection
Affected Plugin: WP-Recall – Registration, Profile, Commerce & More (WordPress plugin)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Breakdown:

  • It can be launched over the internet
  • Very easy to execute
  • No login required
  • Requires no user interaction
  • It can expose data, corrupt content, and bring down the site

SQL Injection vulnerabilities remain among the most serious web security threats. When found in user-related or e-commerce plugins like WP-Recall, they can lead to full compromise of data and infrastructure.
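The pattern described for both Pods (an unsanitized, unescaped parameter reaching an SQL statement) and WP-Recall (unvalidated input used in a query), beside the $wpdb->prepare() form. This is an added example, not either plugin's code; the `uid` and `orderby` parameters, the `rcl_profiles` table and the function names are assumptions:

```php
<?php
// Added example, not Pods' or WP-Recall's code. Hypothetical table, columns,
// request parameters and function names.

// VULNERABLE: request values are concatenated into the statement, so a crafted
// value changes the query's structure instead of just its data.
function wpr_get_profile_unsafe() {
    global $wpdb;
    $uid     = $_GET['uid'];
    $orderby = $_GET['orderby'];
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}rcl_profiles WHERE user_id = $uid ORDER BY $orderby"
    );
}

// HARDENED: data values go through prepare() placeholders; identifiers such as
// column names cannot be parameterised, so they are matched against an
// allowlist. Needed on admin-only screens as much as on public ones: the
// Pods case shows an admin-reachable parameter still scores 9.8.
function wpr_get_profile_safe() {
    global $wpdb;
    $uid = absint( $_GET['uid'] ?? 0 );
    if ( 0 === $uid ) {
        return array();
    }
    $allowed_orderby = array( 'user_id', 'created', 'display_name' );
    $orderby         = sanitize_key( $_GET['orderby'] ?? 'user_id' );
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'user_id';
    }
    // WordPress 6.2+ also offers the %i placeholder for identifiers; the
    // allowlist above works on every version and is kept here for clarity.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}rcl_profiles WHERE user_id = %d ORDER BY {$orderby}",
        $uid
    );
    return $wpdb->get_results( $sql );
}
```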
Conclusion
WordPress websites frequently become targets for cybercriminals due to their immense popularity and extensive plugin ecosystem. Here at Quttera, we offer specialized website protection services designed to address these sites' unique security challenges. The comprehensive security solution begins with robust malware detection and removal capabilities to identify and eliminate malicious code, backdoors, and hidden threats that might compromise your WordPress installation.

The protection extends through a Web Application Firewall that filters real-time traffic, effectively blocking malicious requests before they can reach your site. This proactive approach helps defend against common attack vectors like SQL injection and cross-site scripting. Our managed security plan also conducts regular vulnerability assessments to identify security weaknesses in WordPress core files, themes, and plugins, allowing site owners to address potential issues before they can be exploited.

Security for third-party components represents a critical aspect of our approach, as plugins and themes often serve as entry points for attackers. The service continuously monitors these elements for malicious code and recommends updates or replacements when necessary.

Our protection plans' WordPress-focused approach enables site owners to maintain secure websites without requiring extensive security expertise. This ensures protection against evolving threats while preserving site performance and functionality.