Technology 3 min read

Hackers are Currently Exploiting These WordPress Plugins

360b /

360b /

According to a recent report, hackers are actively exploiting zero-days in several WordPress plugins.

WordPress is the most popular content management system on the internet, boasting roughly 50-60 percent of the global CMS market.

A recent statistics suggest that over 35 percent of websites on the internet run on various versions of WordPress. The massive number of active installation comes with a significant downside, and that’s security.

Earlier in the year, researchers discovered critical vulnerabilities in WordPress plugins that could affect 400,000 websites. The affected plugins at the time include InfiniteWP Client, WP Time Capsule, and WP Database Reset.

Shortly after, security researchers at found a security flaw in Elementor Page Builder, a plugin with over 3 million installs. The companies involved have since released updates to address these security issues.

Now, recent reports suggest a new set of WordPress hacking campaigns has launched since February, and they appear to be targetting WP plugin flaws.

8 WordPress Plugins that Hackers are Actively Exploiting

Researchers have advised website administrators to update the following WordPress plugins immediately.


Duplicator is one of the most popular plugins on WordPress, with over one million installs. It lets site owners export the content of their sites.

Meanwhile, the vulnerability allows attackers to export a copy of the site. That way, they can extract database credentials and also hijack a WordPress site’s underlying MySQL server.

The bug was patched in version 1.3.28 of the plugin.

Profile Builder

The bug in the profile builder plugin can allow hackers to register an unauthorized account on WordPress sites.

Makers of the plugin patched the bug on February 10. However, attacks didn’t begin until February 24, on the same day that researchers published the proof-of-concept code.

ThemeREX Addons

Security researchers also spotted attacks targeting ThemeRex Addons. It’s a zero-day exploit that allows hackers to create a rogue admin account, and it began on February 18.

Unfortunately, no patch exists for the bug at the moment. So, researchers recommend that website owners remove the plugin as soon as possible.

ThemeGrill Demo Importer

ThemeGrill Demo Importer is a plugin that ships with themes from ThemeGrill — a commercial WP theme vendor.

Right now, over 200,000 sites are using this plugin, and the bug allows attackers to wipe websites that are running the vulnerable version. Under specific conditions, the hacker could even take over the admin account.

With that said, ThemeGrill patched the bug in version 1.6.3 of the plugin.

Flexible Checkout Fields for WooCommerce

Hackers used a zero-day vulnerability to inject XSS payloads that can be triggered in a logged-in administrator’s dashboard. With the XSS payloads in, hackers can create admin accounts on the vulnerable site.

Attacks began back on February 26. However, the plugin developers have since issued a patch.

Other WordPress Plugins

Other plugins with similar zero-day exploit include Async JavaScript, 10Web Map Builder for Google Maps, as well as Modern Events Calendar Lite.

Meanwhile, patches are available for each of them.

Read More: WordPress Announces Lazy-Loading Images in WP Core

First AI Web Content Optimization Platform Just for Writers

Found this article interesting?

Let Sumbo Bello know how much you appreciate this article by clicking the heart icon and by sharing this article on social media.

Profile Image

Sumbo Bello

Sumbo Bello is a creative writer who enjoys creating data-driven content for news sites. In his spare time, he plays basketball and listens to Coldplay.

Comments (0)
Most Recent most recent
share Scroll to top

Link Copied Successfully

Sign in

Sign in to access your personalized homepage, follow authors and topics you love, and clap for stories that matter to you.

Sign in with Google Sign in with Facebook

By using our site you agree to our privacy policy.