Over 250 WordPress Attacks: BI.ZONE Discovers New Wave of Cyber Threats

BI.ZONE experts have recorded over 250 cyberattacks on commercial and government organizations using WordPress. The surge in cybercriminal activity is associated with exploitation of vulnerabilities in must-use CMS plugins, allowing the introduction of malicious code and the creation of backdoors to access corporate systems.

Since February 2025, BI.ZONE WAF specialists have noted an increase in attacks on sites running on WordPress, an open-source content management system (CMS).

Following the publication of Sucuri's research detailing the exploitation technique, there was a sharp increase in attacker activity: more than 250 attack attempts on 13 organizations in a few days. The vulnerability was discovered in the must-use plugins module. Must-use plugins are a special type of WordPress plugin: they are launched automatically on every page load, do not require activation in the admin panel, and are stored in the wp-content/mu-plugins/ directory as PHP files. Attackers use these plugins to redirect users to phishing or malicious sites, inject web shells that act as backdoors, and load malicious JavaScript code.

Although the vulnerability has not yet received a CVSS rating, BI.ZONE WAF experts classify it as critical, since it allows attackers to gain long-term access to web resources. The problem is aggravated by the fact that the vulnerability is not included in the CVE database, and many protection systems only block the consequences of attacks. As protection measures, BI.ZONE experts recommend monitoring changes in the operation of web applications, checking the contents of the mu-plugins directory for suspicious files, and using WAF solutions with up-to-date detection rules.
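
One way to carry out the recommended mu-plugins check is to compare the directory against a hash baseline recorded while the site was known to be clean. This is an added example, not code from BI.ZONE or Sucuri; the function names and the sample files are hypothetical and constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(mu_dir):
    """Map each file under mu_dir (relative path) to its SHA-256 digest."""
    root = Path(mu_dir)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def audit(mu_dir, baseline):
    """Return sorted (status, path, autoloaded) tuples for drift from baseline.

    autoloaded is True for top-level .php files, which WordPress runs on
    every page load; files in subdirectories are not loaded automatically.
    """
    current = snapshot(mu_dir)
    findings = []
    for path in sorted(set(current) | set(baseline)):
        if path not in baseline:
            status = "unexpected"
        elif path not in current:
            status = "missing"
        elif current[path] != baseline[path]:
            status = "modified"
        else:
            continue
        autoloaded = "/" not in path and path.lower().endswith(".php")
        findings.append((status, path, autoloaded))
    return findings

def demo():
    """Run the audit on a constructed mu-plugins directory (sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        mu = Path(tmp) / "wp-content" / "mu-plugins"
        mu.mkdir(parents=True)
        (mu / "site-cache.php").write_text("<?php // constructed known-good file\n")
        (mu / "loader.php").write_text("<?php // constructed known-good file\n")
        baseline = snapshot(mu)  # taken while the site is known to be clean
        # Simulated drift: one file edited, one new file dropped in.
        (mu / "loader.php").write_text("<?php // constructed: content changed\n")
        (mu / "index.php").write_text("<?php // constructed: not in baseline\n")
        return audit(mu, baseline)

if __name__ == "__main__":
    for status, path, autoloaded in demo():
        print(f"{status:10} {path} autoloaded={autoloaded}")
```

Store the baseline outside the web root so that whoever can write to mu-plugins cannot also rewrite the reference hashes.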

BI.ZONE WAF already includes signatures to block this exploitation technique and provides multi-layered protection for web applications and APIs, preventing attacks on known vulnerabilities and countering botnet activity. Organizations using WordPress should increase monitoring and implement preventive security measures to minimize the risk of cyberattacks.
