Sale of a 0day/Nday exploit package for WordPress plugins
🌐 Dark Web | 2026-06-08, 10:36
For informational purposes only
A package of seven independent vulnerabilities in WordPress plugins, each with an installation base of 6,000 to 30,000+ active installations, has been put up for sale. According to the seller, all of the exploits work against current plugin versions.
WordPress underpins about 43% of all websites worldwide (according to W3Techs data), and plugins have long been the main source of its vulnerabilities. According to Patchstack, third-party plugins and themes account for the vast majority of WordPress CVEs: 11,334 new vulnerabilities were reported in 2025, 91% of them in plugins and 9% in themes, with only 6 in WordPress core itself.
In 2024, Positive Technologies listed WordPress plugin vulnerabilities among its trending vulnerabilities.
- Discount oracle + free membership redemption in the Paid Member Subscriptions plugin
Type of vulnerability: chain of Information Disclosure (oracle) and subscription business-logic bypass
Number of installations: 10,000+
The seller claims that chaining the two flaws bypasses payment verification and yields a paid membership for free; the affected plugin is presumably Paid Member Subscriptions.
- reCAPTCHA v3 bypass in the Paid Member Subscriptions plugin
Type of vulnerability: bypassing the reCAPTCHA v3 bot protection
Number of installations: 10,000+
According to the description, the exploit defeats the plugin's built-in bot protection entirely without solving any CAPTCHA, which enables, for example, mass brute-force attacks on the registration form and promo-code enumeration.
- 2FA bypass
Type of vulnerability: Authentication Bypass via an unvalidated provider
According to the seller, the exploit bypasses the second factor entirely; no plugin name or installation count is given for this item.
- Unauth full-user PII dump
Type of vulnerability: Unauthenticated Information Disclosure
Number of installations: 20,000+
A single unauthenticated GET request returns the site's entire user table: email addresses, phone numbers, full names and logins, administrators included.
- Blind SSRF via oEmbed
Type of vulnerability: Blind Server-Side Request Forgery
The exploit makes the server issue an HTTP request to an attacker-chosen URL, including internal hosts and cloud metadata endpoints (AWS IMDS, GCP metadata). As a blind SSRF, the response body is not returned to the attacker, so the direct impact is reaching internal services and triggering side effects rather than reading the metadata response outright.
- Unauth group-member enumeration
Type of vulnerability: Unauthenticated User Enumeration
Number of installations: 6,000+
Without authentication, group membership, sequential user IDs and logins can be enumerated across the site's whole user base, the administrator account included.
- register_ajax ACL inversion
Type of vulnerability: inversion of access control logic
A single inverted call to the function collapses the plugin's distinction between logged-in-only and logged-out-only AJAX handlers (in WordPress, the split between wp_ajax_{action} and wp_ajax_nopriv_{action} hooks), turning every protected endpoint into a public one.
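The reCAPTCHA v3 item above says the protection is bypassed without solving a CAPTCHA. Worth keeping in mind when reading that claim: v3 never shows a challenge at all; the client only obtains a token for a named action, and whether a bot is stopped depends entirely on how strictly the server reads Google's siteverify reply. The check below is an added example (mine, not code from the listing or from any plugin it names) of that reply being validated strictly: a missing token, a failed `success`, an unpinned `action` or `hostname`, an unchecked `score`, or an old `challenge_ts` each fail closed. The token values and replies are constructed, and `post_siteverify` is an injected stand-in for the HTTP call to Google's endpoint.

```python
"""Strict server-side check of a reCAPTCHA v3 siteverify reply.

Added example; not code from the listing above or from any plugin it names.
The server posts the client's token to https://www.google.com/recaptcha/api/siteverify
and receives JSON with success, score, action, hostname and challenge_ts
(error-codes on failure). The replies below are constructed, and
post_siteverify is an injectable stand-in for the HTTP call.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 6, 8, 10, 36, tzinfo=timezone.utc)   # fixed clock for the demo


def _reply(**fields):
    base = {"success": True, "score": 0.9, "action": "register",
            "hostname": "shop.example", "challenge_ts": "2026-06-08T10:35:30Z"}
    base.update(fields)
    return base


# Constructed siteverify replies keyed by token (stand-in for Google's endpoint).
FAKE_SITEVERIFY = {
    "good": _reply(),
    "bot": _reply(score=0.1),
    "wrong-action": _reply(action="login"),             # token minted for another form
    "other-site": _reply(hostname="attacker.example"),  # token minted on another domain
    "stale": _reply(challenge_ts="2026-06-08T10:20:00Z"),
    "invalid": {"success": False, "error-codes": ["invalid-input-response"]},
}


def fake_post_siteverify(secret, token):
    return FAKE_SITEVERIFY.get(token, {"success": False,
                                       "error-codes": ["invalid-input-response"]})


def verify_recaptcha_v3(token, expected_action, expected_hostname, *,
                        secret="SECRET", min_score=0.5,
                        max_age=timedelta(minutes=2),
                        post_siteverify=fake_post_siteverify, now=None):
    """Return (ok, reason). Fails closed on every missing or mismatched field."""
    if not token:
        return False, "missing token"   # a lax check falls through to 'verified' here
    resp = post_siteverify(secret, token)
    if resp.get("success") is not True:
        codes = resp.get("error-codes") or ["unknown"]
        return False, "siteverify failed: " + ",".join(codes)
    # Pin the action: a token minted on the login form must not pass registration.
    if resp.get("action") != expected_action:
        return False, f"action mismatch: {resp.get('action')!r}"
    # Pin the hostname: a token minted on an attacker's site with the same site
    # key must not pass here.
    if resp.get("hostname") != expected_hostname:
        return False, f"hostname mismatch: {resp.get('hostname')!r}"
    score = resp.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)) or score < min_score:
        return False, f"score too low: {score!r}"
    try:
        issued = datetime.strptime(resp.get("challenge_ts"), "%Y-%m-%dT%H:%M:%SZ")
        issued = issued.replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return False, "bad challenge_ts"
    now = now or NOW                    # real code: datetime.now(timezone.utc)
    if not (timedelta(0) <= now - issued <= max_age):
        return False, "token too old"
    return True, "ok"


if __name__ == "__main__":
    for tok in ("good", "", "bot", "wrong-action", "other-site", "stale", "invalid"):
        print(repr(tok), "->", verify_recaptcha_v3(tok, "register", "shop.example"))
```

Google's endpoint also rejects a token presented a second time (error code `timeout-or-duplicate`), so a replayed token fails at the `success` check. When auditing a plugin that advertises v3 protection, these are the points to read for: what happens when the token parameter is absent, whether `action` and `hostname` are compared at all, and whether the score threshold is configurable down to zero.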
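The blind SSRF item above names cloud metadata endpoints as targets. The usual mitigation on the fetching side, whatever the plugin, is an egress check run before any server-side fetch of a user-supplied URL: resolve the host first, refuse every non-public answer, refuse metadata hostnames by name, and then connect to the address that was checked rather than re-resolving. The following is an added example of that check in Python (mine, not code from the listing or from any plugin it names); the DNS table and the hostnames in it are constructed, and `resolve` is injectable so the example runs offline.

```python
"""Egress guard for server-side fetches of user-supplied URLs (oEmbed discovery,
link previews, URL-to-embed helpers).

Added example; not code from the listing above or from any plugin it names.
Before a fetch, resolve the host and refuse any answer that is loopback, private,
link-local (where AWS IMDS, 169.254.169.254, lives) or otherwise non-public, and
refuse well-known cloud metadata hostnames by name.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames that cloud metadata services answer on; blocked regardless of DNS.
METADATA_HOSTS = {"metadata.google.internal", "metadata", "instance-data"}

# Constructed DNS table so the example runs offline. Real code passes real_resolve.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "rebind.attacker.test": ["1.1.1.1", "10.0.0.5"],   # mixed answer: one internal IP
    "localtest.me": ["127.0.0.1"],
    "metadata.google.internal": ["169.254.169.254"],
}


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"cannot resolve {host}")
    return FAKE_DNS[host]


def real_resolve(host):
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_ip(ip):
    a = ipaddress.ip_address(ip)
    if a.version == 6 and a.ipv4_mapped is not None:
        a = a.ipv4_mapped          # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)


def check_outbound_url(url, resolve=fake_resolve):
    """Return (ok, reason, addresses).

    Only ok=True URLs may be fetched, and the fetch must connect to one of the
    returned addresses rather than re-resolving the name; otherwise a DNS answer
    that changes between check and use (rebinding) swaps in an internal IP.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    if parts.username or parts.password:
        return False, "userinfo in URL", []
    host = parts.hostname
    if not host:
        return False, "no host", []
    if host.rstrip(".") in METADATA_HOSTS:
        return False, "metadata hostname", []
    try:
        port = parts.port
    except ValueError:
        return False, "bad port", []
    if port not in (None, 80, 443):
        return False, "port not allowed", []
    try:                                  # literal IP: check it directly
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:                    # hostname: check every resolved address
        try:
            addrs = list(resolve(host))
        except socket.gaierror as e:
            return False, f"resolution failed: {e}", []
    if not addrs:
        return False, "no addresses", []
    # One non-public answer poisons the whole set: an attacker-controlled name can
    # return a public and an internal address in the same reply.
    bad = [ip for ip in addrs if not is_public_ip(ip)]
    if bad:
        return False, f"non-public address {bad[0]}", addrs
    return True, "ok", addrs


if __name__ == "__main__":
    for u in ("https://example.com/page",
              "http://169.254.169.254/latest/meta-data/",
              "http://metadata.google.internal/computeMetadata/v1/",
              "http://rebind.attacker.test/",
              "http://[::ffff:10.0.0.1]/"):
        print(u, "->", check_outbound_url(u)[:2])
```

The guard is deliberately applied to every address in the DNS answer, not just the first: a name the attacker controls can return one public and one internal address and let the HTTP client pick the wrong one. Redirects need the same check on each hop, since a public URL that 302s to 169.254.169.254 is the classic way past a one-shot validation.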