CyberSecurity news
Daryna Olyniychuk@SOC Prime Blog
Attackers are actively exploiting vulnerabilities in popular content management systems (CMS) like WordPress and Craft CMS to gain unauthorized access to web servers. These attacks highlight the critical need for website administrators to stay vigilant and promptly apply security patches. A significant phishing campaign has been identified targeting WordPress WooCommerce users, where victims are tricked into downloading a fake security patch that actually installs a backdoor on their sites, allowing attackers persistent access.
Craft CMS is also facing active exploitation of a critical vulnerability, CVE-2025-32432, which allows for Remote Code Execution (RCE). This flaw is particularly dangerous as it is being chained with another vulnerability, CVE-2024-58136 in the Yii framework, to facilitate zero-day attacks. These chained exploits enable attackers to breach servers and steal sensitive data. Researchers are urging Craft CMS users to update to patched versions immediately to mitigate the risk.
An investigation into a compromised server revealed that attackers used CVE-2025-32432 to download a PHP-based file manager, which then enabled them to upload further malicious PHP files. The investigation involved analyzing access logs from the web server and Craft CMS logs, including web logs and phperrors.log, to identify the attacker's actions. The attack leverages Craft CMS's asset management system, exploiting a flaw in how the system handles asset IDs and image transformations.
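As an added illustration of the log-based investigation described above (this is not code from SOC Prime or the cited researchers), the following Python script parses constructed access-log lines and flags the pattern the summary describes: a client that hits the Craft asset-transform action and then makes successful requests to PHP files other than Craft's single front controller. The transform action path, the `/index.php` entrypoint and every log line are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not from the page).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2025:08:01:10 +0000] "POST /index.php?p=admin/actions/assets/generate-transform HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Apr/2025:08:01:12 +0000] "GET /fm.php HTTP/1.1" 200 48211 "-" "python-requests/2.31"
203.0.113.7 - - [10/Apr/2025:08:02:40 +0000] "POST /fm.php?act=upload HTTP/1.1" 200 310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2025:08:02:55 +0000] "GET /images/helper.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Apr/2025:08:03:01 +0000] "GET /index.php?p=blog/hello HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2025:08:04:30 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Assumed marker for the Craft asset-transform controller action the summary refers to;
# it only matches when the action appears in the URL (POST-body "action" fields are not logged).
TRANSFORM_MARKER = "actions/assets/generate-transform"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_php_requests(log_text, entrypoint="/index.php"):
    """Flag 2xx requests to PHP files other than the single front controller
    and record whether the same client hit the asset-transform action earlier."""
    transform_seen = defaultdict(bool)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if TRANSFORM_MARKER in rec["path"]:
            transform_seen[rec["ip"]] = True
            continue
        if path.endswith(".php") and path != entrypoint and rec["status"].startswith("2"):
            findings.append({"ip": rec["ip"], "time": rec["ts"], "method": rec["method"],
                             "path": path, "after_transform": transform_seen[rec["ip"]]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_php_requests(SAMPLE_LOG):
        print(f'{f["time"]} {f["ip"]} {f["method"]} {f["path"]} chained={f["after_transform"]}')
```

Hits that are "chained" to an earlier transform request from the same client are the ones to triage first; the corresponding entries in Craft's phperrors.log will usually show the same timestamps.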
References:
- securityaffairs.com: A large-scale phishing campaign targets WordPress WooCommerce users with a fake security alert urging them to download a ‘critical patch’ hiding a backdoor.
Classification:
- HashTags: #WordPress #CraftCMS #WebSecurity
- Company: WordPress
- Target: Web Servers, WooCommerce Users
- Attacker: Patchstack, Orange Cyberdefense’s CSIRT
- Product: WordPress WooCommerce, Craft CMS
- Feature: Malicious Plugin
- Malware: Backdoor
- Type: Hack
- Severity: Major