Cyble Sensors Detect Exploit Attempts on WordPress Plugins, Network Devices

Cyble honeypot sensors have also detected attack attempts on vulnerabilities known to be targeted by APT groups.

March 11, 2025 · 4 min read
Overview

Cyble honeypot sensors have detected dozens of vulnerabilities targeted in attack attempts in recent weeks, including some known to be targeted by advanced persistent threat (APT) groups.

WordPress plugins, network devices and firewalls have been some of the targets detailed in the threat intelligence company’s weekly sensor intelligence reports to clients.

The Cyble reports have also examined persistent attacks against Linux systems and network and IoT devices as threat actors continue to scan for vulnerable devices for ransomware attacks and to add to DDoS and crypto mining botnets. The reports have also examined banking malware, brute-force attacks, vulnerable ports, and phishing campaigns.

Here are some of the recent attack campaigns covered in the Cyble sensor reports. Users could be vulnerable to attack if affected product versions aren’t patched and mitigated.

WordPress Plugin Attack Attempts

Cyble honeypots have picked up attack attempts on four WordPress plugins in recent weeks.

CVE-2024-9593 is an 8.3-severity Remote Code Execution (RCE) vulnerability in the Time Clock and Time Clock Pro plugins for WordPress in versions up to and including 1.2.2 and 1.1.4, respectively. The vulnerability stems from the etimeclockwp_load_function_callback function, which could allow unauthenticated attackers to execute arbitrary code on the server.

CVE-2024-33575 affects the User Meta user management plugin in versions up to 3.0, and could allow unauthorized actors to access sensitive information. The issue arises due to improper access controls, potentially exposing user data.

CVE-2024-2876 is a 9.8-severity SQL Injection vulnerability in The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress, affecting all versions up to and including 5.7.14. The vulnerability exists in the run function of the IG_ES_Subscribers_Query class due to improper escaping of user-supplied input and inadequate preparation of SQL queries. This flaw allows unauthenticated attackers to inject additional SQL queries, potentially extracting sensitive information from the database.
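The defect class named above (user input concatenated into a subscriber query instead of being bound as a parameter) is easier to see side by side. The following is an added example, not code from the Icegram Express plugin: it uses a constructed in-memory SQLite table, a hypothetical status filter, and a hardened version that binds the value and also allow-lists it.

```python
import sqlite3

# Constructed in-memory subscriber table standing in for a mailing-list plugin's
# storage; schema and rows are invented for this example, not the plugin's own.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE subscribers (id INTEGER, email TEXT, status TEXT)")
    con.executemany(
        "INSERT INTO subscribers VALUES (?, ?, ?)",
        [(1, "a@example.com", "subscribed"),
         (2, "b@example.com", "unsubscribed"),
         (3, "c@example.com", "subscribed")],
    )
    return con

def vulnerable_query(con, status):
    # Defect class from the text: the caller-supplied value is interpolated into
    # the SQL text, so a quote character in `status` changes the query structure.
    sql = f"SELECT email FROM subscribers WHERE status = '{status}' ORDER BY id"
    return [row[0] for row in con.execute(sql)]

def prepared_query(con, status):
    # Hardened form: the value is passed as a bound parameter, so the driver
    # treats it purely as data and the WHERE clause cannot be rewritten.
    sql = "SELECT email FROM subscribers WHERE status = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (status,))]

# Defence in depth: a status filter has a small, known set of legal values,
# so reject anything else before it ever reaches the database layer.
ALLOWED_STATUS = {"subscribed", "unsubscribed"}

def lookup_by_status(con, status):
    if status not in ALLOWED_STATUS:
        raise ValueError(f"unexpected status value: {status!r}")
    return prepared_query(con, status)

def demo():
    con = make_db()
    # Constructed input that turns the interpolated WHERE clause into a tautology.
    tampered = "unsubscribed' OR '1'='1"
    return {
        "vulnerable_normal": vulnerable_query(con, "unsubscribed"),
        "vulnerable_tampered": vulnerable_query(con, tampered),  # leaks every row
        "prepared_tampered": prepared_query(con, tampered),      # matches nothing
    }

if __name__ == "__main__":
    print(demo())
```

Running the block shows the interpolated query returning all three addresses for the tampered filter while the bound query returns none; in a WordPress plugin the equivalent hardening is to route every user-influenced value through a prepared statement rather than building the SQL string by hand.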

The Hunk Companion WordPress plugin before version 1.9.0 lacks proper authorization checks on certain REST API endpoints, a vulnerability tracked as CVE-2024-11972. The flaw could allow unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repository, including vulnerable versions of the Hunk Companion plugin that have since been closed. The vulnerability could be exploited to deploy malicious or outdated plugins on a targeted site.

Network Device and Firewall Vulnerabilities

Cyble sensors have also picked up attack attempts on numerous network devices in recent weeks.

CVE-2024-11303 is an 8.7-rated Path Traversal vulnerability in Korenix JetPort 5601 serial device servers that could allow unauthorized access to restricted directories by manipulating the pathname. This issue impacts JetPort 5601 versions up to and including 1.2.

CVE-2024-7593 is a 9.8-severity Incorrect Implementation of an Authentication Algorithm vulnerability in Ivanti Virtual Traffic Manager (vTM) that could enable a remote, unauthenticated attacker to bypass admin panel authentication.

CVE-2024-24919 is an 8.6-severity Information Disclosure vulnerability in Check Point Quantum Security Gateways that could potentially allow an attacker to read certain information on the gateways if they are connected to the Internet and enabled with the Remote Access VPN or Mobile Access Software Blades.

CVE-2024-3400 is a 10.0-severity arbitrary file creation/command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations that could enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by the vulnerability.

Cyble sensors have detected repeated attack attempts on the CVE-2024-3400 vulnerability in recent weeks, and Microsoft reported recently that Silk Typhoon is attempting to weaponize this vulnerability in IT supply chain attacks. Iranian threat actors have also attempted to exploit both the Palo Alto and Check Point vulnerabilities.

Recommendations and Mitigations

Cyble researchers recommend the following security controls:

  • Blocking the targeted hashes, URLs, and email indicators on security systems (Cyble clients receive a separate IoC list).
  • Immediately patching all open vulnerabilities listed here and routinely monitoring the top Suricata alerts in internal networks.
  • Continually checking for attackers’ ASNs and IPs (included in the full Cyble reports).
  • Blocking brute-force attack IPs and the targeted ports listed in the reports.
  • Immediately resetting default usernames and passwords to mitigate brute-force attacks, and enforcing periodic changes.
  • For servers, setting strong passwords that are difficult to guess.

Conclusion

Organizations must remain vigilant in the face of constant threats against both new and older vulnerabilities, patching quickly and applying mitigations where patching isn’t possible.

To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach is critical for defending against exploits and data breaches.

To access full sensor intelligence reports from Cyble, along with IoCs and additional insights and details, click here.
