In March of 2021, Seravo announced that its security monitoring noticed three 0-day vulnerabilities in popular WordPress plugins being exploited by attackers. The lack of fixes in zero-day vulnerabilities makes them harder to deal with. Seravo also stated that even recognizing them can be a feat, as on the surface the plugin seems to be working as usual.
Zero-day vulnerabilities discovered:
- WooCommerce HelpScout: Unauthenticated file upload and remote code execution
- Thrive Themes and plugins: Unauthenticated arbitrary file upload and option deletion
- The Plus Addons for Elementor Page Builder < 4.1.7: Authentication bypass
Seravo also stated that updating the plugins won’t protect WordPress sites from 0-days vulnerabilities. The system must be monitored and malicious traffic identified. According to the announcement, the proof-of-concept code will be made available once enough time has passed for users to update.