A cluster of high-severity vulnerabilities in popular WordPress themes and plugins poses an immediate risk of complete website compromise. Attackers can exploit these flaws to upload web shells, execute SQL injection attacks, and perform object injection, granting them full control over affected sites. Organizations relying on these components must patch immediately to prevent data breaches and ransomware deployment.
Critical File Upload Flaws in ZozoThemes Products
Three separate themes from developer ZozoThemes (Nutrie, Keenarch, and Lendiz) contain severe file upload vulnerabilities. The flaws, tracked as CVE-2025-68555, CVE-2025-68554, and CVE-2025-68553, each allow unauthenticated attackers to upload malicious files, including PHP web shells, directly to the web server. This provides a direct path to remote code execution. All three themes require an update to version 2.0.1 or later to close this security hole.
SQL Injection and Object Injection Threats
Beyond file uploads, other WordPress extensions expose sites to data theft and further exploitation. The Riode Core plugin contains a Blind SQL Injection vulnerability (CVE-2025-69338) that could allow attackers to extract sensitive information from the database. Meanwhile, the ThemeREX Classter plugin is affected by a Deserialization of Untrusted Data flaw (CVE-2025-54001), enabling object injection attacks that can lead to arbitrary code execution. Both require immediate updates to patched versions.
AI-Powered Ransomware and Evasion Tactics
While patching web assets, defenders must also contend with an evolving endpoint threat. A new AI-built ransomware toolkit is automating Active Directory discovery and evading Endpoint Detection and Response (EDR) solutions. This represents a significant escalation in attacker capability, allowing less skilled threat actors to conduct sophisticated network intrusions that culminate in ransomware deployment. The automation of EDR evasion techniques makes detection more challenging for traditional security tools.
Broader Ecosystem and Response Priorities
The need for prompt patching extends beyond WordPress. The latest SANS Stormcast highlights ongoing exploitation of Palo Alto Networks PAN-OS (CVE-2024-3400) and the release of Oracle’s Critical Patch Update for June 2026. Furthermore, the widespread Microsoft Exchange Online outage underscores the critical dependency on cloud services and the need for operational resilience plans, such as hybrid mail flow configurations for critical domains.
Social Engineering Meets AI Support Systems
A separate but concerning trend involves the weaponization of AI support systems for account takeover. Attackers successfully manipulated Meta’s AI support assistant to hijack high-profile Instagram accounts, including those belonging to the Obama White House and U.S. Space Force officials. This incident demonstrates how AI-powered customer support tools can become a new attack vector for social engineering and credential reset attacks, bypassing traditional authentication safeguards.
Immediately audit all WordPress installations for the Riode Core plugin and the Nutrie, Keenarch, and Lendiz themes. Update Riode Core to a version above 1.6.26 and the ZozoThemes products to version 2.0.1 or later. Configure your web application firewall (WAF) with rules that block SQL injection patterns targeting ‘riode-core’ and that block uploads of dangerous file types such as .php and .phtml into the affected theme directories.
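
One way to run the audit described above across many installations, as an added example that is not part of the original report or any vendor tooling. It assumes a standard wp-content layout and that the components live in directories named nutrie, keenarch, lendiz and riode-core; the version bounds are the ones stated in this article.

```python
import re
import sys
from pathlib import Path

# Version bounds come from the article text; the directory slugs are assumed.
FIXED_IN = {("themes", "nutrie"): (2, 0, 1),      # safe at 2.0.1 or later
            ("themes", "keenarch"): (2, 0, 1),
            ("themes", "lendiz"): (2, 0, 1)}
ABOVE = {("plugins", "riode-core"): (1, 6, 26)}   # safe only above 1.6.26

VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d[\w.\-]*)", re.I | re.M)

def parse_version(header):
    """Return the 'Version:' header as an int tuple without trailing zeros."""
    m = VERSION_RE.search(header)
    if not m:
        return None
    parts = [int(p) for p in re.findall(r"\d+", m.group(1))]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def installed_version(directory, kind):
    """Themes declare the version in style.css, plugins in a root PHP header."""
    files = [directory / "style.css"] if kind == "themes" else sorted(directory.glob("*.php"))
    for f in files:
        if f.is_file():
            # WordPress itself only reads the first 8 KB when parsing headers.
            head = f.read_text(encoding="utf-8", errors="replace")[:8192]
            if kind == "themes" or "Plugin Name:" in head:
                return parse_version(head)
    return None

def audit(wp_root):
    """Return (slug, version, status) for each affected component installed."""
    findings = []
    for (kind, slug), bound in {**FIXED_IN, **ABOVE}.items():
        directory = Path(wp_root) / "wp-content" / kind / slug
        if not directory.is_dir():
            continue
        version = installed_version(directory, kind)
        if version is None:
            status = "UNKNOWN"      # present but unreadable: review by hand
        elif (kind, slug) in ABOVE:
            status = "OK" if version > bound else "VULNERABLE"
        else:
            status = "OK" if version >= bound else "VULNERABLE"
        findings.append((slug, version, status))
    return findings

if __name__ == "__main__":
    for root in sys.argv[1:]:
        for slug, version, status in audit(root):
            print(f"{root}: {slug} {version} {status}")
```

Pass one or more WordPress root directories as arguments; inactive themes and plugins are reported too, since their files remain reachable on disk until removed.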