Regularly updating websites and stores is one of those tasks that many postpone until later - until it's too late. However, updates are precisely what close security gaps that attackers use to gain access to sensitive data, administrative accounts, or server files. In recent weeks, it has once again been shown how quickly a relatively innocent vulnerability can turn into a massive campaign affecting thousands of websites worldwide. This time, Magento (Adobe Commerce) and WordPress – two of the most commonly used platforms for websites and stores – are primarily under attack.
Magento / Adobe Commerce – critical vulnerability SessionReaper (CVE-2025-54236)
A critical security hole, named SessionReaper (CVE-2025-54236), has been disclosed for the Adobe Commerce and Magento Open Source platforms. The vulnerability allows an attacker to take over user sessions – meaning they can access the account of a logged-in user or even an administrator without needing a password. Worse still, in certain cases, it also allows remote code execution (RCE), which effectively opens the door for the attacker to the entire server.
Attacks are already active and confirmed in practice. According to the security group Sansec, malicious actors have already attempted to exploit this vulnerability thousands of times. It is a typical attack chain: first, they acquire the session, then install a hidden PHP script (a so-called webshell), which they use to execute arbitrary commands on the server. This means they can steal data, change prices, redirect payments, or even take over the entire store.
Adobe has already released an official security update under the label APSB25-94, which addresses this vulnerability. If the store has not yet been updated, it is exposed to high risk. Store owners are therefore strongly advised to immediately check which version of Magento is running on their server and upgrade if necessary. It is also important to check the system folders (var, pub, tmp) for suspicious files after the update and to verify whether anyone has logged in with administrative rights without authorization.
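One way to automate the post-update sweep of the var, pub and tmp folders described above, as an added example that is not part of the original article or of Adobe's advisory: a Python scan that flags PHP files sitting in directories where a stock Magento install keeps no PHP, and recently modified PHP files containing tokens typical of webshells. The directory list, the token list and the sample file tree are assumptions constructed for the demonstration; a hit is a lead for manual review, not proof of compromise.

```python
"""Post-update triage of a Magento docroot: flag PHP files in directories that
should hold no PHP (pub/media, var, tmp: an assumption about a stock install)
and recently modified PHP files carrying webshell-like tokens."""
import os, re, tempfile, time
NO_PHP_PREFIXES = tuple(d + "/" for d in ("pub/media", "var", "tmp"))
# Tokens common in webshells; a hit is a lead for review, not proof of compromise.
SUSPICIOUS = re.compile(rb"eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|"
                        rb"shell_exec\s*\(|passthru\s*\(|\$_(GET|POST|REQUEST)\[")

def scan_magento_root(root, max_age_days=30, now=None):
    """Return sorted (relative_path, reason) pairs worth a manual look."""
    cutoff = (time.time() if now is None else now) - max_age_days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                mtime = os.stat(full).st_mtime
                with open(full, "rb") as fh:
                    head = fh.read(65536)  # first 64 KiB suffices for a signature hit
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
            if rel.startswith(NO_PHP_PREFIXES):
                findings.append((rel, "php-in-no-php-dir"))
            if mtime >= cutoff and SUSPICIOUS.search(head):
                findings.append((rel, "recent-and-suspicious-tokens"))
    return sorted(findings)

def build_demo_tree(root):
    """Write a constructed sample docroot (not a real store) under root."""
    samples = {  # relative path: file content
        "app/code/Acme/Demo/Helper/Data.php": b"<?php\nclass Data {}\n",  # clean, not flagged
        "pub/media/wysiwyg/cache.php": b"<?php // constructed placeholder\n",  # wrong place
        "pub/errors/sample_dropped.php":  # fresh file with dropper-like tokens in a comment
            b"<?php // constructed: eval( base64_decode( tokens only\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

def demo():
    with tempfile.TemporaryDirectory() as root:  # run over the constructed tree
        build_demo_tree(root)
        return scan_magento_root(root)
```

Run it against the real docroot with scan_magento_root("/path/to/magento"); every path it returns should be explained by a known deployment or inspected by hand.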
WordPress – millions of attacks in a few days
On the other hand, WordPress, which remains the most widespread platform for websites, is once again at the center of massive attacks. According to a report by the portal RS Web Solutions, published on October 28, 2025, more than 8.7 million intrusion attempts on WordPress sites worldwide were recorded in just 48 hours. The targets of the attacks were primarily sites with vulnerable plugins GutenKit, Hunk Companion, and a few others that allow malicious code execution without logging in.
These plugins have confirmed vulnerabilities with the labels CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, each with a CVSS severity score of 9.8 out of 10, the highest level of danger. Attackers in these campaigns often install a fake plugin named “up”, which gives them permanent access to the website: file management, settings changes, or adding new administrative accounts. Researchers have linked some attacks to the group UNC5142, which uses the so-called EtherHiding method – hiding malicious code in data flowing through the blockchain. (Mashable has also reported on these attacks.)
In practice, this means that a WordPress site that has not been updated for a few months can become part of a botnet or a platform for spreading further attacks, often without the owner's knowledge. Additionally, due to changes in files, SEO ranking often collapses, as Google quickly recognizes infected sites and removes them from search results.
Regularly updating the core, plugins, and themes, monitoring security notices, and removing unused components are the best defense.
Security is not a one-time task
Attacks like SessionReaper in Magento and the recent wave of attacks on WordPress clearly show that web security is a dynamic process. No system is completely secure – it all depends on how quickly we react to new discoveries and whether protective mechanisms (updates, WAF, security checks) are constantly active. Even smaller web projects can be interesting to attackers, as they often use them as an “entry point” for attacking larger targets.
