Thousands of websites at risk from critical WordPress plugin vulnerability

A critical vulnerability in a third-party plugin installed on more than 70,000 WordPress websites could allow cybercriminals to remotely execute malicious code.

The vulnerability, discovered by security researchers at Wordfence, lurks in a vulnerable version of the wpDiscuz comments plugin and allows hackers to upload arbitrary files to targeted websites, including executable PHP files.

wpDiscuz offers an alternative (and some argue more elegant) way for people to leave comments on blog posts compared to JetPack, Disqus, and WordPress's built-in comment system, and has earned praise from some for its real-time comment handling via Ajax, its comment rating system, and its support for storing comments on the site's local servers rather than on a third-party service.

However, Wordfence researchers told wpDiscuz developers in June that they had found a flaw that, due to a lack of security precautions, allowed unauthenticated users to upload any type of file (including PHP files) alongside a comment.

The issue was found in wpDiscuz version 7, which added a feature allowing users to upload images with their comments. Wordfence discovered that the plugin did not properly verify whether an uploaded file was actually an image, which allowed potentially malicious code to be uploaded.
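As an added illustration, not the plugin's code or Wordfence's fix, this is the kind of content-based check that closes this class of bug: a comment attachment is accepted only when the file name, the client's declared MIME type and the file's own leading bytes all agree on an allow-listed image format, and the stored name is generated server-side rather than taken from the client. The function names and sample inputs are assumptions made for the example.

```python
import os
import secrets

# Image types we accept, keyed by canonical extension, with the magic bytes
# each format must begin with (WebP is a RIFF container and is checked separately).
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MIME_TYPES = {"png": "image/png", "jpg": "image/jpeg", "gif": "image/gif", "webp": "image/webp"}


def detect_image_type(data: bytes):
    """Return the image type implied by the file's own bytes, or None."""
    for ext, magic in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None


def validate_upload(filename: str, data: bytes, declared_mime: str) -> str:
    """Accept a comment attachment only if its name, its declared MIME type and
    its content all agree on an allow-listed image format.  Returns a random
    storage name carrying the *detected* extension, so nothing the client sent
    decides what the file is called on disk.  Raises ValueError otherwise."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    detected = detect_image_type(data)
    if detected is None:
        raise ValueError("content does not start with a known image signature")
    if ext != detected:
        raise ValueError(f"extension .{ext} does not match content ({detected})")
    if declared_mime.lower() != MIME_TYPES[detected]:
        raise ValueError(f"declared type {declared_mime} does not match content")
    # A valid image can still carry script text in its trailing bytes, so the
    # upload directory must additionally be configured not to execute scripts.
    return f"{secrets.token_hex(16)}.{detected}"


def is_valid_image_upload(filename: str, data: bytes, declared_mime: str) -> bool:
    """Boolean wrapper around validate_upload for callers that only need yes/no."""
    try:
        validate_upload(filename, data, declared_mime)
        return True
    except ValueError:
        return False
```

Storing the file under a random name with the detected extension is what removes the client's control over both the file name and the type the web server will assign to it.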

According to Wordfence, a successful attack could leave an attacker in control of every website on the server:

"If exploited, this vulnerability could allow an attacker to execute commands on your server and traverse your hosting account to further infect any sites hosted on the account with malicious code."

wpDiscuz developers initially told Wordfence that the flaw would be fixed in plugin version 7.0.4, which was eventually released on July 20, 2020.

Unfortunately, Wordfence found that update did not sufficiently close the security hole, and a new (properly functioning) version of wpDiscuz was released on July 23, 2020.

Wordfence recommends that all self-hosted WordPress site administrators running the wpDiscuz plugin update to the latest version as a priority.

As Bleeping Computer reports, since the fixed version of wpDiscuz was released, it has been downloaded just over 25,000 times, meaning around 45,000 websites may still be vulnerable.

Hosting your own WordPress site has its benefits, but one of the biggest drawbacks is that the responsibility falls on you to ensure it stays up to date with the latest patches and updates. New vulnerabilities are frequently found in the software and its thousands of third-party plugins, so it is not something you can afford to ignore.

My advice? Enable automatic updates wherever possible.

Left unattended, a website running a self-hosted edition of WordPress can be all too easy for a hacker to exploit. And it will be your company's reputation and your website visitors who stand to suffer serious harm.

Source: Bitdefender, BleepingComputer
