
Thousands of websites at risk from critical WordPress plugin vulnerability

Graham CLULEY

July 29, 2020


A critical vulnerability in a third-party plugin installed on over 70,000 websites running WordPress could allow hackers to execute malicious code remotely.

The vulnerability, discovered by security researchers at Wordfence, hides in a vulnerable version of the wpDiscuz commenting plugin and enables hackers to upload arbitrary files to targeted websites, including executable PHP files.

wpDiscuz offers an alternative (and, some would argue, more stylish) way for people to leave feedback on blog posts than JetPack Comments, Disqus, and WordPress’s own built-in commenting system. It has received praise for its real-time comment handling via Ajax, its comment rating system, and its support for storing comments on the site’s own server rather than on a third-party service.

However, Wordfence’s researchers told wpDiscuz’s developers in June that they had found a flaw which – due to a lack of security precautions – allowed unauthenticated users to attach any type of file (including PHP files) to a comment.

The problem was found in version 7 of wpDiscuz, which added a feature allowing users to upload images alongside their comments. Wordfence discovered that the plugin failed to properly verify whether uploaded files were really images, allowing the upload of potentially malicious code.
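As an added illustration (not the plugin’s code, nor Wordfence’s analysis), here is the kind of content-based check the article says was missing: it verifies that a comment attachment’s bytes actually match the image type its name claims and refuses anything carrying a PHP open tag, then reuses the same check to audit files already sitting in an uploads directory. The extension allowlist and magic-byte table are assumptions made for this example.

```python
import re
from pathlib import Path

# Magic-byte signatures for the image types a comment-upload feature might accept.
# Constructed allowlist for this example; a real deployment tunes it to its needs.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Extensions that common server configs hand to the PHP interpreter.
SCRIPT_EXT_RE = re.compile(r"php\d*|phtml|phar", re.IGNORECASE)

# PHP open tags; a file carrying one must never land in a web-served upload directory,
# even if its header looks like a valid image.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def classify_upload(filename: str, data: bytes) -> str:
    """Return 'ok' or a rejection reason for a file offered as a comment image."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return "reject: no extension"
    # Check every extension segment, not just the last one (e.g. name.php.png).
    if any(SCRIPT_EXT_RE.fullmatch(p) for p in parts[1:]):
        return "reject: script extension in name"
    ext = parts[-1]
    if ext not in IMAGE_SIGNATURES:
        return "reject: extension not in image allowlist"
    # The declared type must agree with the actual bytes, not just the name.
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return "reject: content does not match declared image type"
    if PHP_TAG_RE.search(data):
        return "reject: image bytes contain a PHP open tag"
    return "ok"


def audit_upload_dir(root: str) -> list:
    """Re-run the same check over files already stored (e.g. under wp-content/uploads)."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            verdict = classify_upload(path.name, path.read_bytes())
            if verdict != "ok":
                findings.append((str(path), verdict))
    return findings


if __name__ == "__main__":
    # Constructed sample inputs: a real PNG header, and a PHP file renamed to .png.
    print(classify_upload("photo.png", IMAGE_SIGNATURES["png"] + b"\x00" * 16))
    print(classify_upload("upload.png", b"<?php echo 1; ?>"))
```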

According to Wordfence, a successful attack could leave an attacker with control of every website on the server:

“If exploited, this vulnerability could allow an attacker to execute commands on your server and traverse your hosting account to further infect any sites hosted in the account with malicious code.”

wpDiscuz’s developers initially told Wordfence that the flaw would be fixed in version 7.0.4 of the plugin, which was eventually released on July 20, 2020.

Unfortunately, Wordfence found that the update did not sufficiently patch the security hole, and a new (properly working) version of wpDiscuz was released on July 23, 2020.

Wordfence recommends that all administrators of self-hosted WordPress-powered websites that are running the wpDiscuz plugin update to the latest version as a matter of priority.

As Bleeping Computer reports, since the fixed version of wpDiscuz was released it has been downloaded just over 25,000 times – meaning some 45,000 websites may still be vulnerable.

Self-hosting your WordPress site has its benefits, but one of the biggest downsides is that the onus is much more on you to ensure it is kept updated with the latest patches and updates. New vulnerabilities are frequently found in the software and its many thousands of third-party plugins – so it’s not something that you can afford to ignore.

My advice? Enable automatic updates wherever possible.

Left unattended, a website running a self-hosted edition of WordPress can be all too easy for a hacker to exploit. And it will be your brand, and the visitors to your website, who will be running the risk of serious harm.
