A critical vulnerability has been identified in a WordPress plugin installed across more than 80,000 websites.
Discovered by researchers at security firm Wordfence, the bug is present in WordPress plugin wpDiscuz (versions 7.0.0 to 7.0.4), used by administrators to integrate a comments section into their websites.
The bug could reportedly allow hackers to remotely execute code on a vulnerable website’s servers, take control of the hosting account and inject malicious code into other sites managed by the same entity.
As such, it has been assigned a maximum severity score of 10/10 as per the Common Vulnerability Scoring System (CVSS).
WordPress plugin vulnerability
The WordPress plugin vulnerability first surfaced with wpDiscuz version 7.0.0, which introduced a facility that allows users to attach images to comments.
Although the feature was intended to allow for image uploads only, the file type verification process could be easily circumvented, allowing hackers to upload any file of their choosing and sow the seed for account takeover.
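The article does not say how the plugin's own check worked, only that the declared file type could be faked. The added example below (illustrative Python, not code from wpDiscuz or Wordfence) shows the defensive principle: accept an "image" upload only when the extension, the file's leading magic bytes and the body all agree, and reuse the same check to scan an existing upload directory for files that should never have been accepted. The accepted types, the blocked extensions, the code markers and the sample files are all assumptions constructed for the demonstration.

```python
import os
from pathlib import Path

# Magic-byte signatures for the only image types the comment-attachment feature is meant to accept
# (assumed allowlist; tighten to what the site actually needs).
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Extensions that must not appear anywhere in an uploaded filename, so that
# double extensions such as photo.php.png are rejected as well (assumed list).
SERVER_SIDE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Byte patterns whose presence inside an otherwise valid image indicates embedded
# server-side code (a "polyglot" file); assumed markers.
CODE_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_image_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Name and bytes must both match one allowed image type."""
    parts = Path(filename).name.lower().split(".")   # strip any directory component first
    if len(parts) < 2:
        return False, "no extension"
    ext = parts[-1]
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension .{ext} not allowed"
    if any(p in SERVER_SIDE_EXTENSIONS for p in parts[1:]):
        return False, "server-side extension in filename"
    if not any(content.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, "content does not match declared image type"
    if any(marker in content for marker in CODE_MARKERS):
        return False, "embedded script marker found"
    return True, "ok"


def scan_upload_dir(root: str) -> list[tuple[str, str]]:
    """Walk an upload directory and list (path, reason) for every file that fails validation.
    Useful when checking a site that ran an unpatched version before the update was applied."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                content = fh.read()
            ok, reason = validate_image_upload(name, content)
            if not ok:
                findings.append((path, reason))
    return findings


# Constructed sample uploads: two legitimate images and four files a content-based check must reject.
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_UPLOADS = {
    "photo.png": PNG,
    "avatar.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "notes.php": b"<?php /* constructed marker, not a real script */ ?>",
    "photo.php.png": PNG,                                   # double extension, valid PNG bytes
    "fake.png": b"<?php /* constructed marker */ ?>",       # image extension, non-image bytes
    "polyglot.gif": b"GIF89a" + b"\x00" * 8 + b"<?php /* constructed marker */ ?>",
}


def demo() -> dict[str, str]:
    """Write the constructed samples to a temporary directory, scan it and return {filename: reason}."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in SAMPLE_UPLOADS.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return {os.path.basename(path): reason for path, reason in scan_upload_dir(tmp)}


if __name__ == "__main__":
    for name, reason in sorted(demo().items()):
        print(f"REJECT {name}: {reason}")
```

The check deliberately ignores the client-supplied MIME type entirely, since that is the value an attacker controls; the rejection reason is returned rather than logged so the same function can serve both the upload path and an after-the-fact scan of the upload directory.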
“This flaw [gives] unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server,” explained Wordfence in a blog post.
“If exploited, this vulnerability could allow an attacker to traverse your hosting account to further infect any sites hosted in the account with malicious code. This would effectively give the attacker complete control over every site on your server.”
Wordfence first informed wpDiscuz developers of the vulnerability on June 19. After a failed attempt to resolve the issue with version 7.0.4, a full patch was released on July 23 with version 7.0.5.
The update has been downloaded circa 25,000 times since it was published, but this means roughly 55,000 WordPress websites remain at risk. To shield against attack, users of the wpDiscuz plugin are advised to install the latest version immediately.