70,000+ WordPress Sites Affected by Critical Plug-in Flaw

Published: 23/11/2024   Category: security



A vulnerability in the wpDiscuz plug-in could let attackers remotely execute code on the servers of affected websites.



A critical security flaw in wpDiscuz, a WordPress plug-in, could enable cybercriminals to remotely execute malicious code on vulnerable website servers. The bug has a CVSS score of 10.0.
wpDiscuz is an Ajax real-time comment system that lets site owners keep their visitors' comments in their own database. The plug-in, billed as an alternative to Disqus and Jetpack Comments, has more than 70,000 users. It comes with multiple layouts, an interactive comment box, and other features.
In a recent version of the plug-in, wpDiscuz added an option for users to include image attachments in their comments. Its implementation lacked security protections and created a critical flaw that allowed attackers to upload arbitrary files, including PHP files, explains Chloe Chamberland of Wordfence, the security company that discovered the vulnerability, in a blog post.
Attackers could add image-identifying features to files in order to pass the file content verification check. If successful, they could achieve remote code execution on a vulnerable website's server and traverse the hosting account to infect other websites hosted in the same account as the one where the malicious code was uploaded.
"This would effectively give the attacker complete control over every site on your server," Chamberland writes. The vulnerability was discovered in June and reported to the wpDiscuz team, which issued a fix in version 7.0.5 on July 23.
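The bypass described above works because a check that only looks for image-identifying bytes accepts a file that starts like an image but also carries server-side code. As an added example (not Wordfence's or wpDiscuz's code), the validator below layers the checks a defender would want on comment attachments: an image extension allowlist that also rejects executable extensions anywhere in the name, magic bytes that must match the declared extension, and a scan for embedded code markers. All sample files are constructed inline.

```python
import re

# Image extensions accepted for attachments and the magic bytes each must start with (constructed allowlist).
ALLOWED_SIGNATURES = {
    "jpg":  [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "gif":  [b"GIF87a", b"GIF89a"],
}

# Executable extensions are rejected anywhere in the name, not only as the final suffix,
# so a name such as "photo.php.gif" is refused even though it ends in an allowed extension.
EXECUTABLE_EXT = re.compile(r"\.(php\d?|phtml|phar|pht|shtml|cgi|pl|htaccess)(\.|$)", re.IGNORECASE)

# Server-side code markers that never belong inside a legitimate image file.
CODE_MARKERS = [b"<?php", b"<?=", b"<script"]


def validate_image_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, reason). Every layer must pass for the file to be accepted."""
    if "/" in filename or "\\" in filename or "\x00" in filename:
        return False, "path separator or null byte in filename"
    if EXECUTABLE_EXT.search(filename):
        return False, "executable extension in filename"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension '{ext}' not in image allowlist"
    # Magic bytes alone are not sufficient (a file can start like a GIF and still carry code),
    # but they must at least agree with the extension the uploader declared.
    if not any(content.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, "magic bytes do not match declared extension"
    lowered = content.lower()
    for marker in CODE_MARKERS:
        if marker in lowered:
            return False, f"embedded code marker {marker!r}"
    return True, "ok"


# Constructed samples: a plain GIF header, the same header with a harmless PHP tag appended,
# a double extension, and a mismatched extension.
SAMPLES = {
    "avatar.gif":     b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 16,
    "avatar.php.gif": b"GIF89a" + b"\x00" * 16,
    "notes.gif":      b"GIF89a<?php /* placeholder */ ?>",
    "photo.jpg":      b"GIF89a" + b"\x00" * 16,
}


def scan_samples() -> dict:
    """Run every constructed sample through the validator and return its rejection reason (or 'ok')."""
    return {name: validate_image_upload(name, data)[1] for name, data in SAMPLES.items()}
```

Only the first sample is accepted; the other three are each stopped by a different layer, which is the point of not relying on a single content-sniffing check.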
Read more details in the Wordfence disclosure here.

Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.
