70,000+ WordPress Sites Affected by Critical Plug-in Flaw

Published: 23/11/2024   Category: security


A vulnerability in the wpDiscuz plug-in could let attackers remotely execute code on the servers of affected websites.



A critical security flaw in wpDiscuz, a WordPress plug-in, could enable cybercriminals to remotely execute malicious code on vulnerable website servers. The bug has a CVSS score of 10.0.
wpDiscuz is an Ajax real-time comment system that stores comments in the site's own WordPress database rather than on a third-party service. The plug-in, billed as an alternative to Disqus and Jetpack Comments, is installed on more than 70,000 sites. It comes with multiple layouts, an interactive comment box, and other features.
In a recent version of the plug-in, wpDiscuz added an option for users to attach images to their comments. The implementation's file-type checks were insufficient, creating a critical flaw that allowed attackers to upload arbitrary files, including PHP files, explains Chloe Chamberland of Wordfence, the security company that discovered the vulnerability, in a blog post.
Because the check inspected file content rather than enforcing a safe file name and type, attackers could prepend image-identifying bytes (such as an image file header) to a PHP file so that it passed the content verification check. If successful, they could achieve remote code execution on the vulnerable website's server and traverse the hosting account to infect other websites hosted in the same account.
"This would effectively give the attacker complete control over every site on your server," Chamberland writes. The vulnerability was discovered in June and reported to the wpDiscuz team, which issued a fix in version 7.0.5 on July 23.
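To make the bypass and the fix concrete, here is an added Python example. It is not wpDiscuz's code and not a reconstruction of its actual check: it pairs a stand-in upload check that trusts content sniffing alone with a hardened check that requires an allow-listed extension agreeing with the sniffed content, rejects executable extensions anywhere in the name, refuses files containing a PHP open tag, and never stores the client-supplied name. The image/PHP polyglot and the "real" GIF are constructed sample inputs, and the set of executable extensions assumes a typical Apache/PHP configuration.

```python
"""
Added example (not wpDiscuz code): a content-sniffing upload check
beside a hardened one, exercised with a constructed image/PHP polyglot.
"""
import re
import secrets

# Leading bytes that common image-sniffing routines key on.
IMAGE_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Extensions the hardened check accepts, mapped to the sniffed type
# the file content must agree with.
ALLOWED_EXT = {"gif": "gif", "png": "png", "jpg": "jpeg", "jpeg": "jpeg"}

# Extensions a web server may hand to the PHP interpreter (assumption:
# a typical Apache/mod_php or PHP-FPM setup; adjust to the real server).
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

PHP_OPEN_TAG = re.compile(rb"<\?(php|=)?", re.IGNORECASE)


def sniff_image_type(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for kind, magics in IMAGE_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def vulnerable_accept(filename: str, data: bytes) -> bool:
    """Stand-in for a check that trusts the sniffed content and nothing else.
    The file name, and so the extension the server will execute, is ignored."""
    return sniff_image_type(data) is not None


def hardened_accept(filename: str, data: bytes) -> bool:
    """Require an allow-listed extension that agrees with the content, no
    executable extension anywhere in the name, and no PHP open tag."""
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False                       # no path tricks or null-byte truncation
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False                       # no extension, or a dotfile
    ext, inner = parts[-1], parts[1:-1]
    if ext not in ALLOWED_EXT or any(p in EXECUTABLE_EXT for p in inner):
        return False                       # shell.php or shell.php.gif
    if sniff_image_type(data) != ALLOWED_EXT[ext]:
        return False                       # extension and content disagree
    if PHP_OPEN_TAG.search(data):
        return False                       # image/PHP polyglot
    return True


def stored_name(filename: str) -> str:
    """Never keep the client's name: server-generated name, vetted extension."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"


def make_polyglot(php_source: bytes) -> bytes:
    """Constructed sample: a GIF header glued to PHP source. Sniffing says
    'gif'; a PHP interpreter treats the six header bytes as inline text and
    runs whatever follows the open tag."""
    return b"GIF89a" + php_source


POLYGLOT = make_polyglot(b"<?php echo 'polyglot'; ?>")   # harmless payload
REAL_GIF = b"GIF89a" + bytes(20)                         # constructed: header plus filler


if __name__ == "__main__":
    for name, data in [("shell.php", POLYGLOT), ("shell.php.gif", POLYGLOT),
                       ("photo.gif", REAL_GIF), ("photo.png", REAL_GIF)]:
        print(f"{name:16} vulnerable={vulnerable_accept(name, data)!s:5} "
              f"hardened={hardened_accept(name, data)}")
```

The open-tag scan is a heuristic, not a guarantee: the robust fix is to re-encode every accepted image with an image library so that only pixel data survives, store uploads under a server-generated name, and serve them from a directory where script execution is disabled.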
Read more details in the Wordfence disclosure.
Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website, where conference information and registration details are available.




