TechTronBlog.com
Thousands of websites at risk from critical WordPress commenting plugin vulnerability

zadmin August 17, 2020

A critical vulnerability in a third-party plugin installed on over 70,000 websites running WordPress could allow hackers to execute malicious code remotely.

The vulnerability, discovered by security researchers at Wordfence, hides in a vulnerable version of the wpDiscuz commenting plugin and enables hackers to upload arbitrary files to targeted websites, including executable PHP files.

wpDiscuz offers an alternative (and, some would argue, more stylish) way for people to leave feedback on blog posts than JetPack Comments, Disqus, and WordPress’s own built-in commenting system. It has been praised for its real-time handling of comments through Ajax, its comment rating system, and its support for storing comments on the site’s own server rather than on a third-party service.

However, Wordfence’s researchers told wpDiscuz’s developers in June that they had found a flaw which, because of missing security checks, allowed unauthenticated users to attach any type of file (including PHP files) to a comment.

The problem was found in version 7 of wpDiscuz, which added a feature allowing users to upload images alongside their comments. However, Wordfence discovered that the plugin failed to verify that an uploaded file really was an image, so potentially malicious code could be uploaded in its place.
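The following is an added illustration, not wpDiscuz’s own code and not Wordfence’s analysis of it. It contrasts the kind of check that decides from the uploaded name or the client-declared type (the general shape of the failure described above) with one that decides from the file’s own bytes and re-encodes it before storing. The function names, the `comment_image` form field and the `uploads` directory are assumptions.

```php
<?php
// Added example (hypothetical code, not from wpDiscuz): validating an image
// upload by content rather than by name or client-declared type.

// Weak: trusts pathinfo() on the client-supplied name and the client-supplied
// $_FILES[...]['type']. Both are attacker-controlled, so a PHP script sent with
// an image name or an "image/png" type is accepted as an image.
function weak_is_image(array $file): bool
{
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)
        || strpos($file['type'], 'image/') === 0;
}

// Allowlist keyed by the MIME type detected from content. The stored extension
// comes from this table, never from the uploaded filename.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Hardened: returns the stored filename on success or null if the file is
 * rejected. $tmp_path is the temporary upload; $dest_dir should be a directory
 * in which the web server does not execute PHP, or one outside the web root.
 */
function store_validated_image(string $tmp_path, string $dest_dir): ?string
{
    // 1. Detect the MIME type from the file's magic bytes, not from the client.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = $finfo ? finfo_file($finfo, $tmp_path) : false;
    if ($finfo) {
        finfo_close($finfo);
    }
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }

    // 2. Cross-check with the image parser: a real image has dimensions and
    //    reports the same MIME type; a PHP script has neither.
    $info = @getimagesize($tmp_path);
    if ($info === false || ($info['mime'] ?? '') !== $mime) {
        return null;
    }

    // 3. Re-encode through GD (requires the gd extension). Only pixel data
    //    survives, so code hidden inside an otherwise valid image is dropped.
    $img = @imagecreatefromstring((string) file_get_contents($tmp_path));
    if ($img === false) {
        return null;
    }

    // 4. Store under a random name with an extension taken from the allowlist.
    $ext  = ALLOWED_IMAGE_TYPES[$mime];
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dest_dir, '/') . '/' . $name;
    switch ($ext) {
        case 'jpg': $ok = imagejpeg($img, $dest, 90); break;
        case 'png': $ok = imagepng($img, $dest);      break;
        default:    $ok = imagegif($img, $dest);      break;
    }
    imagedestroy($img);
    return $ok ? $name : null;
}

// Example call from a request handler (field name "comment_image" is assumed).
if (isset($_FILES['comment_image'])
    && is_uploaded_file($_FILES['comment_image']['tmp_name'])) {
    $stored = store_validated_image(
        $_FILES['comment_image']['tmp_name'],
        __DIR__ . '/uploads'
    );
    if ($stored === null) {
        http_response_code(400);
        echo 'Only JPEG, PNG or GIF images are accepted.';
    }
}
```

Re-encoding is what makes the difference: a name or extension check can be satisfied by renaming, and a magic-byte check can be satisfied by a file that is a valid image and also contains code, whereas GD writes out a fresh image containing nothing but pixels. The cost is that animated GIFs lose their animation, which is usually acceptable for comment attachments. Disabling PHP execution in the upload directory at the web-server level is an independent second layer that still protects the site if the validator is bypassed.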

According to Wordfence, a successful attack could leave an attacker with control of every website on the server:

“If exploited, this vulnerability could allow an attacker to execute commands on your server and traverse your hosting account to further infect any sites hosted in the account with malicious code.”

wpDiscuz’s developers initially told Wordfence that the flaw would be fixed in version 7.0.4 of the plugin, which was eventually released on July 20 2020.

Unfortunately, Wordfence found that this update did not sufficiently patch the security hole, and a new (properly working) version of wpDiscuz was released on July 23 2020.

Wordfence recommends that all administrators of self-hosted WordPress-powered websites that are running the wpDiscuz plugin update to the latest version as a matter of priority.

As Bleeping Computer reports, since the fixed version of wpDiscuz was released it has been downloaded just over 25,000 times – meaning some 45,000 websites may still be vulnerable.

Self-hosting your WordPress site has its benefits, but one of the biggest downsides is that the onus is much more on you to ensure it is kept updated with the latest patches and updates. New vulnerabilities are frequently found in the software and its many thousands of third-party plugins – so it’s not something that you can afford to ignore.

My advice? Enable automatic updates wherever possible.
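One way to act on that advice for a self-hosted site, as an added example that is not part of the original article: a must-use plugin that switches on WordPress’s own automatic updater for every plugin and theme. The filters used are real WordPress core filters; the file name and location are the standard mu-plugins convention.

```php
<?php
/**
 * Plugin Name: Force automatic updates (added example, not from the article)
 *
 * Save as wp-content/mu-plugins/force-auto-updates.php. Files in that
 * directory are loaded on every request and cannot be deactivated from the
 * dashboard, so the setting survives a careless click.
 */

// Install every plugin and theme update as soon as WordPress sees it.
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');

// Allow major core releases too, not only minor and security point releases.
add_filter('allow_major_auto_core_updates', '__return_true');
```

Two caveats a practitioner will want: the updater runs from WP-Cron, so a site with no visitors (or with `DISABLE_WP_CRON` set and no system cron calling `wp-cron.php`) will not update on its own, and the constants `AUTOMATIC_UPDATER_DISABLED` and `DISALLOW_FILE_MODS`, if defined in `wp-config.php`, override these filters entirely. Automatic updates also only help with plugins that are still maintained; a plugin that nobody patches has to be removed, not updated.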

Left unattended, a website running a self-hosted edition of WordPress can be all too easy for a hacker to exploit. And it will be your brand, and the visitors to your website, who will be running the risk of serious harm.

Copyright © 2021 TechTronBlog.com