A critical vulnerability in a third-party plugin installed on over 70,000 websites running WordPress could allow hackers to execute malicious code remotely.
The vulnerability, discovered by security researchers at Wordfence, hides in a vulnerable version of the wpDiscuz commenting plugin and enables hackers to upload arbitrary files to targeted websites, including executable PHP files.
wpDiscuz offers an alternative (and some would argue more stylish) way for people to leave feedback on blog posts than JetPack Comments, Disqus, and WordPress’s own built-in commenting system, and has received praise from some for its handling of comments in real-time through Ajax, comment rating system, and its support for storing comments on the site’s local servers rather than on a third-party service.
However, Wordfence’s researchers told wpDiscuz’s developers in June that it had found a flaw, which – due to a lack of security precautions – allowed unauthenticated users to upload to a comment any type of file (including PHP files).
The problem was found in version 7 of wpDiscuz which added a feature allowing users to upload images alongside their comments. However, Wordfence discovered that there was a failure to properly identify if uploaded files were really images or not, allowing the upload of potentially malicious code.
According to Wordfence, a successful attack could leave an attacker with control of every website on the server:
“If exploited, this vulnerability could allow an attacker to execute commands on your server and traverse your hosting account to further infect any sites hosted in the account with malicious code.”
wpDiscuz’s developers initially told Wordfence that the flaw would be fixed in version 7.0.4 of the plugin, which was eventually released on July 20 2020.
Unfortunately, Wordfence found that that update did not sufficiently patch the security hole, and a new (properly working) version of wpDiscuz was released on July 23 2020.
Wordfence recommends that all administrators of self-hosted WordPress-powered websites that are running the wpDiscuz plugin update to the latest version as a matter of priority.
As Bleeping Computer reports, since the fixed version of wpDiscuz was released it has been downloaded just over 25,000 times – meaning some 45,000 websites may still be vulnerable.
Self-hosting your WordPress site has its benefits, but one of the biggest downsides is that the onus is much more on you to ensure it is kept updated with the latest patches and updates. New vulnerabilities are frequently found in the software and its many thousands of third-party plugins – so it’s not something that you can afford to ignore.
My advice? Enable automatic updates wherever possible.
Left unattended, a website running a self-hosted edition of WordPress can be all too easy for a hacker to exploit. And it will be your brand, and the visitors to your website, who will be running the risk of serious harm.