WordPress plugin vulnerability puts thousands of websites at risk. A critical vulnerability in a third-party plugin installed on more than 70,000 WordPress websites can allow attackers to remotely execute malicious code. The flaw, discovered by Wordfence security researchers, lies in a vulnerable version of the wpDiscuz comments plugin and allows attackers to upload arbitrary files to a target website, including executable PHP files.
wpDiscuz offers an alternative (some would say a more elegant one) to Jetpack, Disqus, and WordPress's built-in comment system for leaving comments on blog posts. It has been praised for its real-time comment handling through Ajax, its comment rating system, and its support for storing comments on the site's own server instead of with a third-party service.
In June, Wordfence researchers told the wpDiscuz developers that they had found a bug which, because of inadequate file-type validation, allowed unauthenticated users to attach any type of file to a comment, including PHP files.
According to Wordfence, a successful attack can let an attacker take over every site hosted on the same hosting account:
“If exploited, this vulnerability could allow an attacker to execute commands on your server and bypass your hosting account to infect any site hosted on the account with malicious code.”
The wpDiscuz developers initially told Wordfence that the bug would be fixed in version 7.0.4 of the plugin, which was eventually released on July 20, 2020.
Unfortunately, Wordfence found that this update did not fully fix the vulnerability, and wpDiscuz released a further, corrected version on July 23, 2020.
Wordfence recommends that all administrators of self-hosted WordPress sites running the wpDiscuz plugin treat updating to the latest version as a priority.
Self-hosting WordPress has its benefits, but one of its biggest drawbacks is that the burden of keeping up with the latest patches and updates falls heavily on you. New vulnerabilities in WordPress itself and in its thousands of third-party plugins are found all the time, and you cannot afford to ignore them.
Left unattended, a self-hosted WordPress site becomes an easy target that attackers will readily take advantage of, and it is your brand and your site's visitors who are then at risk of serious harm.