A patch has been issued for a WordPress plugin that had a severe vulnerability. The plugin, wpDiscuz, is used to allow an interactive comments section on websites created and maintained with WordPress, and it was investigated by WordPress security experts at Wordfence. What they found, as described in a research blog post, was a critical arbitrary file upload vulnerability. According to the Wordfence researchers, the vulnerability was introduced in a recent update to the plugin, before the fixed wpDiscuz version (7.0.5). This is far from the first time a critical WordPress vulnerability has been uncovered.
The critical arbitrary file upload vulnerability rates as a 10 (the highest score possible) on the Common Vulnerability Scoring System (CVSS) because it allows remote code execution. A more in-depth description of the wpDiscuz vulnerability, and an example of an actual attack, can be found in the excerpt below from the Wordfence post:
This made it possible for attackers to create any file type and add image identifying features to files to pass the file content verification check. A PHP file attempting to bypass this verification could look something like this in a request:
------WebKitFormBoundaryXPeRFAXCS9qPc2sB
Content-Disposition: form-data; name="wmu_files"; filename="myphpfile.php"
Content-Type: application/php

‰PNG
The file path location was returned as part of the request’s response, allowing a user to easily find the file’s location and access the file once it was uploaded to the server. This meant that attackers could upload arbitrary PHP files and then access those files to trigger their execution on the server, achieving remote code execution.
As noted above, the fix arrived in version 7.0.5 of wpDiscuz. Wordfence disclosed the issue to the plugin developer toward the end of June. After a couple of attempts, the issue was fixed in the most current patch. In a comment to various cybersecurity media, wpDiscuz developers stated that you are safe if you use either version 7.0.5 or the most current version of the plugin (7.0.6). Conversely, researchers confirmed that versions 7.0.0 to 7.0.4 are all vulnerable to this flaw.
If you have not patched wpDiscuz already, do so immediately. Now that cybercriminals have in-depth knowledge of the flaw, they will exploit it on unpatched versions of the wpDiscuz plugin.
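As a follow-up to patching, here is an added example (not code from Wordfence or the wpDiscuz developers): a Python triage script that walks an upload directory and flags files matching the pattern in the excerpt, a script extension on a file that begins with image magic bytes. It also flags image files that contain a PHP open tag, which goes beyond the case the page describes; the extension list, function names and sample tree are assumptions constructed for the demonstration.

```python
import os
import tempfile

# Signatures a header-only content check would accept as "image".
IMAGE_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")
# Assumed list of extensions a PHP handler may execute; match it to your server config.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar", ".pht"}

def classify(path):
    """Return why a file in an upload directory is suspicious, or None."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(65536)  # header plus enough body to spot an open tag
    has_magic = head.startswith(IMAGE_MAGIC)
    if ext in SCRIPT_EXTS:
        return "script extension with image signature" if has_magic else "script extension"
    if has_magic and b"<?php" in head.lower():
        return "image file containing a PHP open tag"
    return None

def scan_uploads(root):
    """Walk root and map relative path -> reason for every suspicious file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                reason = classify(full)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if reason:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = reason
    return findings

def demo():
    """Build a constructed upload tree in a temp dir and scan it."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    samples = {  # constructed sample files, inert content only
        "2020/07/avatar.png": png,
        "2020/07/myphpfile.php": b"\x89PNG\n<?php /* inert */ ?>",
        "2020/07/banner.png": png + b"<?php /* inert */ ?>",
        "2020/07/notes.txt": b"plain text",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_uploads(root)
```

On a real site, pass `scan_uploads()` the WordPress uploads directory (`wp-content/uploads` by default) and review every hit by hand before deleting anything.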