Critical bug in wpDiscuz add-on has now been patched
UPDATED A critical vulnerability in a WordPress plugin with more than 80,000 active installations allowed unauthenticated attackers to take full control of a target website.
The security flaw, present in wpDiscuz comment plugin, enabled attackers to upload arbitrary files in order to achieve remote code execution (RCE) on a vulnerable site’s backend server.
The wpDiscuz plugin is used to create responsive comment areas on WordPress sites, researchers from Wordfence, who discovered the bug, explained in a blog post.
In the latest version of the web extension, users were able to add images to comments – however, this feature was not shipped with the proper security protections.
The file type verification relied on MIME type detection functions whose result could be spoofed, so the check could be bypassed. This allowed a malicious actor to upload any file type, including PHP files.
“Any file type could easily be spoofed to look like an allowed file type and pass this check,” the Wordfence researchers said.
The file path location was returned as part of the request’s response, meaning that the malicious actor could locate the file once it was uploaded to the server.
Therefore, if the attacker uploaded a booby-trapped PHP file, they could then request it from the server, triggering remote code execution and handing them full control over every site on the server.
Chloe Chamberland, who discovered the bug, told The Daily Swig: “The vulnerability was discovered while I was doing checks in several WordPress plugins’ import and upload functionalities.
“Once I found some code that looked like it could be problematic, I installed the plugin and took a black box approach to discovering the plugin and its normal functionality.
“That’s when I discovered the ‘image’ upload functionality and investigated it further only to discover it would accept PHP files masked slightly to look like an image file.”
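To make the weak check and its fix concrete, here is an added PHP example (not wpDiscuz or Wordfence code) that runs a constructed image-header-plus-PHP file through a MIME-sniff-only check of the kind the article describes, then through a hardened validator that allowlists the extension, re-encodes the image with GD and stores it under a server-chosen name without returning the path. It assumes the fileinfo and GD extensions are available; the sample bytes, file names and temporary directory are constructed for the example.

```php
<?php
// Added example (not wpDiscuz/Wordfence code); sample bytes, names and temp dir are constructed.
// Weak check, modelled on the pattern the article describes: trust only the sniffed MIME type.
// libmagic decides "image/gif" from the leading header bytes, so PHP source after them is ignored.
function weak_is_allowed_image(string $bytes): bool
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return in_array($finfo->buffer($bytes), ['image/gif', 'image/png', 'image/jpeg'], true);
}
// Hardened validator for an image-only endpoint: returns the server-chosen filename on
// success, null on rejection. The caller must not echo the storage path back to the client.
function hardened_store_image(string $bytes, string $clientName, string $storageDir): ?string
{
    $allowed = ['gif' => 'image/gif', 'png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg'];
    // 1. Extension allowlist on the client name; .php, .phtml, .phar and similar never pass.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }
    // 2. Sniffed content type must agree with the extension (WordPress core offers
    //    wp_check_filetype_and_ext() for this step); a mismatch means one of them is lying.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->buffer($bytes) !== $allowed[$ext]) {
        return null;
    }
    // 3. Decode and re-encode with GD so only pixel data survives: PHP source appended to a
    //    real image is dropped, and a header-only file that is not a decodable image is rejected.
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return null;
    }
    // 4. Random server-chosen name with a fixed extension; the client name is never reused.
    $name = bin2hex(random_bytes(16)) . '.' . ($ext === 'jpeg' ? 'jpg' : $ext);
    $path = rtrim($storageDir, '/') . '/' . $name;
    $ok = match ($ext) {
        'gif'   => imagegif($img, $path),
        'png'   => imagepng($img, $path),
        default => imagejpeg($img, $path, 90),
    };
    imagedestroy($img);
    return $ok ? $name : null;
}
// Constructed sample: an image header followed by PHP source, the "masked" file the article describes.
$masked = "GIF89a" . "<?php echo 'not an image'; ?>";
var_dump(weak_is_allowed_image($masked));
var_dump(hardened_store_image($masked, 'avatar.gif', sys_get_temp_dir()));
// A genuine 1x1 GIF (constructed) should pass every step and be stored under a random name.
$real = base64_decode('R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==');
var_dump(hardened_store_image($real, 'avatar.gif', sys_get_temp_dir()));
```

Compare the two verdicts on `$masked`: the sniff-only check sees a GIF, while the hardened path rejects it because the bytes do not decode as an image.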
The vulnerability has been fixed in version 7.0.5. Download data suggests, however, that at least 50% of installations are still vulnerable.
Users are urged to update to the latest version.
Chamberland added: “There are serious implications for vulnerable users. This vulnerability requires no authentication so anyone can exploit it.
“Along with that, the vulnerability can be exploited to achieve remote code execution so site users can easily go from having no permission to a full backstage pass into the site’s hosting account. It’s very important that users update their sites ASAP.”
This article has been updated to include comment from Wordfence.