Critical WordPress plugin bug lets hackers take over hosting account

Hackers can exploit a maximum severity vulnerability in the wpDiscuz plugin installed on over 70,000 WordPress sites to execute code remotely after uploading arbitrary files on servers hosting vulnerable sites.

wpDiscuz is a WordPress plugin marketed as an alternative to Disqus and Jetpack Comments; it provides an Ajax real-time comment system that stores comments in the site's local database.

The plugin comes with support for multiple comment layouts, inline commenting and feedback, as well as a post rating system and multi-level (nested) comment threads.

Arbitrary file upload bug leading to site takeovers

The vulnerability was reported to wpDiscuz’s developers by Wordfence’s Threat Intelligence team on June 19 and was fully patched with the release of version 7.0.5 on July 23, after a failed attempt to fix the issue in version 7.0.4.

According to Wordfence threat analyst Chloe Chamberland, the security flaw is rated as critical severity with a CVSS base score of 10/10.

While wpDiscuz was designed to allow only image attachments, the file MIME type detection functions that unpatched versions of the plugin use to verify file types fail to block users from uploading arbitrary files, including PHP files.

Function used to verify allowed file types (Wordfence)

Once the file is uploaded to a vulnerable site’s hosting server, the attacker receives its path in the request’s response, which makes it easy to request the file, trigger its execution on the server, and achieve remote code execution (RCE).
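As an added illustration (not code from wpDiscuz, Wordfence, or this article), the following Python model contrasts the two kinds of upload check the paragraphs above describe: a signature-only MIME sniff that a script file carrying an image header slips past, and a stricter validator that allow-lists the extension, parses the PNG chunk structure end to end, and assigns a server-generated filename so the caller never learns or controls where the file lands. The sample files are constructed inline; only PNG is structurally checked here, and each further image type a real endpoint accepts would need its own parser.

```python
"""Added illustration, not the plugin's code: why sniffing the first bytes of an
upload does not keep scripts out of an image-only endpoint, and what a stricter
validator looks like. Every sample file in this module is constructed here."""
import secrets
import struct
import zlib
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def sniff_mime(contents: bytes) -> Optional[str]:
    """Signature-only detection: looks at the leading bytes and nothing else."""
    if contents.startswith(PNG_SIGNATURE):
        return "image/png"
    if contents.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if contents[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    return None


def weak_is_allowed(filename: str, client_mime: str, contents: bytes) -> bool:
    """Weak check: accepts when either the browser-declared Content-Type or the
    sniffed type is an image. The filename (and so its extension) is ignored,
    which is the flaw: 'avatar.php' with a PNG header is accepted and stored
    under the name the uploader chose."""
    allowed = {"image/png", "image/jpeg", "image/gif"}
    return client_mime in allowed or sniff_mime(contents) in allowed


def png_is_well_formed(contents: bytes) -> bool:
    """Walk every PNG chunk (length, type, data, CRC), require IHDR first and
    IEND last, verify each CRC, and reject any bytes after IEND. A file that is
    only an 8-byte signature followed by script text fails on the first chunk."""
    if not contents.startswith(PNG_SIGNATURE):
        return False
    pos = len(PNG_SIGNATURE)
    first = True
    while True:
        if pos + 8 > len(contents):
            return False  # truncated before a complete chunk header
        length, ctype = struct.unpack(">I4s", contents[pos:pos + 8])
        data = contents[pos + 8:pos + 8 + length]
        crc_bytes = contents[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc_bytes) != 4:
            return False  # declared length runs past the end of the file
        if zlib.crc32(ctype + data) != struct.unpack(">I", crc_bytes)[0]:
            return False  # corrupted or hand-crafted chunk
        if first and (ctype != b"IHDR" or length != 13):
            return False
        first = False
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(contents)  # trailing payload after IEND is rejected


# Only types with a structural validator belong on the allow-list.
ALLOWED_EXTENSIONS = {"png": "image/png"}


def hardened_accept(filename: str, contents: bytes) -> Optional[str]:
    """Stricter check. Returns a server-generated storage name, or None when the
    upload is rejected. The client-declared Content-Type is never consulted.
    The returned name is what the server stores internally; the HTTP response
    should carry an opaque identifier, not a filesystem path."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return None  # .php, .phtml, extension-less names all end here
    if sniff_mime(contents) != ALLOWED_EXTENSIONS[ext]:
        return None  # signature disagrees with the extension
    if not png_is_well_formed(contents):
        return None  # signature present but the body is not a PNG
    return secrets.token_hex(16) + "." + ext


def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = struct.pack(">I", zlib.crc32(ctype + data))
    return struct.pack(">I", len(data)) + ctype + data + crc


def build_minimal_png() -> bytes:
    """Constructed 1x1 RGBA PNG used as the well-formed sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00\x00")  # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed sample: a PNG signature followed by script text, not a real image.
SAMPLE_POLYGLOT = PNG_SIGNATURE + b"<?php /* script body */ ?>"


if __name__ == "__main__":
    print("weak check, avatar.php:", weak_is_allowed("avatar.php", "image/png", SAMPLE_POLYGLOT))
    print("hardened, avatar.php:", hardened_accept("avatar.php", SAMPLE_POLYGLOT))
    print("hardened, avatar.png (polyglot):", hardened_accept("avatar.png", SAMPLE_POLYGLOT))
    print("hardened, avatar.png (real PNG):", hardened_accept("avatar.png", build_minimal_png()))
```

The structural walk is what separates the two checks: the weak path stops reading after eight bytes, so anything that starts like an image is an image to it, while the hardened path has to account for every byte up to IEND. Storing the file under a server-chosen name in a directory where the web server does not execute scripts, and answering with an opaque identifier rather than the path, removes the step the article describes where the response hands the attacker the location to request.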

“If exploited, this vulnerability could allow an attacker to execute commands on your server and traverse your hosting account to further infect any sites hosted in the account with malicious code,” Chamberland said.

“This would effectively give the attacker complete control over every site on your server,” she added.

Over 45,000 still vulnerable to attacks

While wpDiscuz 7.0.5, the version containing a fix for this maximum severity RCE vulnerability, was released on July 23, the plugin only had just over 25,000 downloads during the last week, including both updates and new installs.

This translates into at least 45,000 WordPress sites with active wpDiscuz installations still potentially left exposed to takeover attacks if attackers decide to start exploiting this bug in future campaigns.

wpDiscuz users are urged to update the plugin to the latest release as soon as possible to block potential attacks aiming to take over their hosting accounts, since attackers regularly use known WordPress plugin flaws to take over or wipe sites.

wpDiscuz download history

For instance, last month Wordfence reported a large-scale attack that targeted hundreds of thousands of WordPress websites over the course of 24 hours, trying to collect database credentials by stealing configuration files after exploiting known XSS vulnerabilities in WordPress plugins and themes.

“Between May 29 and May 31, 2020, the Wordfence Firewall blocked over 130 million attacks intended to harvest database credentials from 1.3 million sites by downloading their configuration files,” Wordfence QA engineer and threat analyst Ram Gall said at the time.