Arbitrary file upload bug leading to site takeoversThe vulnerability was reported to wpDiscuz’s developers by Wordfence’s Threat Intelligence team on June 19 and was fully patched with the release of version 7.0.5 on July 23, after a failed attempt to fix the issue in version 7.0.4. According to Wordfence threat analyst Chloe Chamberland, the security flaw is rated as critical severity with a CVSS base score of 10/10. While wpDiscuz was designed to only allow using image attachments, the file mime type detection functions included in unpatched versions of the plugin and used to verify file types fail to block users from uploading arbitrary files like PHP files. Once uploaded to a vulnerable site’s hosting server, attackers would get the file path location with the request’s response making it easy to trigger file execution on the server and achieving remote code execution (RCE). “If exploited, this vulnerability could allow an attacker to execute commands on your server and traverse your hosting account to further infect any sites hosted in the account with malicious code,” Chamberland said. “This would effectively give the attacker complete control over every site on your server,” she added.
Over 45,000 still vulnerable to attacksWhile wpDiscuz 7.0.5, the version containing a fix for this maximum severity RCE vulnerability, was released on July 23, the plugin only had just over 25,000 downloads during the last week, including both updates and new installs. This translates into at least 45,000 WordPress sites with active wpDiscuz installations still potentially left exposed to takeover attacks if attackers hackers decide to start exploiting this bug as part of future campaigns.
wpDiscuz users are urged to update the plugin to the latest release as soon as possible to block potential attacks aiming to take over their hosting accounts since attackers regularly use known WordPress plugin flaws to takeover or wipe sites.For instance, last month, Wordfence reported a large scale attack targeting hundreds of thousands of WordPress websites over the course of 24 hours, trying to collect database credentials by stealing config files after exploiting known XSS vulnerabilities found in WordPress plugins and themes. “Between May 29 and May 31, 2020, the Wordfence Firewall blocked over 130 million attacks intended to harvest database credentials from 1.3 million sites by downloading their configuration files,” Wordfence QA engineer and threat analyst Ram Gall said at the time.