Hackers can exploit a maximum severity vulnerability in the wpDiscuz plugin installed on over 70,000 WordPress sites to execute code remotely after uploading arbitrary files on servers hosting vulnerable sites.
wpDiscuz is a WordPress plugin marketed as an alternative to Disqus and Jetpack Comments that provides an Ajax real-time comment system that will store comments within a local database.
The plugin comes with support for multiple comment layouts, inline commenting and feedback, as well as a post rating system and multi-level (nested) comment threads.
Arbitrary file upload bug leading to site takeovers
The vulnerability was reported to wpDiscuz’s developers by Wordfence’s Threat Intelligence team on June 19 and was fully patched with the release of version 7.0.5 on July 23, after a failed attempt to fix the issue in version 7.0.4.
According to Wordfence threat analyst Chloe Chamberland, the security flaw is rated as critical severity with a CVSS base score of 10/10.
While wpDiscuz was designed to allow only image attachments, the MIME type detection functions that unpatched versions of the plugin use to verify file types fail to block users from uploading arbitrary files, including PHP files.
Once a file is uploaded to a vulnerable site’s hosting server, the request’s response returns its path, making it easy for attackers to trigger execution of the file on the server and achieve remote code execution (RCE).
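An added illustration, not the plugin's own code, of why content sniffing alone is the wrong gate for an image-only upload feature: the weak check mirrors the failure described above (a file whose leading bytes look like an image is accepted under whatever name the client chose), while the hardened check additionally requires a single allow-listed extension that agrees with the sniffed type. The file names, byte strings and the allow-list are constructed for the example.

```python
import os

# Magic-byte prefixes of the only kinds an image-only attachment feature
# should accept (constructed allow-list for this example).
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

def sniff_image_type(data: bytes):
    """Return the extension implied by the leading bytes, or None."""
    for ext, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None

def weak_is_allowed(filename: str, data: bytes) -> bool:
    """Content sniffing only: anything that starts like an image passes and is
    stored under the client-supplied name, so x.php with a GIF header gets in."""
    return sniff_image_type(data) is not None

def hardened_is_allowed(filename: str, data: bytes) -> bool:
    """Require one allow-listed extension whose magic bytes match the content."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False  # no extension, or a double extension such as x.php.gif
    ext = parts[1]
    if ext not in IMAGE_MAGIC:
        return False  # .php, .phtml, .html ... never reach storage
    sniffed = sniff_image_type(data)
    # jpg and jpeg share a signature, so compare signatures rather than keys
    return sniffed is not None and IMAGE_MAGIC[sniffed] == IMAGE_MAGIC[ext]

# Constructed uploads: (client-supplied filename, leading bytes of content)
SAMPLES = [
    ("photo.png", IMAGE_MAGIC["png"] + b"\x00\x00\x00\rIHDR"),
    ("cover.jpeg", IMAGE_MAGIC["jpg"] + b"\xe0\x00\x10JFIF"),
    ("avatar.php", b"GIF89a<?php /* constructed placeholder */ ?>"),
    ("avatar.php.gif", b"GIF89a constructed double-extension sample"),
    ("notes.png", b"not an image at all"),
]

def evaluate(samples=SAMPLES):
    """Map each filename to (weak verdict, hardened verdict)."""
    return {name: (weak_is_allowed(name, data), hardened_is_allowed(name, data))
            for name, data in samples}
```

Storing the accepted file under a server-generated name (rather than the client's) and not echoing its path in the response are separate, complementary controls that this example does not implement.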
“If exploited, this vulnerability could allow an attacker to execute commands on your server and traverse your hosting account to further infect any sites hosted in the account with malicious code,” Chamberland said.
“This would effectively give the attacker complete control over every site on your server,” she added.
Over 45,000 still vulnerable to attacks
While wpDiscuz 7.0.5, the version containing a fix for this maximum severity RCE vulnerability, was released on July 23, the plugin only had just over 25,000 downloads during the last week, including both updates and new installs.
This translates into at least 45,000 WordPress sites with active wpDiscuz installations still potentially exposed to takeover attacks if attackers decide to start exploiting this bug in future campaigns.
wpDiscuz users are urged to update the plugin to the latest release as soon as possible to block potential attacks aiming to take over their hosting accounts, since attackers regularly use known WordPress plugin flaws to take over or wipe sites.
For instance, last month, Wordfence reported a large-scale attack targeting hundreds of thousands of WordPress websites over the course of 24 hours, trying to collect database credentials by stealing config files after exploiting known XSS vulnerabilities in WordPress plugins and themes.
“Between May 29 and May 31, 2020, the Wordfence Firewall blocked over 130 million attacks intended to harvest database credentials from 1.3 million sites by downloading their configuration files,” Wordfence QA engineer and threat analyst Ram Gall said at the time.