Patch this WordPress plugin now, thousands of users warned

Maximum severity WordPress plugin bug places tens of thousands of websites at risk


A critical vulnerability has been identified in a WordPress plugin installed across more than 80,000 websites.

Discovered by researchers at security firm Wordfence, the bug is present in the WordPress plugin wpDiscuz (versions 7.0.0 to 7.0.4), used by administrators to integrate a comments section into their websites.

The bug could reportedly allow hackers to remotely execute code on a vulnerable website’s servers, take control of the hosting account and inject malicious code into other sites managed by the same entity.

As such, it has been assigned a maximum severity score of 10/10 as per the Common Vulnerability Scoring System (CVSS).

WordPress plugin vulnerability

The WordPress plugin vulnerability first surfaced with wpDiscuz version 7.0.0, which introduced a facility that allows users to attach images to comments.

Although the feature was intended to allow for image uploads only, the file type verification process could be easily circumvented, allowing hackers to upload any file of their choosing and sow the seed for account takeover.

“This flaw [gives] unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server,” explained Wordfence in a blog post.
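The weakness described above is a file type check that could be bypassed. What follows is an added example, not wpDiscuz's or Wordfence's code, of how a comment image upload can be validated in PHP so that the extension, the MIME type sniffed from the bytes and the decoded image format must all agree; the function names and the allowlist are assumptions for illustration.

```php
<?php
// Added example (not wpDiscuz or Wordfence code): server-side validation for a
// comment image upload. Function names and the allowlist are assumptions; the
// WordPress API is not used, so the snippet runs stand-alone with `php`.

const ALLOWED_IMAGES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Returns null when the file is a genuine image of an allowed type, otherwise
 * a short rejection reason. $tmp_path is the uploaded temp file; $client_name
 * is the filename supplied by the browser and is never trusted.
 */
function validate_image_upload(string $tmp_path, string $client_name): ?string
{
    // 1. Extension allowlist on the lower-cased client name: "x.php" or
    //    "x.phtml" fails here; "x.php.jpg" is caught by the next check.
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGES[$ext])) {
        return "extension '$ext' not allowed";
    }
    if (substr_count($client_name, '.') > 1) {
        return 'multiple extensions not allowed';
    }
    // 2. Content sniffing: the MIME type derived from the bytes must match the
    //    extension exactly, not merely appear somewhere in the allowlist.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp_path);
    if ($mime !== ALLOWED_IMAGES[$ext]) {
        return "sniffed type '$mime' does not match .$ext";
    }
    // 3. The file must decode as that format, not merely start with its magic bytes.
    $info = @getimagesize($tmp_path);
    if ($info === false || $info['mime'] !== $mime) {
        return 'file does not decode as an image';
    }
    return null;
}

/** Never reuse the client name on disk: generate the stored name server-side. */
function safe_destination(string $upload_dir, string $client_name): string
{
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    return rtrim($upload_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}
```

A file that passes all three checks can still be a valid image with script bytes appended, so this validation is one layer only: the upload directory must also be configured so the web server never executes files stored there.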


“If exploited, this vulnerability could allow an attacker to traverse your hosting account to further infect any sites hosted in the account with malicious code. This would effectively give the attacker complete control over every site on your server.”

Wordfence first informed wpDiscuz developers of the vulnerability on June 19. After a failed attempt to resolve the issue with version 7.0.4, a full patch was released on July 23 with version 7.0.5.

The update has been downloaded circa 25,000 times since it was published, but this means roughly 55,000 WordPress websites remain at risk. To shield against attack, users of the wpDiscuz plugin are advised to install the latest version immediately.

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He’s responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.
