Researchers are warning of a critical vulnerability in a WordPress plugin called Comments – wpDiscuz, which is installed on more than 70,000 websites. The flaw gives unauthenticated attackers the ability to upload arbitrary files (including PHP files) and ultimately execute remote code on vulnerable website servers.
Comments – wpDiscuz enables WordPress websites to add custom comment forms and fields to sites, and serves as an alternative to services like Disqus. Researchers with Wordfence, who discovered the flaw, have notified the plugin’s developer, gVectors, which issued a patch on July 23.
With a CVSS score of 10 out of 10, the glitch is considered critical in severity, and researchers are urging website administrators to ensure that they update.
“This vulnerability was introduced in the plugin’s latest major version update,” said Wordfence researchers in a Tuesday post. “This is considered a critical security issue that could lead to remote code execution on a vulnerable site’s server. If you are running any version from 7.0.0 to 7.0.4 of this plugin, we highly recommend updating to the patched version, 7.0.5, immediately.”
Threatpost has reached out to gVectors for further comment.
The Flaw
In the latest overhaul of the plugin (versions 7.x.x), its developers added a feature that gives users the ability to include image attachments in comments that are uploaded to a website.
However, the implementation of this feature lacked the security checks needed to vet comment attachments and confirm that they actually are image files rather than some other type of file.
This lack of verification could allow an unauthenticated user to upload any type of file, including PHP files. To pass the file content-verification check, an attacker would simply need to add an image to make any file look like the allowed file type.
After uploading a file, the file-path location is returned as part of the request’s response, allowing the attacker to easily find the file’s location and access it. This means that attackers could upload arbitrary PHP files and then access those files to trigger their execution on the server, achieving remote code execution, said researchers.
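To make the mismatch concrete, here is an added illustration in Python (not the plugin's code, and not derived from it): a content-only sniff of the kind the article describes, placed beside a stricter validator that ties the detected signature to an allow-listed extension and replaces the client-supplied filename with a server-chosen one. All function names and the sample byte strings are constructed for this example.

```python
import os
import secrets
from typing import Optional

# Leading bytes ("magic numbers") of the image formats a comment form would accept.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def looks_like_image(data: bytes) -> bool:
    """Content-only check: true if the data starts with ANY known image signature."""
    return any(data.startswith(sig) for sigs in IMAGE_SIGNATURES.values() for sig in sigs)


def weak_accept(filename: str, data: bytes) -> bool:
    """Validation in the spirit of the flaw described above: the content is sniffed,
    but the filename (and therefore the extension the web server will act on) is
    never examined, so a file that merely begins with image bytes passes."""
    return looks_like_image(data)


def strict_accept(filename: str, data: bytes) -> Optional[str]:
    """Returns a safe server-side filename, or None when the upload is rejected."""
    base = os.path.basename(filename)
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in IMAGE_SIGNATURES:          # extension allow-list: .php and friends never qualify
        return None
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return None                          # signature must match the *claimed* type, not just any image
    return f"{secrets.token_hex(16)}.{ext}"  # server picks the stored name; client name is discarded


# Constructed sample uploads (not real files).
GENUINE_GIF = b"GIF89a" + b"\x00" * 16
DISGUISED_SCRIPT = b"GIF89a" + b"<?php placeholder ?>"  # image bytes prepended to non-image content

if __name__ == "__main__":
    print("weak   :", weak_accept("attachment.php", DISGUISED_SCRIPT))   # True  -> would be stored as .php
    print("strict :", strict_accept("attachment.php", DISGUISED_SCRIPT)) # None  -> rejected
    print("strict :", strict_accept("photo.gif", GENUINE_GIF))           # random name ending in .gif
```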
“If exploited, this vulnerability could allow an attacker to execute commands on your server and traverse your hosting account to further infect any sites hosted in the account with malicious code,” said researchers. “This would effectively give the attacker complete control over every site on your server.”
WordPress Plugin Bugs
WordPress plugins continue to be plagued by vulnerabilities, which have dire consequences for websites. Earlier in July, it was discovered that the Adning Advertising plugin for WordPress, a premium plugin with over 8,000 customers, contains a critical remote code-execution vulnerability with the potential to be exploited by unauthenticated attackers.
In May, Page Builder by SiteOrigin, a WordPress plugin with a million active installs that’s used to build websites via a drag-and-drop function, was found to harbor two flaws that could allow full site takeover.
Meanwhile in April, it was revealed that legions of website visitors could be infected with drive-by malware, among other issues, thanks to a CSRF bug in Real-Time Search and Replace.