A critical bug in the popular Wordpress plugin wpDiscuz allow users to upload and execute code remotely. This is because of a bug in the file mime type detection that allowed any file type to be uploaded. This open up the server to remote code execution (RCE) that could result in the entire server being compromised.
The vulnerability was reported to wpDiscuz's developers by Wordfence's Threat Intelligence team on June 19 and was fully patched with the release of version 7.0.5 on July 23. Since then 25.000 users have downloaded this update, leaving at least 45.000 sites still vulnerable from this bug.
According to Wordfence threat analyst Chloe Chamberland, the security flaw is rated as critical severity with a CVSS base score of 10/10.
"If exploited, this vulnerability could allow an attacker to execute commands on your server and traverse your hosting account to further infect any sites hosted in the account with malicious code.
This would effectively give the attacker complete control over every site on your server"
June 18, 2020 – Initial discovery of vulnerability. We verify the Wordfence firewall provides protection against exploit attempts and we make our initial contact attempt with the plugin’s team.
June 19, 2020 – Plugin team confirms inbox for handling disclosure. We send full disclosure details.
June 20, 2020 – The plugin’s team let us know that a patch will be released in version 7.0.4.
July 6, 2020 – Follow-up as no patch has been released.
July 10, 2020 – They respond to let us know a patch is coming in 1-2 days.
July 13, 2020 – Follow-up as no patch has been released.
July 15, 2020 – They respond saying a patch will be released by the end of week.
July 20, 2020 – A patch has been released. We check the patch and see that vulnerability is still exploitable and inform them.
July 23, 2020 – A sufficient patch has been released in version 7.0.5
If you are using wpDiscuz you should upgrade emediately to avoid having your server compromised.