[Article] Critical WordPress plugin bug can compromise hosting accounts of thousands of users


Jimi Wikman
A critical bug in the popular WordPress plugin wpDiscuz allows users to upload arbitrary files and execute code remotely. The cause is a flaw in the plugin's file mime-type detection that lets any file type through the upload check. This exposes the server to remote code execution (RCE) that could result in the entire server being compromised.
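
The mime-type check described above is the usual weak spot in upload handlers: content sniffing answers what the bytes look like, not what the web server will do with the file once it sits under wp-content/uploads with a .php name. The following is an added illustration of that class of bug next to a stricter check; it is written for this page, is not wpDiscuz's own code, and the function names and the polyglot sample are constructed.

```php
<?php
// Added illustration, not wpDiscuz's own code: a "content sniffing only"
// upload check versus one that also enforces an extension allow-list and
// picks the stored file name itself. Function names are hypothetical.

// Constructed sample: a GIF/PHP polyglot. The leading bytes are a valid GIF
// signature plus a 1x1 logical screen, followed by PHP code. A sniffer that
// only inspects the signature reports image/gif; a PHP interpreter handed the
// same bytes prints the header as text and then runs the code.
$polyglot = "GIF89a\x01\x00\x01\x00" . '<?php echo "php ran"; ?>';

// Minimal signature sniffer standing in for finfo()/getimagesize()-style
// detection. It answers "what does the content look like?" and nothing else.
function sniff_mime(string $bytes): ?string
{
    $signatures = [
        "\xFF\xD8\xFF"      => 'image/jpeg',
        "\x89PNG\r\n\x1A\n" => 'image/png',
        "GIF87a"            => 'image/gif',
        "GIF89a"            => 'image/gif',
    ];
    foreach ($signatures as $sig => $mime) {
        if (strncmp($bytes, $sig, strlen($sig)) === 0) {
            return $mime;
        }
    }
    return null;
}

// Weak gate: accept if the content looks like an image, and keep the
// client-supplied name (extension included) as the stored name.
function weak_accept(string $clientName, string $bytes): ?string
{
    $mime = sniff_mime($bytes);
    if ($mime === null || strpos($mime, 'image/') !== 0) {
        return null;
    }
    return basename($clientName); // "avatar.php" is stored as avatar.php
}

// Stricter gate: the extension must be on an allow-list, the sniffed type
// must match what that extension promises, and the server chooses the
// stored name so the client never controls the extension on disk.
function strict_accept(string $clientName, string $bytes): ?string
{
    $allowed = [
        'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
        'png' => 'image/png',  'gif'  => 'image/gif',
    ];
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;                       // .php, .phtml, .phar, no extension: rejected
    }
    if (sniff_mime($bytes) !== $allowed[$ext]) {
        return null;                       // extension and content disagree
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

printf("weak   avatar.php -> %s\n", weak_accept('avatar.php', $polyglot) ?? 'rejected');
printf("strict avatar.php -> %s\n", strict_accept('avatar.php', $polyglot) ?? 'rejected');
printf("strict avatar.gif -> %s\n", strict_accept('avatar.gif', $polyglot) ?? 'rejected');
```

Run with `php upload_check.php`: the weak gate stores avatar.php as-is because the bytes sniff as image/gif, while the strict gate rejects the .php name outright. The third case shows the limit of validation alone: the same polyglot under a .gif name is accepted and stored under a random name with a .gif extension, and it still contains PHP. That is why the upload directory should also be served with PHP execution disabled (with mod_php, `php_flag engine off` in an .htaccess in the uploads directory; with nginx, a location block for the uploads path that refuses requests for .php files), so a bypass of the check does not by itself become code execution.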

The vulnerability was reported to wpDiscuz's developers by Wordfence's Threat Intelligence team on June 19 and was fully patched with the release of version 7.0.5 on July 23. Since then 25,000 users have downloaded this update, leaving at least 45,000 sites still vulnerable to this bug.

According to Wordfence threat analyst Chloe Chamberland, the security flaw is rated as critical severity with a CVSS base score of 10/10.

"If exploited, this vulnerability could allow an attacker to execute commands on your server and traverse your hosting account to further infect any sites hosted in the account with malicious code.

This would effectively give the attacker complete control over every site on your server."

Disclosure Timeline

June 18, 2020 – Initial discovery of vulnerability. We verify the Wordfence firewall provides protection against exploit attempts and we make our initial contact attempt with the plugin’s team.
June 19, 2020 – Plugin team confirms inbox for handling disclosure. We send full disclosure details.
June 20, 2020 – The plugin’s team let us know that a patch will be released in version 7.0.4.
July 6, 2020 – Follow-up as no patch has been released.
July 10, 2020 – They respond to let us know a patch is coming in 1-2 days.
July 13, 2020 – Follow-up as no patch has been released.
July 15, 2020 – They respond saying a patch will be released by the end of week.
July 20, 2020 – A patch has been released. We check the patch and see that vulnerability is still exploitable and inform them.
July 23, 2020 – A sufficient patch has been released in version 7.0.5.


If you are using wpDiscuz you should upgrade to version 7.0.5 or later immediately to avoid having your server compromised.

