Researchers have uncovered a serious security vulnerability affecting a WordPress plugin installed on over 20,000 websites.
According to a blog post from security firm Wordfence, the bug exists in earlier versions of the Access Demo Importer plugin, which lets WordPress users import demo content, widgets, theme options, and other settings to their sites.
If exploited, the vulnerability could reportedly allow attackers with client-level access to upload arbitrary files that set the stage for remote code execution. Wordfence says that sites with open registrations may be especially vulnerable to this exploit.
The vulnerability has been assigned a severity score of 8.8/10 under the Common Vulnerability Scoring System (CVSS).
WordPress plugin vulnerability
The Access Demo Importer vulnerability is said to stem from a feature that allows users to install plugins hosted outside of the official WordPress repository.
“Unfortunately, this function had no capability checks, nor any nonce checks, which made it possible for authenticated users to install a zip file as a ‘plugin’ from an external source with minimal permissions like clients,” Wordfence explained.
“This ‘plugin’ ZIP file may contain malicious PHP files, including webshells, that can be used to gain remote code execution and eventually completely take over a site.”
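As an added illustration (not code from the plugin, from its developers or from Wordfence), the following hypothetical WordPress AJAX handler installs a plugin from a URL while applying the two checks the article says were missing: a nonce check and a capability check. The action name `demo_importer_install_plugin`, the nonce action `demo_importer_install` and the restriction of the package URL to `downloads.wordpress.org` are assumptions made for this example.

```php
<?php
// Added example, not the plugin's own code. Hypothetical admin-ajax action
// that installs a plugin package from a URL, with the checks the article
// describes as absent from the vulnerable versions.
add_action( 'wp_ajax_demo_importer_install_plugin', 'demo_importer_install_plugin' );

function demo_importer_install_plugin() {
    // 1. Nonce check: the request must carry a nonce this site issued, which
    //    defeats cross-site request forgery. The third argument makes
    //    check_ajax_referer() return false instead of dying, so we can reply in JSON.
    if ( ! check_ajax_referer( 'demo_importer_install', 'nonce', false ) ) {
        wp_send_json_error( 'Invalid or missing nonce.', 403 );
    }

    // 2. Capability check: only roles granted install_plugins (administrators by
    //    default) may proceed. Low-privilege accounts such as subscribers or
    //    "client" users fail this test, which is exactly what was missing.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'You are not allowed to install plugins.', 403 );
    }

    // 3. Input validation (assumed hardening): the package must be a well-formed
    //    URL, and this example restricts it to the official WordPress.org host
    //    rather than accepting an arbitrary external ZIP.
    $package = isset( $_POST['package'] ) ? esc_url_raw( wp_unslash( $_POST['package'] ) ) : '';
    $host    = wp_parse_url( $package, PHP_URL_HOST );
    if ( ! wp_http_validate_url( $package ) || 'downloads.wordpress.org' !== $host ) {
        wp_send_json_error( 'Package must come from downloads.wordpress.org.', 400 );
    }

    // Only now is the package handed to core's installer.
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $package );

    if ( is_wp_error( $result ) || true !== $result ) {
        wp_send_json_error( 'Plugin installation failed.', 500 );
    }
    wp_send_json_success( 'Plugin installed.' );
}
```

The matching nonce would be generated server-side with `wp_create_nonce( 'demo_importer_install' )` and sent along with the request; without both the nonce and the capability gate, any logged-in account could reach the installer.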
Wordfence first identified the vulnerability in early August. After a series of unsuccessful attempts to get in touch with the vendor, the security firm took the issue to the WordPress.org team and the plugin was pulled down to allow developers to apply a patch. A partial fix was introduced in early September, followed by a comprehensive patch on 21 September.
To protect against attack, WordPress users are advised to immediately update to the latest version of the Access Demo Importer plugin (version 1.0.7).