Wordfence’s Threat Intelligence team discovered a vulnerability in the wpDiscuz plug-in, installed on over 70,000 WordPress sites, that allows attackers to upload arbitrary files to the servers hosting vulnerable sites and then execute code remotely.
For context, wpDiscuz is an alternative to Disqus and Jetpack Comments that provides an Ajax real-time comment system storing comments in the site's local database. It supports multiple comment layouts, inline commenting and feedback, a post rating system and multi-level comment threads.
While wpDiscuz was designed to allow only image attachments, the MIME type detection functions it uses to verify file types fail to block users from uploading arbitrary files such as PHP scripts. Once such a file is uploaded to a vulnerable site's server, the attacker knows its location, can trigger its execution on the server and thereby achieve remote code execution.
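As an added example that is not part of the original article or of wpDiscuz itself, the following Python audit script shows what a header-only MIME test misses and what a site owner can run over a WordPress uploads directory after a bypass of this kind: it flags files carrying an interpreter extension, files whose leading bytes do not match the image type their extension claims, and images that contain an embedded PHP open tag. The directory layout, file names, file contents and the extension sets are constructed assumptions for the demonstration, not values from the page.

```python
"""
Audit an image-only uploads directory for files that should not be there.
All sample files below are constructed for the demonstration; the extension
sets are assumptions, not values taken from the article.
"""
import os
import tempfile

# Image types a comment-attachment feature would reasonably accept, mapped to
# the leading bytes (magic numbers) each format must start with.
IMAGE_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# Extensions a typical PHP web server hands to the interpreter (assumed set;
# the exact list depends on the server's handler configuration).
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".phar", ".php5", ".php7"}
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def classify_upload(name: str, data: bytes) -> str:
    """Return 'ok' or the reason a file in an image-only upload area is suspect."""
    parts = name.lower().split(".")
    # Every extension in the name counts, so 'shot.php.png' is treated as
    # executable: some server configurations dispatch on any recognised
    # extension in the name, not only the last one.
    if any("." + p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        return "executable-extension"
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext not in IMAGE_SIGNATURES:
        return "unknown-extension"
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return "magic-mismatch"
    # A genuine image header is not proof of a genuine image: the file may
    # still carry interpreter code after it, which is exactly what a check
    # that only sniffs the leading bytes cannot see.
    if any(tag in data for tag in PHP_OPEN_TAGS):
        return "embedded-php"
    return "ok"


def scan_directory(root: str, max_bytes: int = 4 * 1024 * 1024) -> list:
    """Walk an uploads tree and return (relative_path, finding) for every suspect file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fname in sorted(filenames):
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read(max_bytes)
            verdict = classify_upload(fname, data)
            if verdict != "ok":
                findings.append((os.path.relpath(path, root), verdict))
    return findings


def build_demo_tree(root: str) -> None:
    """Write a constructed set of sample files (not real uploads) under root."""
    samples = {
        "2020/07/photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "2020/07/avatar.gif": b"GIF89a" + b"\x00" * 32,
        "2020/07/notes.txt": b"plain text",
        "2020/07/image.jpg": b"GIF89a" + b"\x00" * 32,
        "2020/07/banner.gif": b"GIF89a" + b"\x00" * 16 + b"<?php" + b"\x00" * 8,
        "2020/07/upload.php": b"<?php ?>",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def demo_findings() -> list:
    """Build the constructed tree in a temporary directory and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for rel, why in demo_findings():
        print(f"{why:22s} {rel}")
```

Pointing `scan_directory` at a real `wp-content/uploads` tree lists every file that an image-only attachment feature should never have stored; each finding is a candidate for removal and for review of the web server's access logs around the file's creation time. The check is intentionally strict on double extensions and on PHP tags inside otherwise valid images, because those are the two cases a validator that only inspects the leading bytes accepts.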
Chloe Chamberland, an analyst at Wordfence, rated this a critical-severity issue with a CVSS base score of 10/10. She said, “If exploited, this vulnerability could allow an attacker to execute commands on your server and traverse your hosting account to further infect any sites hosted in the account with malicious code. This would effectively give the attacker complete control over every site on your server.”
The issue was reported on June 19 and, after a failed attempt in version 7.0.4, the fully patched wpDiscuz version 7.0.5 was released on July 23. Although this version contains the fix for the RCE vulnerability, the plug-in was downloaded only 25,000 times during the last week.
At least 45,000 WordPress sites with active wpDiscuz installations therefore remain potentially exposed to the attack. wpDiscuz users are urged to update the plug-in to the latest version as soon as possible.