Security experts from Wordfence discovered a critical vulnerability impacting the wpDiscuz WordPress plugin that is installed on over 80,000 sites.
The vulnerability could be exploited by attackers to execute arbitrary code remotely after uploading arbitrary files on servers hosting the vulnerable WordPress sites.
wpDiscuz provides an Ajax real-time comment feature that stores the comments into a local database.
Researchers from WordFence reported the flaw to the wpDiscuz’s development team on June 19, the issue was fully addressed on July 23, with the release of version 7.0.5.
The developers initially attempted to fix the issue with the release of version 7.0.4, but they failed to fix it.
The vulnerability is rated as a critical severity and received a CVSS base score of 10/10.
Experts observed that unpatched versions of the wpDiscuz plugin fail to verify types of the files uploaded by the users. The plugin normally would allow users to only allow image attachments.
“wpDiscuz is a plugin designed to create responsive comment areas on WordPress installations. It allows users to discuss topics and easily customize their comments using a rich text editor. In the latest overhaul of the plugin, versions 7.x.x, they added the ability to include image attachments in comments which are uploaded to the site and included in the comments.” reads the analysis published by WordFence. “Unfortunately, the implementation of this feature lacked security protections creating a critical vulnerability.”
An attacker could upload a malicious file to a vulnerable site’s hosting server, then he would get the file path location with the request’s response to execute it on the server and achieve remote code execution (RCE).
“This made it possible for attackers to create any file type and add image identifying features to files to pass the file content verification check.” continues the report. “A PHP file attempting to bypass this verification could look something like this in a request:
Content-Disposition: form-data; name="wmu_files"; filename="myphpfile.php"
The file path location was returned as part of the request’s response, allowing a user to easily find the file’s location and access the file it was uploaded to the server. This meant that attackers could upload arbitrary PHP files and then access those files to trigger their execution on the server, achieving remote code execution.”
The wpDiscuz 7.0.5, which was released on July 23, had just over 40,000 downloads at the time of writing this post, this means that at least 40,000 WordPress sites are still impacted by the issue.
Due to the critical severity of this issue and the simplicity in exploiting it, WordFence did not release a proof of concept video for this issue.
(SecurityAffairs – hacking, wpDiscuz)