Once again, a critical security flaw in a WordPress plugin posed a threat to thousands of websites. This time, the researchers discovered the vulnerability in the wpDiscuz WordPress plugin.
wpDiscuz WordPress Plugin Vulnerability
Researchers from Wordfence have come up with one more report about a vulnerable plugin. As described in their recent blog post, they caught a critical vulnerability in the wpDiscuz WordPress plugin. Exploiting this bug could let an attacker achieve various dangerous privileges on the target server, including remote code execution and arbitrary file upload.
The vulnerability existed because it was possible to bypass file verification. While the plugin allowed uploading image files as attachment, due to the flaw, an adversary could exploit this functionality to upload any file types, including PHP files.
Describing this issue, the blog stated,
The issue was escalated with the ‘
isAllowedFileType
’ function that did a check to see if the file was an allowed file type as it used the mime from the ‘getMimeType
’ function. Due to the fact that the ‘getMimeType
’ function used functions to obtain a file’s mime type based on file content, any file type could easily be spoofed to look like an allowed file type and pass this check.
To do so, the attacker would simply need to include an image with the request. Thus, the plugin won’t detect the file type and would respond with the file-path location. This would then allow the attacker to access files in that location of the server.
Consequently, this would not only allow the attacker to upload arbitrary files to the target server, but also to access other files and execute commands. Also, an attacker could exploit the target hosting account to inject malicious codes to other sites hosted in it. Eventually, all sites on that particular server would become prey to the attack.
Developers Patched The Flaw
The researchers caught this critical severity bug that achieved a CVSS score of 10.0, in June 2020. After that, they reached out to the developers of Comments – wpDiscuz plugin that boasts over 80,000 active installations.
Specifically, the vulnerability affected the plugin versions 7.0.0 to 7.0.4. Following the bug report, the developers patched the flaw with the release of version 7.0.5.
Due to the critical nature of the bug, Wordfence did not share a PoC of the exploit. Though, since the patch is now available, they will share the PoC in their live video stream on August 4, 2020.
Until that time, all Comments-wpDiscuz plugin users must ensure updating their sites with the latest version to stay protected.
Let us know your thoughts in the comments.