Wordfence analysts discovered a dangerous vulnerability in the wpDiscuz plugin, which is installed on 70,000 sites. The problem is exploited by uploading files to the server hosting the vulnerable site, after which an attacker is able to execute arbitrary code.
The wpDiscuz plugin for WordPress is an alternative to well-known solutions like Disqus and Jetpack Comments, that is, it provides the site with an Ajax-based commenting system that stores posts in a local database.
Wordfence experts say that they discovered the problem on June 19, 2020, and rushed to notify the wpDiscuz developers. The bug is now fixed in version 7.0.5, released on July 23, 2020 (an attempt to fix the problem in version 7.0.4 was unsuccessful). It is emphasized that the problem is rated critical and scored 10 out of a possible 10 points on the CVSS vulnerability assessment scale.
The root of the bug is that although the plugin was designed to allow users to attach only image files to messages, vulnerable versions of wpDiscuz failed to check file types, and as a result, users were able to upload, for example, PHP files to the server. After uploading such a file to the host server of the vulnerable site, attackers could launch and execute it, which entailed remote execution of arbitrary code.
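One way an image-only upload handler can verify file types, shown as an added example in plain PHP (it is not wpDiscuz or Wordfence code). The function name `safe_image_name`, the allowlist and the sample uploads are assumptions constructed for illustration.

```php
<?php
// Added illustration; function name and allowlist are assumptions, not wpDiscuz code.
const ALLOWED_IMAGES = [
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/png'  => ['png'],
    'image/gif'  => ['gif'],
];

/**
 * Returns a safe server-side filename for an image upload, or null to reject it.
 * The type is derived from the file content and must agree with the extension;
 * the MIME type declared by the client is never consulted.
 */
function safe_image_name(string $tmpPath, string $clientName): ?string
{
    $ext  = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!is_string($mime) || !isset(ALLOWED_IMAGES[$mime])) {
        return null; // content is not one of the allowed image types
    }
    if (!in_array($ext, ALLOWED_IMAGES[$mime], true)) {
        return null; // extension does not match the detected content type
    }
    if (@getimagesize($tmpPath) === false) {
        return null; // looked like an image but does not parse as one
    }
    // Discard the client's filename: random basename plus the vetted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample uploads: [client filename, file content].
$samples = [
    ['photo.gif', "GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00;"],
    ['notes.php', "<?php echo 'not an image';"],
    ['photo.gif', "<?php echo 'not an image';"],
];
foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $stored = safe_image_name($tmp, $name);
    printf("%-10s %s\n", $name, $stored === null ? 'rejected' : "stored as $stored");
    unlink($tmp);
}
```

Serving the upload directory with script execution disabled remains a useful second layer, so that a file that slips past validation is still never run.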
Although the patched version of the plugin was released on July 23rd, it has been downloaded only a little more than 28,000 times in the last week (including both updates and new installations). That is, about 42,000 sites using wpDiscuz are still vulnerable to a dangerous bug and can be attacked.
Experts strongly recommend that site owners update the plugin to the latest version as soon as possible, since attackers often use known issues in WordPress plugins to hijack and even erase other people's sites.