Researchers have disclosed a severe security vulnerability affecting a WordPress plugin (opens in new tab) installed across more than 20,000 websites.
According to a blog post (opens in new tab) from security firm Wordfence, the bug is present in older versions of the Access Demo Importer plugin, which lets WordPress (opens in new tab) users import demo content, widgets, theme options and other settings to their sites.
If exploited, the vulnerability could reportedly allow attackers with subscriber-level access to upload arbitrary files that set the stage for remote code execution. Wordfence says that sites with open registration could be particularly vulnerable to this exploit.
- Check out our list of the best antivirus (opens in new tab) services out there
- We've built a list of the best DDoS protection (opens in new tab) around
- Here's our list of the best malware removal software (opens in new tab) available
The vulnerability has been assigned a severity score of 8.8/10 as per the Common Vulnerability Scoring System (CVSS).
WordPress plugin vulnerability
The Access Demo Importer vulnerability is said to originate in a feature that allows users to install plugins hosted outside of the official WordPress repository.
“Unfortunately, this function had no capability check, nor any nonce checks, which made it possible for authenticated users with minimal permissions, like subscribers, to install a zip file as a ‘plugin’ from an external source,” explained Wordfence.
“This ‘plugin’ zip file could contain malicious PHP files, including webshells, that could be used to achieve remote code execution and ultimately completely take over a site.”
The vulnerability was first identified by Wordfence in early August. After a series of failed attempts to get in contact with the vendor, the security firm escalated the issue to the WordPress.org team and the plugin was pulled down to allow the developers to put together a patch. A partial fix was rolled out in early September, followed by a comprehensive patch on September 21.
To shield against attack, WordPress users are advised to update to the latest version of the Access Demo Importer plugin (version 1.0.7) immediately.
- Here's our list of the best web hosting (opens in new tab) services around