Almost a million WordPress websites at risk from this security flaw — here's what you need to know to keep your site safe

News
By published

Another vulnerable plugin was found on the WordPress platform

Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
(Image credit: Shutterstock/monticello)

Almost a million WordPress websites were vulnerable to a flaw that allowed hackers to modify content on different pages. 

A report from Wordfence noted the vulnerability could lead to hackers altering sensitive data and potentially exploiting the website builder system.

As per the report, the websites were vulnerable through a WordPress plugin called Website Builder, developed by SeedProd which has more than 900,000 active installations. The vulnerability involved a missing capability check in one of the plugin’s functions, allowing hackers to modify content on sites such as “coming soon”, maintenance pages, or 404 pages, created using the plugin. 

Reader offer: Get up to 75% off on hosting with Hostinger

Reader offer: Get up to 75% off on hosting with Hostinger

Get top-notch performance, extensive features, and unbeatable value for money. With Hostinger you can enjoy free domain, SSL, backups, and more. Upgrade for professional extras like NVMe storage, CDN, and WordPress caching.

Preferred partner (What does this mean?) 

Targeting plugins

WordPress websites with versions up to 6.15.21 of the plugin installed were vulnerable, the report further stated. SeedProd has addressed it, however, and released a patch bringing the plugin up to version 6.15.22. All WordPress website owners using the plugin are advised to apply the patch immediately.

The vulnerability itself is tracked as CVE-2024-1072, and carries a severity score of 8.2/10 in the Common Vulnerability Scoring System (CVSS), making it a “high risk” flaw. 

WordPress is by far the world’s most popular website builder, powering almost half (43%) of all websites on the internet. This also makes it an extremely popular target among hackers. However, WordPress is generally considered safe, as less than 1% of all known vulnerabilities on the platform target the website builder itself. 

Instead, hackers usually look for flaws in plugins and addons, as many of them aren’t as thoroughly monitored, or frequently updated, as they should be. This rings particularly true for non-commercial plugins, which are often built by a single developer, and sometimes abandoned, but still widely used. Administrators are advised to always keep all of their plugins updated.

More from TechRadar Pro

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Top WordPress plugins found to have some serious security flaws, so make sure you're protected
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Over a million WordPress sites exposed to attack from W3 Total Cache plugin flaw
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Thousands of WordPress websites hit in new malware attack, here's what we know
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Another serious WordPress plugin vulnerability could put 40,000 sites at risk of attack
WordPress
Another top WordPress plugin found carrying critical security flaws
Wordpress brand logo on computer screen. Man typing on the keyboard.
Thousands of WordPress sites targeted with malicious plugin backdoor attacks
Latest in Security
Lock on Laptop Screen
Data breach at Pennsylvania education union potentially exposes 500,000 victims
An American flag flying outside the US Capitol building against a blue sky
Five Eyes "cannot replace US intel in Ukraine", claims former US Cyber Command Chief
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Criminals are using a virtual hard disk image file to host and distribute dangerous malware
WordPress on a laptop
Over 20,000 WordPress sites hit by damaging malware campaign
Trojan
WhatsApp patches security flaw which let hackers install spyware
A man holds a smartphone iPhone screen showing various social media apps including YouTube, TikTok, Facebook, Threads, Instagram and X
A worrying Apple Password App vulnerability reportedly left users exposed for months
Latest in News
Quordle on a smartphone held in a hand
Quordle hints and answers for Friday, March 21 (game #1152)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Friday, March 21 (game #383)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Friday, March 21 (game #649)
The ASSC Assassin's Creed collection.
The Assassin's Creed x Anti Social Social Club drop includes gaming merch that I wouldn't be embarrassed to wear
Lock on Laptop Screen
Data breach at Pennsylvania education union potentially exposes 500,000 victims
Boston Dynamics all electric Altas
This robot can do a cartwheel better than me and now I'm freaking out – but in a good way
More about security
Lock on Laptop Screen

Data breach at Pennsylvania education union potentially exposes 500,000 victims
Trojan

WhatsApp patches security flaw which let hackers install spyware
The ASSC Assassin's Creed collection.

The Assassin's Creed x Anti Social Social Club drop includes gaming merch that I wouldn't be embarrassed to wear
See more latest
Most Popular
The ASSC Assassin's Creed collection.
The Assassin's Creed x Anti Social Social Club drop includes gaming merch that I wouldn't be embarrassed to wear
Quordle on a smartphone held in a hand
Quordle hints and answers for Friday, March 21 (game #1152)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Friday, March 21 (game #383)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Friday, March 21 (game #649)
Living room with Microsoft Xbox Series X (L) and Sony PlayStation 5 home video game consoles alongside a television and soundbar, taken on November 3, 2020.
The PS5 is currently selling faster than the PS4 did in the US, but I'm surprised to discover that the Xbox Series X and S are trailing behind Xbox One
Lock on Laptop Screen
Data breach at Pennsylvania education union potentially exposes 500,000 victims
Samsung Galaxy Tab S9 FE Plus on a desk showing the rear of the device from above
The Samsung Galaxy Tab S10 FE could be a powerful iPad Air rival, based on the latest specs rumors
Trojan
WhatsApp patches security flaw which let hackers install spyware
God of War 20th anniversary vinyl box set.
The God of War 20th anniversary vinyl box set features 13 discs and 150 remastered songs
Boston Dynamics all electric Altas
This robot can do a cartwheel better than me and now I'm freaking out – but in a good way