Hackers are targeting a WordPress security flaw that was supposed to have been fixed

News
By published

A flaw in WP Compress allows hackers to view credentials for the site

Wordpress brand logo on computer screen. Man typing on the keyboard.
(Image credit: Shutterstock/David MG)

Researchers recently observed a known, and apparently fixed vulnerability, being abused in the wild to steal login credentials for WordPress websites.

Cybersecurity researchers from Plugin Vulnerabilities, an organization that monitors flaws in WordPress plugins, reported a hacker trying to exploit an arbitrary file viewing vulnerability in the WP Compress plugin.

WP Compress is a plugin that promises to fix slow load times by compressing the images found on the website. By improving load times, the developers say the sites will perform better in search engine rankings. This can also prevent visitors from leaving the page.

No CVE record

By abusing the vulnerability, the hacker was trying to view the contents of the WordPress configuration files which, among other things, also contains the database credentials for the website.

A deeper investigation revealed that the vulnerability is being tracked as CVE-2023-6699, but the record is empty. On the National Institute of Standards and Technology website, it says “although a CVE ID may have been assigned by either CVE or a CNA, it will not be available in the NVD if it has a status of RESERVED by CVE.” 

The CVE site, on the other hand, says, “This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.”

Plugin Vulnerabilities further explains that this is problematic because many IT teams rely on information from CVE to keep track of vulnerabilities. With no information provided, many websites are in the dark about the potential vulnerability they’re carrying. 

However, the flaw was apparently fixed on December 13 2023. Those using the plugin should make sure they update it to version 6.10.34.

“The lack of CVE records being filled out in a timely manner is an issue that has been known to CVE for some time, but they haven’t addressed,” the researchers have stressed.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.