Hackers are targeting a WordPress security flaw that was supposed to have been fixed

Wordpress brand logo on computer screen. Man typing on the keyboard.
(Image credit: Shutterstock/David MG)

Researchers recently observed a known, and apparently fixed vulnerability, being abused in the wild to steal login credentials for WordPress websites.

Cybersecurity researchers from Plugin Vulnerabilities, an organization that monitors flaws in WordPress plugins, reported a hacker trying to exploit an arbitrary file viewing vulnerability in the WP Compress plugin.

WP Compress is a plugin that promises to fix slow load times by compressing the images found on the website. By improving load times, the developers say the sites will perform better in search engine rankings. This can also prevent visitors from leaving the page.

No CVE record

By abusing the vulnerability, the hacker was trying to view the contents of the WordPress configuration files which, among other things, also contains the database credentials for the website.

A deeper investigation revealed that the vulnerability is being tracked as CVE-2023-6699, but the record is empty. On the National Institute of Standards and Technology website, it says “although a CVE ID may have been assigned by either CVE or a CNA, it will not be available in the NVD if it has a status of RESERVED by CVE.” 

The CVE site, on the other hand, says, “This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.”

Plugin Vulnerabilities further explains that this is problematic because many IT teams rely on information from CVE to keep track of vulnerabilities. With no information provided, many websites are in the dark about the potential vulnerability they’re carrying. 

However, the flaw was apparently fixed on December 13 2023. Those using the plugin should make sure they update it to version 6.10.34.

“The lack of CVE records being filled out in a timely manner is an issue that has been known to CVE for some time, but they haven’t addressed,” the researchers have stressed.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
WordPress
Another top WordPress plugin found carrying critical security flaws
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Over a million WordPress sites exposed to attack from W3 Total Cache plugin flaw
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Top WordPress plugins found to have some serious security flaws, so make sure you're protected
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Another serious WordPress plugin vulnerability could put 40,000 sites at risk of attack
A VPN runs on a mobile phone placed on a laptop keyboard
SonicWall firewalls hit by worrying cyberattack
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Thousands of WordPress websites hit in new malware attack, here's what we know
Latest in Security
A computer file surrounded by red laser beams
Free online file converters could infect your PC with malware, FBI warns
Close up of a person touching an email icon.
Criminals are using CSS to get around filters and track email usage
DeepSeek on a mobile phone
More US government departments ban controversial AI model DeepSeek
Ransomware
Fortinet firewall bugs are being targeted by LockBit ransomware hackers
Trojan
Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
NordProtect logo
Standalone identity theft protection from Nord Security is now available
Latest in News
Perplexity Squid Game Ad
New ad declares Squid Game's real winner is Perplexity AI
Pedro Pascal in Apple's Someday ad promoting the AirPods 4 with Active Noise Cancellation.
Pedro Pascal cures his heartbreak thanks to AirPods 4 (and the power of dance) in this new ad
Frank Grimes confronts Homer Simpson in The Simpsons' Homer's Enemy episode
Disney+ adds a new continuous Simpsons stream, so you no longer have to spend ages choosing an episode
Helly and Mark standing on an artificial hill surrounded by goats in Severance season 2 episode 3
New Apple teaser for Severance season 2 finale suggests we might finally find out what Lumon is doing with those goats, and I don't think it's anything good
Nvidia GR00T N1 humanoid robot
Nvidia is dreaming of trillion-dollar datacentres with millions of GPUs and I can't wait to live in the Omniverse
Foldable iPhone
Apple’s first foldable iPhone could beat the Samsung Galaxy Z Fold 7 in one key way