According to researchers, a maximum severity vulnerability in the wpDiscuz plugin installed on over 80,000 WordPress sites can be exploited to give attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.
Another day, another WordPress plug-in vulnerability. Each one is a good reminder that plug-ins can affect your site’s overall security. While there are some workarounds to protect sites, this one can be particularly dangerous, allowing arbitrary code to be uploaded to your WordPress site. This new vulnerability is another good reminder to ensure your plug-ins are up to date and you’re only enabling and using the plug-ins you really need for your site.
WordPress powers over 30% of the web and remains an attractive target for attackers. This latest flaw via the wpDiscuz plugin gave attackers the ability to upload files, and achieve remote code execution on-site servers. Attackers can use XSS vulnerabilities to gain privileged access to a website and plant malicious JavaScript code that can steal user data, spread malware, or hijack users to nefarious sites. Such techniques have been used to launch Magecart attacks against thousands of e-commerce sites resulting in the theft of millions of credit card numbers.
Attackers can also skim and compromise credentials to hack into databases which can yield another large bounty of usernames, passwords, stored credit card details, social security numbers, and other personally identifiable information (PII). This stolen data can be traded on the dark web where it fuels the endless cycle of account takeover (ATO) attacks and credit card fraud.
Data breaches can expose businesses to severe compliance penalties under data protection regulations such as CCPA and GDPR. Website owners need to secure their sites using strong multi-factor authentication to minimize the chance of a large data breach. Consumers must continue to safeguard their personal data and monitor their credit history for signs of fraud.