Expert Reaction On Maximum Severity Vulnerability in WordPress wpDiscuz Plugin

By ISBuzz Team, Writer, Information Security Buzz | Jul 30, 2020 03:28 am PST

According to researchers, a maximum severity vulnerability in the wpDiscuz plugin installed on over 80,000 WordPress sites can be exploited to give attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.

Tim Chiu, Vice President of Marketing
July 30, 2020 2:20 pm

Another day, another WordPress plug-in vulnerability. Each one is a good reminder that plug-ins can affect your site’s overall security. While there are some workarounds to protect sites, this one can be particularly dangerous, allowing arbitrary code to be uploaded to your WordPress site. This new vulnerability is another good reminder to ensure your plug-ins are up to date and you’re only enabling and using the plug-ins you really need for your site.

Ameet Naik, Security Evangelist
July 30, 2020 11:39 am

WordPress powers over 30% of the web and remains an attractive target for attackers. This latest flaw via the wpDiscuz plugin gave attackers the ability to upload files and achieve remote code execution on site servers. Attackers can use XSS vulnerabilities to gain privileged access to a website and plant malicious JavaScript code that can steal user data, spread malware, or hijack users to nefarious sites. Such techniques have been used to launch Magecart attacks against thousands of e-commerce sites, resulting in the theft of millions of credit card numbers.

Attackers can also skim and compromise credentials to hack into databases which can yield another large bounty of usernames, passwords, stored credit card details, social security numbers, and other personally identifiable information (PII). This stolen data can be traded on the dark web where it fuels the endless cycle of account takeover (ATO) attacks and credit card fraud.

Data breaches can expose businesses to severe compliance penalties under data protection regulations such as CCPA and GDPR. Website owners need to secure their sites using strong multi-factor authentication to minimize the chance of a large data breach. Consumers must continue to safeguard their personal data and monitor their credit history for signs of fraud.
