wpDiscuz Plugin Fixes Critical Arbitrary File Upload Vulnerability

wpDiscuz version 7 is a revolutionary perspective on the commenting world! This plugin is designed to change your website commenting experience and provides you with new user engagement features.

On June 19th, the Wordfence Threat Intelligence team discovered a vulnerability in Comments – wpDiscuz, a WordPress plugin that is installed on over 80,000 sites. This flaw allowed unauthenticated attackers to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.

This vulnerability was introduced in the plugin’s latest major version update. It is considered a critical security issue that could lead to remote code execution on a vulnerable site’s server. If you are running any version from 7.0.0 to 7.0.4 of this plugin, we highly recommend updating to the patched version, 7.0.5, immediately.

wpDiscuz is a plugin designed to create responsive comment areas on WordPress installations. It enables users to discuss topics and easily customize their comments using a rich text editor.

The latest plugin overhaul added the ability to include image attachments in comments, which are uploaded to the site and included in the comments. Unfortunately, the implementation of this feature lacked security protections, creating a critical vulnerability.

This made it possible for attackers to create a file of any type and add image-identifying features to it so that it passed the file content verification check. A PHP file attempting to bypass this verification could look something like this in a request:

------WebKitFormBoundaryXPeRFAXCS9qPc2sB
Content-Disposition: form-data; name="wmu_files[0]"; filename="myphpfile.php"
Content-Type: application/php

‰PNG

The file path was returned as part of the request’s response, allowing a user to easily find the file’s location and access the file once it was uploaded to the server. This meant that attackers could upload arbitrary PHP files and then access those files to trigger their execution on the server, achieving remote code execution.
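The gap described above, as an added example that is not wpDiscuz or Wordfence code: a check that looks only at the file content accepts the file from the request shown above, while a stricter check also requires the file name's extension to match the detected image type. The function names, the allow-list and the sample bytes are assumptions constructed for illustration.

```python
import os

# Leading "magic" bytes for the image types an upload feature might accept.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Hypothetical allow-list: extensions permitted for each detected type.
ALLOWED_EXT = {"png": {"png"}, "jpg": {"jpg", "jpeg"}, "gif": {"gif"}}


def sniff_type(data):
    """Return the image type suggested by the leading bytes, or None."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def content_only_check(filename, data):
    """Weak check (assumed behaviour): trusts the leading bytes, ignores the name."""
    return sniff_type(data) is not None


def strict_check(filename, data):
    """Hardened check: the content and the file name must both be acceptable."""
    kind = sniff_type(data)
    if kind is None:
        return False, "content is not a recognised image"
    name = os.path.basename(filename.replace("\\", "/")).lower()
    parts = name.split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "file name must have exactly one extension"
    if parts[1] not in ALLOWED_EXT[kind]:
        return False, f"extension .{parts[1]} does not match {kind} content"
    return True, "ok"


# Constructed sample: PNG magic bytes followed by a harmless placeholder,
# using the file name from the request shown above.
SAMPLE_NAME = "myphpfile.php"
SAMPLE_DATA = MAGIC["png"] + b"<?php /* placeholder */ ?>"

if __name__ == "__main__":
    print("content-only check accepts:", content_only_check(SAMPLE_NAME, SAMPLE_DATA))
    print("strict check:", strict_check(SAMPLE_NAME, SAMPLE_DATA))
```

An extension check like this works alongside storing uploads under server-generated names in a directory where script execution is disabled; it does not replace those measures.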

If exploited, this vulnerability could allow an attacker to execute commands on your server and traverse your hosting account to further infect any sites hosted in the account with malicious code. This would effectively give the attacker complete control over every site on your server.

Both sites using Wordfence Premium and those still using the free version of Wordfence are protected from attacks against this vulnerability. Read more about this on Wordfence.
