WordPress plugin exploit puts over 90,000 sites at risk
Security firm Wordfence recommends users of the Brizy Page Builder plugin upgrade to the latest version immediately
Researchers have unearthed a series of vulnerabilities that could have compromised thousands of WordPress websites.
Potentially exploitable bugs were found in the Brizy Page Builder, a WordPress plugin that is installed across more than 90,000 websites, according to security firm Wordfence.
The company's Threat Intelligence team reported the issues in August and a fix was released shortly afterwards, but it is likely that a number of installations still remain unpatched. If exploited, the vulnerabilities could allow attackers to achieve "complete site takeover" and add malicious code to existing posts.
The vulnerabilities could also allow for any registered user, including subscribers, to pass as an administrator, where they could modify posts and pages, even if they had already been published on a site.
Wordfence's Threat Intelligence team said it stumbled upon the vulnerabilities while conducting a routine review of the Wordfence firewall in July. It said the plugin "did not appear" to be under active attack, but "unusual traffic" led the team to believe that something was amiss.
"The unusual traffic led us to discover two new vulnerabilities as well as a previously patched access control vulnerability in the plugin that had been reintroduced," Wordfence wrote in a blog post. "Both new vulnerabilities could take advantage of the access control vulnerability to allow complete site takeover."
A patched version of the Brizy Page Builder plugin was released on 24 August, just a few days after Wordfence disclosed the vulnerability. Wordfence "strongly recommends" that users update to the latest version of the Brizy Page Builder (2.3.17) as soon as possible.