A serious security flaw has been discovered in a WordPress plugin that is used on over 20,000 websites, according to researchers.

The flaw may be found in older versions of the Access Demo Importer plugin, which allows WordPress users to import demo content, widgets, theme options, and other settings to their sites, according to a blog post by security firm Wordfence.

The flaw, if exploited, may allow attackers with subscriber-level access to upload arbitrary files, potentially allowing remote code execution. Sites with open registration, according to Wordfence, may be especially vulnerable to this attack.

WordPress plugin vulnerability

The Access Demo Importer flaw is said to originate in a function that lets users install plugins that are not hosted in the WordPress.org repository.

“Unfortunately, this function had no capability check, nor any nonce checks, which made it possible for authenticated users with minimal permissions, like subscribers, to install a zip file as a ‘plugin’ from an external source,” explained Wordfence.

“This ‘plugin’ zip file could contain malicious PHP files, including web shells, that could be used to achieve remote code execution and ultimately completely take over a site.”
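The two missing checks Wordfence describes map directly onto two WordPress API calls. The following is an added illustration, not code from the Access Demo Importer plugin or from Wordfence: the action name `demo_importer_install_plugin`, the `plugin_url` POST field, the nonce action string and the `install_plugin_from_zip()` helper are all assumed for the example. It shows a handler with the weak pattern the advisory describes beside a hardened one that requires the `install_plugins` capability and a valid nonce before anything is downloaded.

```php
<?php
// Added example, not the plugin's own code. All names below are hypothetical.

// Weak pattern (what the advisory describes): wp_ajax_ hooks are reachable by
// any logged-in user, so without further checks a subscriber can call this.
// Shown for comparison only; it is deliberately NOT registered with add_action().
function weak_install_plugin_handler() {
    $zip_url = isset( $_POST['plugin_url'] ) ? $_POST['plugin_url'] : '';
    // No capability check and no nonce check: any authenticated user triggers
    // a download-and-install of an arbitrary zip (which may contain PHP).
    install_plugin_from_zip( $zip_url );
    wp_send_json_success();
}

// Hardened pattern: verify the nonce issued by the admin page, then require the
// install_plugins capability (administrators only on a single-site install).
add_action( 'wp_ajax_demo_importer_install_plugin', 'hardened_install_plugin_handler' );
function hardened_install_plugin_handler() {
    // Dies with HTTP 403 when the 'nonce' field is missing or does not match
    // the nonce created for this action (blocks CSRF against an admin).
    check_ajax_referer( 'demo_importer_install_plugin', 'nonce' );

    // Authorisation: subscribers do not hold install_plugins, so they stop here.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $zip_url = isset( $_POST['plugin_url'] )
        ? esc_url_raw( wp_unslash( $_POST['plugin_url'] ) )
        : '';

    // Assumed allowlist for this example: only accept packages from the
    // WordPress.org download host rather than any external source.
    if ( 0 !== strpos( $zip_url, 'https://downloads.wordpress.org/plugin/' ) ) {
        wp_send_json_error( array( 'message' => 'Plugin source not allowed.' ), 400 );
    }

    $result = install_plugin_from_zip( $zip_url );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success();
}

// Assumed helper: installs a package using WordPress's own upgrader classes,
// which also validates that the archive is a plugin before activating nothing.
function install_plugin_from_zip( $zip_url ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-ajax-upgrader-skin.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    return $upgrader->install( $zip_url );
}
```

The nonce checked by `check_ajax_referer()` is created on the admin page with `wp_create_nonce( 'demo_importer_install_plugin' )` and passed to the page's JavaScript, typically via `wp_localize_script()`. When auditing a plugin for this class of bug, look for every `wp_ajax_*` and `admin_post_*` handler and confirm that each one performs both a capability check and a nonce check before reaching any file-writing or installer code.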

Wordfence first noticed the flaw in early August. After a series of fruitless efforts to reach the vendor, the security company reported the problem to the WordPress.org team, and the plugin was pulled from the repository to allow the developers to put together a fix. A partial repair was released in early September, followed by a full patch on September 21.

WordPress users are urged to update to the newest version of the Access Demo Importer plugin (version 1.0.7) immediately to protect themselves against attack.
