Researchers recently observed a known, and apparently already fixed, vulnerability being abused in the wild to steal database credentials from WordPress websites.
Cybersecurity researchers at Plugin Vulnerabilities, an organization that monitors flaws in WordPress plugins, reported that a hacker attempted to exploit an arbitrary file viewing vulnerability in the WP Compress plugin.
WP Compress is a plugin that promises to fix slow loading times by compressing the images on a website. Faster loading, its developers say, improves the site's search engine ranking and keeps visitors from abandoning the page.
CVE reserved but still empty
The attacker was using the vulnerability to read the WordPress configuration file, wp-config.php, which among other things holds the site's database credentials and its authentication keys and salts. Because the flaw discloses file contents, updating the plugin does not undo a read that already happened: a site that finds such requests in its web server logs should rotate its database password and regenerate those keys and salts.
Further investigation revealed that the vulnerability has been assigned CVE-2023-6699, but the record is empty. The National Institute of Standards and Technology's National Vulnerability Database (NVD) entry says: “although a CVE ID may have been assigned by CVE or a CNA, it will not be available in the NVD if it has a RESERVED status by CVE.”
The CVE site, on the other hand, says: “This candidate has been reserved by an organization or individual who will use it when announcing a new security issue. When the candidate has been published, the details of this candidate will be provided.”
Plugin Vulnerabilities points out that this is a problem because many IT teams rely on CVE records to track vulnerabilities. While the record stays empty, scanners and inventories keyed on CVE data have nothing to alert on, so many sites remain unaware that they are exposed.
The bug itself was apparently fixed on December 13, 2023. Anyone running the plugin should confirm they are on version 6.10.34 or later.
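The two checks a site operator wants after reading the above are whether the installed plugin is still below the fixed release and whether the web server logs show attempts to pull wp-config.php through the plugin directory. The script below does both; it is an added example, not code from the article, from Plugin Vulnerabilities or from the WP Compress project. The plugin slug `wp-compress-image-optimizer`, the endpoint name `example.php`, the `file` parameter and every log line and WP-CLI record are constructed for illustration: the article does not describe the vulnerable endpoint or parameter, so the log check matches generically on directory traversal sequences or a reference to wp-config in any request under `/wp-content/plugins/`, rather than on a specific exploit URL.

```python
"""Triage for the WP Compress arbitrary file viewing bug: is the installed
version below the fixed release, and do web server logs show attempts to
read wp-config.php through the plugin directory?

Added example, not the article's or the plugin's code. The plugin slug,
the endpoint name 'example.php', the 'file' parameter and all sample data
are assumptions constructed for illustration.
"""
import json
import re
from urllib.parse import unquote

FIXED_VERSION = "6.10.34"  # first fixed release, per the article
PLUGIN_SLUG = "wp-compress-image-optimizer"  # assumption, not from the article


def parse_version(text):
    """'6.10.34' -> (6, 10, 34), so 6.9.x sorts below 6.10.x (a string compare would not)."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_vulnerable(installed, fixed=FIXED_VERSION):
    return parse_version(installed) < parse_version(fixed)


def vulnerable_sites(wp_cli_output_by_site, slug=PLUGIN_SLUG):
    """Map site -> installed version for sites still below the fixed release.
    Each value is the JSON printed by `wp plugin list --format=json` (objects with
    name/status/update/version). Status is ignored on purpose: an inactive
    plugin's files stay on disk, and the fix is the updated code, not deactivation."""
    found = {}
    for site, raw in wp_cli_output_by_site.items():
        for plugin in json.loads(raw):
            if plugin["name"] == slug and is_vulnerable(plugin["version"]):
                found[site] = plugin["version"]
    return found


# Apache/nginx combined log format: ip ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def suspicious_requests(log_lines):
    """Return requests under the plugins directory that traverse or name wp-config.
    The target is percent-decoded twice so %2e%2e%2f and double-encoded
    %252e%252e%252f both normalise to '../' before matching. likely_disclosure
    is set when the server answered 200 with a body: patching afterwards does not
    undo that read, so the DB password and the wp-config.php keys/salts need rotating."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = unquote(unquote(m["target"])).lower()
        if "/wp-content/plugins/" not in target:
            continue
        traverses = "../" in target or "..\\" in target
        names_config = "wp-config" in target
        if not (traverses or names_config):
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "target": target,
            "status": status,
            "likely_disclosure": status == 200 and size > 0 and names_config,
        })
    return hits


# Constructed sample data (not real hosts, addresses, plugin output or log lines).
SAMPLE_WP_CLI = {
    "shop.example": json.dumps([
        {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
        {"name": PLUGIN_SLUG, "status": "active", "update": "available", "version": "6.10.33"},
    ]),
    "blog.example": json.dumps([
        {"name": PLUGIN_SLUG, "status": "inactive", "update": "none", "version": "6.10.34"},
    ]),
}

SAMPLE_LOG = [
    '203.0.113.7 - - [14/Dec/2023:03:12:41 +0000] "GET /wp-content/plugins/'
    'wp-compress-image-optimizer/example.php?file=../../../wp-config.php HTTP/1.1" 200 3181 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Dec/2023:03:12:43 +0000] "GET /wp-content/plugins/'
    'wp-compress-image-optimizer/example.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [14/Dec/2023:03:13:02 +0000] "GET /wp-content/plugins/'
    'wp-compress-image-optimizer/assets/css/style.css HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [14/Dec/2023:03:13:05 +0000] "GET /wp-config.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Dec/2023:03:14:10 +0000] "GET /wp-content/plugins/'
    'wp-compress-image-optimizer/example.php?file=%252e%252e%252f%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3181 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("still vulnerable:", vulnerable_sites(SAMPLE_WP_CLI))
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Against the constructed data the version check flags only `shop.example` (6.10.33), and the log check reports three requests from 203.0.113.7: the plain and double-encoded traversals that returned 200 with a body are marked as likely disclosure, the 403 is not. A direct `GET /wp-config.php` is ignored because it is not served through the plugin directory and, on a normally configured server, executes as PHP and returns nothing.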
“The failure to have CVE records completed in a timely manner is an issue that CVE has been aware of for some time, but has not addressed,” the researchers have emphasized.