A popular WordPress plugin has been found to carry a critical vulnerability that allowed hackers to attack websites, steal sensitive data, and even force them offline.
The vulnerability, tracked as CVE-2023-6933, was discovered by WordPress security experts Wordfence and subsequently patched by the plugin's provider, WP Engine.
The flaw is an object injection vulnerability in the Better Search Replace WordPress plugin. Downloaded and installed over a million times, this plugin handles the search-and-replace database work administrators perform when migrating their sites to new domains or servers.
Thousands of attacks
All versions of the plugin before 1.4.5, the release that shipped last week, are vulnerable to the flaw.
However, to exploit the vulnerability, certain conditions must first be met. In addition to having the vulnerable plugin, the website (or a theme on the site) must also contain a Property Oriented Programming (POP) chain. The vulnerability can then be used to trigger the POP chain and perform malicious actions.
And speaking of maliciousness, the flaw allows attackers to do a number of things, from executing code, accessing sensitive data, to manipulating and deleting files and driving the website into a perpetual denial of service state.
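As an added illustration that is not part of the original article or of the plugin's own code, the snippet below shows the generic pattern behind PHP object injection, untrusted input handed to unserialize(), beside a hardened form that refuses to instantiate classes; the AuditLogger class, both functions and the sample payload are hypothetical and constructed for this example.

```php
<?php
// Added illustration (hypothetical code, not the plugin's): why unserialize()
// on attacker-influenced input is dangerous and how to harden the call.

// A class with a magic method stands in for a "gadget" that a POP chain
// would reach; here it only counts how often it was woken up.
class AuditLogger {
    public $path = '/tmp/audit.log';
    public static $wakeups = 0;
    public function __wakeup() {
        // In a real gadget this side effect could touch files or the database.
        self::$wakeups++;
    }
}

// Vulnerable pattern: a serialized value arrives from a request parameter
// and goes straight into unserialize(), so any class in the codebase with a
// magic method (__wakeup, __destruct, ...) can be instantiated by the caller.
function restore_value_unsafe(string $untrusted) {
    return unserialize($untrusted);
}

// Hardened pattern: allowed_classes => false turns every object into
// __PHP_Incomplete_Class, so no magic method runs. For plain settings data,
// a format that cannot carry objects at all (JSON) is the better choice.
function restore_value_safe(string $untrusted) {
    $value = unserialize($untrusted, ['allowed_classes' => false]);
    if ($value instanceof __PHP_Incomplete_Class) {
        return null; // objects were never expected here; reject them
    }
    return $value;
}

// Constructed sample input: a serialized AuditLogger object, as an
// attacker-controlled parameter might carry it.
$payload = 'O:11:"AuditLogger":1:{s:4:"path";s:14:"/tmp/audit.log";}';

restore_value_unsafe($payload);
echo "unsafe: __wakeup ran " . AuditLogger::$wakeups . " time(s)\n";

restore_value_safe($payload);
echo "safe:   __wakeup ran " . AuditLogger::$wakeups . " time(s)\n";
```

Running the script shows the counter increasing after the unsafe call only, which is the behaviour a reviewer should look for when auditing any unserialize() call that can see request data.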
Wordfence reported that in just 24 hours, hackers launched more than 2,500 attacks, all of which were blocked.
Users are advised to update the plugin to version 1.4.5 as soon as possible. The WordPress.org website says that four out of five installations are on version 1.4, but does not show statistics for lower versions.
As a website builder, WordPress is generally considered safe. Plugins, most of which are created by third parties, not so much. Many of them are non-commercial, developed by a small team, and often not properly maintained. That makes them ideal candidates to serve as a gateway to breaches and other malicious activity.
Via BleepingComputer