Nearly a million WordPress websites were vulnerable to a flaw that allowed hackers to modify the content of different pages.
A report from Wordfence noted that the vulnerability could lead to hackers altering sensitive data and potentially exploiting the website creation system.
According to the report, the websites were vulnerable through a WordPress plugin called Website Builder, developed by SeedProd that has more than 900,000 active installations. The vulnerability involved a missing capability check in one of the plugin's functions, which allowed hackers to modify content on sites such as “coming soon”, maintenance pages, or 404 pages, created with the plugin.
Orientation Plugins
WordPress websites with versions up to 6.15.21 of the plugin installed were vulnerable, according to the report. However, SeedProd fixed the issue and released a patch that updates the plugin to version 6.15.22. All WordPress website owners using the plugin are recommended to apply the patch immediately.
The vulnerability itself is tracked as CVE-2024-1072 and has a severity score of 8.2/10 on the Common Vulnerability Scoring System (CVSS), making it a “high risk” flaw.
WordPress is by far the most popular website builder in the world, powering nearly half (43%) of all websites on the internet. This also makes it an extremely popular target among hackers. However, WordPress is generally considered secure, with less than 1% of all known vulnerabilities on the platform pointing to the website creator.
Instead, hackers often look for flaws in plugins and add-ons, as many of them are not monitored as closely or updated as frequently as they should be. This rings particularly true for non-commercial plugins, which are often created by a single developer and sometimes abandoned, but are still widely used. Administrators are recommended to always keep all their plugins up to date.