Researchers recently observed a known and apparently resolved vulnerability that is being exploited in the wild to steal login credentials for WordPress websites.
Cybersecurity researchers from Vulnerabilities in pluginsAn organization that monitors WordPress plugin bugs reported that a hacker tried to exploit an arbitrary file-viewing vulnerability in the WP Compress plugin.
WP Compress is a plugin that promises to solve slow loading times by compressing the images on the website. By improving loading times, the developers say the sites will perform better in search engine rankings. This can also prevent visitors from leaving the page.
No CVE record
By exploiting the vulnerability, the hacker attempted to view the contents of the WordPress configuration files, which, among other things, also contain the website's database data.
Further investigation revealed that the vulnerability is being tracked as CVE-2023-6699, but the record is empty. The National Institute of Standards and Technology website states: “Although a CVE ID may be assigned by CVE or a CNA, it will not be available in the NVD if it is in RESERVED status by CVE.”
In contrast, the CVE site states: “This candidate has been reserved by an organization or individual that will use it when announcing a new security vulnerability. Details of this candidate will be provided once the candidate has been announced.”
Plugin Vulnerabilities further explains that this is problematic because many IT teams rely on information from CVE to monitor vulnerabilities. Because no information is provided, many websites are left in the dark about the potential vulnerability they pose.
However, the bug was apparently fixed on December 13, 2023. Those using the plugin should make sure they update it to version 6.10.34.
“The lack of timely completion of CVE files is a problem that has been known to CVE for some time, but for which no solution has yet been found,” the researchers emphasize.