A popular WordPress vulnerability has been found with a critical vulnerability that allowed hackers to attack websites, steal sensitive data and even take them offline.
The vulnerability, tracked as CVE-2023-6933, was discovered by WordPress security experts Wordfence and subsequently patched by the plugin’s vendor, WP Engine.
The flaw consisted of an object injection vulnerability in the Better Search Replace WordPress plugin. Downloaded and installed more than a million times, this plugin helps with database search and replace when administrators migrate their sites to new domains or servers.
Thousands of attacks
All versions of the plugin, up to and including 1.4.5 released last week, are vulnerable to the flaw.
However, in order to exploit the vulnerability, certain conditions must first be met. In addition to the vulnerable plugin, the website (or a theme on the site) must also contain the Property Oriented Programming (POP) chain. The vulnerability can then be used to trick the POP chain into performing malicious actions.
And speaking of maliciousness, the flaw allows attackers to do a number of things, from executing code, accessing sensitive data, to file manipulation, deletion, and putting the website in a perpetual state of denial-of-service.
Wordfence reported that hackers launched more than 2,500 attacks in just 24 hours, all of which were blocked.
Users are advised to update their plugin to version 1.4.5. as soon as possible. The website WordPress.org says that four out of five installs are for version 1.4, but does not show statistics for minor releases.
As a website builder, WordPress is generally considered safe. The plugins, most of which are built by third parties, not so much. Many of them are non-commercial, developed by a small team and often not well maintained. That makes them an ideal candidate to serve as a gateway for breaches and other malicious activity.
Through BleepingComputer