Nearly a million WordPress websites were vulnerable to a flaw that allowed hackers to change content on several pages.
a report from Wordfence noted that the vulnerability could lead to hackers modifying sensitive data and potentially abusing the website builder system.
According to the report, the websites were vulnerable through a WordPress plugin called Website Builder, developed by SeedProd, which has more than 900,000 active installations. The vulnerability involved a missing capacity check in one of the plugin’s features, which allowed hackers to modify content on sites such as “coming soon”, maintenance pages or 404 pages, created using the plugin.
Targeting plugins
WordPress websites with versions up to 6.15.21 of the plugin installed were vulnerable, the report further said. However, SeedProd has addressed this and released a patch that brings the plugin to version 6.15.22. All WordPress website owners using the plugin are advised to apply the patch immediately.
The vulnerability itself is tracked as CVE-2024-1072 and has a severity score of 8.2/10 in the Common Vulnerability Scoring System (CVSS), making it a ‘high risk’ flaw.
WordPress is by far the most popular website builder in the world, powering almost half (43%) of all websites on the internet. This also makes it an extremely popular target among hackers. However, WordPress is generally considered secure, as less than 1% of all known vulnerabilities on the platform target the website builder itself.
Instead, hackers usually look for bugs in plugins and add-ons, as many of them are not checked as thoroughly or updated as often as they should. This is especially true for non-commercial plugins, which are often built by a single developer and sometimes abandoned, but still widely used. Administrators are advised to always keep all their plugins up to date.