GiveWP WordPress Plugin Flaw Exposes 100,000 Websites to Remote Code Execution Attacks
Published on August 21, 2024
WordPress is one of the most popular content management systems and powers a third of all websites on the internet. With millions of users using the platform, it has become a major target for cybercriminals. One of the biggest sources of cyber attacks on the platform is the use of outdated plugins or an outdated version of WordPress itself.
According to a report by TrendMicro, there are two critical vulnerabilities in WordPress. If exploited, attackers could execute PHP code and gain complete system control. The two vulnerabilities affect WordPress versions 5 (prior to 5.0.1) and 4 (prior to 4.9.9). The security researchers have already informed WordPress about the issue.
Both the reported WordPress vulnerabilities are related and patching CVE-2019-8942 makes CVE-2019-8943 non-exploitable. According to TrendMicro “the former plays an essential part in successfully exploiting the latter. That’s because the meta_key in _wp_attached_file first needs to be updated or modified to a path traversal file name before it can execute an embedded PHP code.”
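Since the quoted explanation makes a modified _wp_attached_file value the precondition for the second bug, a site owner can look for exactly that. The following is an added example, not code from the article or from TrendMicro's report: a small Python audit over rows exported from the standard WordPress wp_postmeta table (table name and row layout are assumptions; the sample rows are constructed) that flags attachment paths containing traversal segments or PHP-executable names.

```python
import posixpath
import re

# Constructed sample of rows exported from the wp_postmeta table
# (table name assumed; only meta_key "_wp_attached_file" is named in the article).
# Each tuple is (post_id, meta_key, meta_value).
SAMPLE_ROWS = [
    (101, "_wp_attached_file", "2024/08/banner.jpg"),
    (102, "_wp_attached_file", "2024/08/report.pdf"),
    (103, "_wp_attached_file", "evil.jpg?/../../../evil.jpg"),
    (104, "_wp_attached_file", "2024/08/shell.php"),
    (105, "_wp_attached_file", "../../wp-config.php"),
    (106, "_thumbnail_id", "103"),
]

# .php, .php7, .phtml, .phar; also catches double extensions such as x.php.jpg
PHP_EXT = re.compile(r"\.ph(p\d?|tml|ar)(\b|$)", re.IGNORECASE)

def suspicious_reasons(meta_value):
    """Return the reasons an _wp_attached_file value looks tampered with (empty if clean)."""
    reasons = []
    if "\x00" in meta_value:
        reasons.append("null byte")
    # upload paths are stored relative to the uploads directory, never absolute
    if meta_value.startswith("/"):
        reasons.append("absolute path")
    # any literal '..' segment is a traversal attempt, whatever it resolves to
    if ".." in meta_value.split("/"):
        reasons.append("parent-directory segment")
    # a normalized path that still climbs above the uploads root escapes it
    if posixpath.normpath(meta_value).startswith(".."):
        reasons.append("escapes uploads root")
    if "?" in meta_value or "#" in meta_value:
        reasons.append("query/fragment characters")
    if PHP_EXT.search(meta_value):
        reasons.append("PHP-executable extension")
    return reasons

def audit_attached_files(rows):
    """Return {post_id: reasons} for every _wp_attached_file row that is suspicious."""
    findings = {}
    for post_id, meta_key, meta_value in rows:
        if meta_key != "_wp_attached_file":
            continue
        reasons = suspicious_reasons(meta_value)
        if reasons:
            findings[post_id] = reasons
    return findings

if __name__ == "__main__":
    for post_id, reasons in audit_attached_files(SAMPLE_ROWS).items():
        print(post_id, ", ".join(reasons))
```

Any hit deserves a look at the attachment post and the file on disk; a clean uploads directory only contains relative paths with media extensions.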
It is important for WordPress users to keep their plugins and the platform itself updated. Exploits for older versions of the platform are constantly being discovered, and patches take time to be deployed. There may be more vulnerabilities in the content management system's older versions that have not been discovered yet. TrendMicro recommends replacing outdated plugins that are no longer in development with newer plugins.
Recently, an AJAX-related flaw was discovered in the WP Cost Estimation & Payments Forms Builder plugin and was exploited by hackers. Because the plugin has over 11,000 downloads listed on the official website, in addition to many illegal third-party downloads, the scale of the attack is unknown.
What do you think about the two vulnerabilities discovered in WordPress? Let us know in the comments below. Feel free to share your thoughts with our online community on Facebook and Twitter.