Researchers have found a serious vulnerability affecting the WordPress plugin installed on more than 20,000 websites.
According to a blog post by security firm Wordfence, the bug is present in older versions of the Access Demo Importer plugin, which allows WordPress users to import demo content, widgets, theme options, and other settings to their sites.
According to the report, if exploited, the flaw can allow attackers with subscriber-level access to download arbitrary files, setting the stage for code execution. Wordfence says that sites with open registration may be particularly exposed to this kind of attack.
The vulnerability was given a severity score of 8.8 out of 10 under the Common Vulnerability Scoring System (CVSS).
Weakness in WordPress plugin
Access Demo Importer’s vulnerability is said to be caused by a feature that allows users to install plugins placed outside the official WordPress repository.
“Unfortunately, there was no ability check or no uncertainty check in this functionality, which allowed authenticated users with minimal permissions, such as subscribers, to download a zip file from an external source as a plugin,” Wordfence said.
“This ‘plugin’ zip file can contain malicious PHP files, including web shells, which can be used to remotely execute code and eventually capture the site completely.”
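As an added illustration (not the plugin's own code), the following shows a hypothetical WordPress admin-ajax handler that installs a plugin from a remote zip URL, first with the permission and request-validity checks missing, as the quote describes, and then with WordPress's standard capability and nonce checks in place. All function, action and nonce names here are invented for the example.

```php
<?php
// Added example, not code from the Access Demo Importer plugin.
// Function, action and nonce names are hypothetical.

// WEAK PATTERN: any logged-in user reaching admin-ajax.php (a subscriber included)
// can trigger this, because it never checks who the caller is or whether the
// request is genuine before fetching and installing a remote zip as a plugin.
function hypo_install_remote_plugin_weak() {
    $url = isset( $_POST['plugin_url'] ) ? $_POST['plugin_url'] : '';
    hypo_do_install( $url );
    wp_send_json_success();
}

// HARDENED: authorization first, then request validity, then input validation.
function hypo_install_remote_plugin_secure() {
    // Capability check: only users allowed to install plugins may proceed.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    // Nonce check: rejects forged or replayed requests (dies on failure).
    // The issuing page must embed wp_create_nonce( 'hypo_install_plugin' ) as 'nonce'.
    check_ajax_referer( 'hypo_install_plugin', 'nonce' );

    // Input validation: require a well-formed https URL before fetching anything.
    $url = isset( $_POST['plugin_url'] ) ? esc_url_raw( wp_unslash( $_POST['plugin_url'] ) ) : '';
    if ( '' === $url || 'https' !== wp_parse_url( $url, PHP_URL_SCHEME ) ) {
        wp_send_json_error( 'Invalid plugin URL.', 400 );
    }

    hypo_do_install( $url );
    wp_send_json_success();
}

// Shared install step using WordPress' own upgrader; identical in both handlers,
// which is the point: the defect is in the missing checks, not in the install itself.
function hypo_do_install( $url ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    return $upgrader->install( $url );
}

// Only the hardened handler is registered.
add_action( 'wp_ajax_hypo_install_plugin', 'hypo_install_remote_plugin_secure' );
```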
The vulnerability was first discovered by Wordfence in early August. After a series of unsuccessful attempts to contact the vendor, the security firm reported the problem to the WordPress.org team, and the plugin was removed from the repository to allow the developers to create a patch. A partial fix was issued in early September, followed by a complete patch on September 21.
To protect against attacks, WordPress users are advised to immediately update to the latest version of the Access Demo Importer plugin (version 1.0.7).