A critical security flaw in wpDiscuz, a WordPress plug-in, could enable cybercriminals to remotely execute malicious code on vulnerable website servers. The bug has a CVSS score of 10.0.
wpDiscuz is an Ajax real-time comment system that lets users keep their comments in their database. The plug-in, billed as an alternative to Disqus and Jetpack Comments, has more than 70,000 users. It comes with multiple layouts, interactive comment box, and other features.
In a recent version of the plug-in, wpDiscuz added an option for users to add image attachments in their comments. Its implementation lacked security protections and created a critical flaw that allowed attackers to upload arbitrary files, including PHP files, explains Chloe Chamberland of Wordfence, the security company where this vulnerability was discovered, in a blog post.
Attackers could add image identifying features to files in order to pass the file content verification check. If successful, they could achieve remote code execution on a vulnerable website's server and traverse the hosting account to infect more websites hosted in the account where malicious code was uploaded.
"This would effective give the attacker complete control over every site on your server," Chamberland writes. The vulnerability was discovered in June and reported to the wpDiscuz team, which issued a fix in version 7.0.5 on July 23.
Read more details in the Wordfence disclosure here.