A critical vulnerability, termed an Arbitrary Options Update flaw (CVE-2024-5324), has been discovered in the Login/Signup Popup WordPress plugin, which has over 40,000 active installations. Attackers with subscriber-level access can use this flaw to manipulate site options and escalate their privileges.
The discovery of this vulnerability was credited to 1337_Wannabe, a participant in the Bug Bounty Program.
A detailed analysis by cybersecurity experts revealed that the flaw resided within the plugin’s ‘import_settings’ function, where crucial capability and nonce checks were lacking. This oversight created an opportunity for attackers to manipulate site options, potentially leading to the unauthorised creation of administrator accounts and other malicious activities.
“As with any Arbitrary Options Update vulnerability, this can be used to accomplish a complete site compromise by setting the default registration role to administrator and enabling user registration (if not already enabled),” explained researchers from Wordfence. “Once an attacker has edited the site options, they can create an administrative account on the WordPress site, and then, once registered and logged in, they can manipulate anything on the targeted site, just like a normal administrator would.”
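To make the missing checks concrete, here is a constructed illustration (not the plugin's own code; the handler names, nonce action and option keys are assumptions) of a settings-import AJAX handler that writes to the options table without authorisation, beside the hardened form that verifies a nonce, requires an administrative capability and restricts writes to an allowlist of the plugin's own keys:

```php
<?php
// Constructed example, not code from the Login/Signup Popup plugin.
// Handler names, the nonce action and the option keys are assumptions.

// Vulnerable pattern: a wp_ajax_ hook only requires that the caller be
// logged in, so without a capability or nonce check any subscriber can
// push arbitrary keys into the options table, including core settings.
function lsp_example_import_settings_vulnerable() {
    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    foreach ( (array) $settings as $key => $value ) {
        update_option( $key, $value ); // no restriction on which option is written
    }
    wp_send_json_success();
}

// Hardened pattern: CSRF protection, authorisation, and an explicit
// allowlist so only the plugin's own settings can be modified.
function lsp_example_import_settings_fixed() {
    check_ajax_referer( 'lsp_example_import', 'nonce' );   // dies on a bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {         // admin-only action
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    $allowed  = array( 'lsp_example_popup_title', 'lsp_example_popup_enabled' );
    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( 'invalid payload', 400 );
    }
    foreach ( $settings as $key => $value ) {
        if ( in_array( $key, $allowed, true ) ) {
            update_option( $key, sanitize_text_field( (string) $value ) );
        }
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_lsp_example_import_settings', 'lsp_example_import_settings_fixed' );
```

When auditing a plugin for this class of bug, look for every `wp_ajax_` or `admin_post_` callback that reaches `update_option()` and confirm all three controls are present.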
Attackers can upload plugin or theme files in ZIP format laced with backdoor malware. They can also modify posts and pages and redirect users to malicious or scam websites.
In response to the identified threat, Wordfence deployed protective measures. Premium, Care, and Response users of Wordfence were provided with a firewall rule on May 28, 2024, offering immediate protection against potential exploits targeting this vulnerability, while free users can expect to receive the same level of protection by June 27, 2024.
Researchers have urged WordPress site administrators and users to update their Login/Signup Popup plugin to the latest version, 2.7.3, without delay. Failure to do so could leave sites vulnerable to unauthorised data modifications and potential compromise.
Last month, critical vulnerabilities were discovered in three WordPress plugins — WP Statistics, WP Meta SEO, and LiteSpeed Cache — affecting millions of installations.
In April, it was reported that the LayerSlider plugin is vulnerable to SQL injection flaws, affecting millions of sites.