A popular WordPress vulnerability has been found carrying a critical vulnerability which allowed hackers to attack websites, steal sensitive data, and even force them offline.
The vulnerability, tracked as CVE-2023-6933, was discovered by WordPress security experts Wordfence, and subsequently fixed by the plugin’s vendor, WP Engine.
The flaw consisted of an object injection vulnerability in the Better Search Replace WordPress plugin. This plugin, which was downloaded and installed more than a million times, helps with search and replace work in databases, when admins migrate their sites to new domains or servers.
Thousands of attacks
All versions of the plugin, up to 1.4.5 which was released last week, are vulnerable to the flaw.
To exploit the vulnerability, however, certain conditions must first be met. Besides having the vulnerable plugin, the website (or a theme on the site) must also contain the Property Oriented Programming (POP) chain. The vulnerability can then be used to trigger the POP chain into performing malicious actions.
And speaking of malice, the flaw allows attackers to do a number of things, from code execution, access to sensitive data, to file manipulation, deletion, and bringing the website into a perpetual state of denial of service.
Wordfence reported that in just 24 hours, hackers initiated more than 2,500 attacks, all of which were blocked.
Users are advised to update their plugin to version 1.4.5. as soon as possible. The WordPress.org website says four in five installations are for version 1.4., but show no statistics for minor releases.
As a website builder, WordPress is generally considered safe. The plugins, most of which are built by third parties, not so much. Many of them are non-commercial, developed by a small team and often not properly maintained. That makes them an ideal candidate to serve as a gateway for breaches and other malicious activity.