Affected versions of the plugin include versions 7.0.0 – 7.0.4. According to Wordfence researchers, the vulnerability allowed unauthenticated attackers to upload arbitrary files, including PHP files, thus performing remote code execution on the server of the vulnerable site.
After contacting the plugin’s developers, the researchers provided full disclosure details, and a patch was eventually made available. Affected sites should update to version 7.0.4 of the Comments – wpDiscuz plugin to avoid any compromise.
More about the Comments – wpDiscuz Plugin Vulnerability
The vulnerability, described as an arbitrary file upload, was introduced in the plugin’s latest major version update, Wordfence says. The flaw has been given a CVSS score of 10, making it highly critical, as it could lead to remote code execution on the server of the affected site. Site owners running any version from 7.0.0 to 7.0.4 should update to the patched version, 7.0.5, as soon as possible.
wpDiscuz, which has been installed on thousands of WordPress sites, is a plugin for responsive comment areas. The plugin is designed to enable users to discuss topics and to customize their comments with the help of a rich text editor. In the 7.x.x versions of the plugin, the developers added the ability to include image attachments in comments uploaded to the site. This new feature, however, lacked proper security protections, which created the critical issue.
It should be noted that the wpDiscuz comments are designed with the intention to only allow image attachments. “However, due to the file mime type detection functions that were used, the file type verification could easily be bypassed, allowing unauthenticated users the ability to upload any type of file, including PHP files,” Wordfence explains.
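The weakness Wordfence describes is relying on a single, spoofable MIME-type check to decide whether an upload is an image. As an added illustration (this is not wpDiscuz's code and not taken from the Wordfence write-up; the function name and the `$uploads_dir` variable are hypothetical), the following PHP validator layers several independent checks so that no single one of them decides whether a comment attachment is accepted:

```php
<?php
// Hypothetical hardened validator for comment image attachments (added example,
// not the plugin's own code). Each check alone can be fooled; together they make
// a non-image file much harder to smuggle past the "images only" policy.

function validate_image_attachment(string $tmp_path, string $client_name): array
{
    // Allowlist of accepted extensions and the MIME type each one must carry.
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];

    // 0. Only accept files that really came through the HTTP upload mechanism.
    if (!is_uploaded_file($tmp_path)) {
        return ['ok' => false, 'reason' => 'not an uploaded file'];
    }

    // 1. Extension: take the LAST extension only and require it to be allowlisted.
    //    A name like "photo.php.jpg" still ends in .jpg, so this is not sufficient alone.
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return ['ok' => false, 'reason' => 'extension not allowed'];
    }

    // 2. Content sniffing (libmagic): the detected type must match the extension's type,
    //    not merely be "some image/*" type, and the client-supplied Content-Type is ignored.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmp_path);
    if ($detected !== $allowed[$ext]) {
        return ['ok' => false, 'reason' => "content type $detected does not match .$ext"];
    }

    // 3. Structural check: the image decoder must parse the file as the same format.
    $info = @getimagesize($tmp_path);
    if ($info === false || $info['mime'] !== $allowed[$ext]) {
        return ['ok' => false, 'reason' => 'not a parseable image'];
    }

    // 4. Never keep the client-supplied name; generate a random name with the safe extension.
    $safe_name = bin2hex(random_bytes(16)) . '.' . $ext;
    return ['ok' => true, 'name' => $safe_name, 'mime' => $allowed[$ext]];
}

// Usage (assumes $_FILES['attachment'] from a multipart form and a $uploads_dir
// where the web server is configured to never execute scripts):
// $r = validate_image_attachment($_FILES['attachment']['tmp_name'], $_FILES['attachment']['name']);
// if ($r['ok']) { move_uploaded_file($_FILES['attachment']['tmp_name'], "$uploads_dir/{$r['name']}"); }
```

Inside WordPress itself, wp_check_filetype_and_ext() performs a comparable extension-plus-content check and is the call a plugin should build on rather than a bare MIME lookup; the storage directory should additionally be configured so that PHP files placed there are never executed.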
Earlier this month, the same team of security researchers reported a vulnerability in another WordPress plugin. The KingComposer WordPress plugin was found to contain several vulnerabilities that could lead to access control over compromised sites. The plugin has been installed on more than 100,000 sites. The researchers discovered an unpatched reflected cross-site scripting (XSS) flaw in the KingComposer plugin, identified as CVE-2020-15299.