Analysts at Wordfence found a dangerous vulnerability in the wpDiscuz plugin, which is installed on 70,000 sites. The flaw is exploited by uploading files to the server hosting the vulnerable site, which gives the attacker the ability to execute arbitrary code.
The wpDiscuz plugin for WordPress is an alternative to well-known solutions such as Disqus and Jetpack Comments: it provides the site with an Ajax-based commenting system that stores posts in a local database.
Wordfence experts say they discovered the problem on June 19, 2020, and promptly notified the wpDiscuz developers. The bug is now fixed in version 7.0.5, released on July 23, 2020 (an attempt to fix the problem in version 7.0.4 was unsuccessful). The problem is rated critical and scored 10 out of 10 on the CVSS vulnerability rating scale.
The root of the bug is that, although the plugin was designed to let users attach only image files to messages, vulnerable versions of wpDiscuz failed to check file types properly, so users could upload other files, for example PHP files. After uploading such a file to the server hosting a vulnerable site, attackers could launch and execute it, leading to remote execution of arbitrary code.
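As an added example (not Wordfence's or the wpDiscuz developers' code), the following Python audit walks an uploads directory and reports files that an image-only attachment policy should have rejected. The allowlist, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import sys
from pathlib import Path

# Assumed allowlist for an image-only attachment policy: extension -> magic bytes.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
PHP_TAGS = (b"<?php", b"<?=")  # "<?=" can occur by chance in binary data: review hits

def check_upload(name, data):
    """Return the reasons a file breaks the image-only policy (empty list = OK)."""
    reasons = []
    ext = Path(name).suffix.lower()
    magic = IMAGE_MAGIC.get(ext)
    if magic is None:
        reasons.append(f"extension {ext or '(none)'} is not an allowed image type")
    elif not data.startswith(magic):
        reasons.append(f"content is not a {ext} image")
    # Checking only the leading bytes is not enough: a file can start like an
    # image and still carry script code, so look for PHP open tags as well.
    lowered = data.lower()
    if any(tag in lowered for tag in PHP_TAGS):
        reasons.append("contains a PHP open tag")
    return reasons

def audit_tree(root):
    """Walk an uploads directory and return {path: reasons} for every violation."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            reasons = check_upload(fname, path.read_bytes())
            if reasons:
                findings[str(path)] = reasons
    return findings

# Constructed sample files (name, bytes) used to exercise the checks.
SAMPLES = [
    ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("avatar.gif", b"GIF89a" + b"\x00" * 16),
    ("note.php", b"GIF89a<?php echo 'constructed sample'; ?>"),
    ("banner.jpg", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
]

if __name__ == "__main__":
    # Usage: python audit_uploads.py /path/to/wp-content/uploads
    for path, reasons in audit_tree(sys.argv[1]).items():
        print(path, "->", "; ".join(reasons))
```

Any hit on a site that ran a vulnerable version deserves manual review, and updating to 7.0.5 remains the actual fix.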
Although the patched version of the plugin was released on July 23rd, over the last week it has been downloaded only a little more than 28,000 times (including both updates and new installs). That is, about 42,000 sites using wpDiscuz are still vulnerable to a dangerous bug and can be attacked.
Experts strongly advise site owners to update the plugin to the latest version as soon as possible, as attackers often use known issues in WordPress plugins to take over and even wipe other people's sites.