Insecure WordPress plugin exposes thousands of sites to takeover attacks
Researchers have revealed a series of vulnerabilities that could have exposed thousands of WordPress websites to takeover attacks.
According to a blog post from security firm Wordfence, the bugs were present in Brizy - Page Builder, a WordPress plugin installed across more than 90,000 sites. Although a fix has now been released, it's presumed a number of installations remain unpatched.
If exploited, one chain of vulnerabilities could reportedly allow attackers to execute "full site takeover" and add malicious JavaScript to active posts. Separately, another of the vulnerabilities could be used to upload executable files and achieve remote code execution.
As per the Common Vulnerability Scoring System (CVSS), the Brizy - Page Builder bugs range in severity from medium (6.4) to high (8.8).
WordPress plugin vulnerability
The researchers were first alerted to a potential problem when they observed unusual traffic relating to the Brizy - Page Builder plugin. Although the plugin was not under active attack, the group was able to identify a selection of connected bugs.
"[The unusual traffic] led us to find two new vulnerabilities as well as a previously patched access control vulnerability in the plugin that had been reintroduced," Wordfence explained. "Both new vulnerabilities could take advantage of the access control vulnerability to allow full site takeover."
The nature of these vulnerabilities was such that any registered user (including subscribers) could pass for an administrator and modify posts and pages, even if they had already been published to the site.
The issues were identified by Wordfence in early June. After a full investigation was conducted, the researchers notified the vendor of the vulnerabilities in mid-August and a complete patch was released roughly a week later.
To shield against attack, WordPress users are advised to update to the latest version of the Brizy - Page Builder plugin (version 2.3.17) immediately.
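For administrators who run many sites, the update advice above can be checked in bulk. The following is an added example, not code from the article or from Wordfence: it walks a web root, reads the `Version:` header WordPress plugins carry in their main PHP file, and flags installs older than 2.3.17. The plugin folder name `brizy` and the sample directory tree are assumptions.

```python
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (2, 3, 17)  # patched release named in the article
PLUGIN_DIR = "brizy"        # assumption: folder name under wp-content/plugins

# WordPress reads plugin metadata from a "Version:" line in the header comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.I | re.M)

def parse_version(text):
    """Return the header version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_outdated(version):
    """Compare numerically so that 2.3.9 sorts below 2.3.17."""
    padded = version + (0,) * (len(FIXED_VERSION) - len(version))
    return padded < FIXED_VERSION

def audit(webroot):
    """Return (site, version, status) for every install found under webroot."""
    results = []
    for plugin in sorted(Path(webroot).glob(f"**/wp-content/plugins/{PLUGIN_DIR}")):
        site = plugin.parents[2].name  # directory that contains wp-content
        version = None
        for php in sorted(plugin.glob("*.php")):
            version = parse_version(php.read_text(errors="replace")[:8192])
            if version:
                break
        if version is None:
            results.append((site, None, "unknown"))  # no header: inspect by hand
        else:
            status = "outdated" if is_outdated(version) else "patched"
            results.append((site, ".".join(map(str, version)), status))
    return results

def demo():
    """Constructed sample tree: one install below the fix, one at it."""
    with tempfile.TemporaryDirectory() as root:
        for site, ver in (("blog-a", "2.3.9"), ("blog-b", "2.3.17")):
            d = Path(root, site, "wp-content", "plugins", PLUGIN_DIR)
            d.mkdir(parents=True)
            header = f"<?php\n/**\n * Plugin Name: Brizy\n * Version: {ver}\n */\n"
            (d / "brizy.php").write_text(header)
        return audit(root)

if __name__ == "__main__":
    for row in demo():
        print(row)
```

To audit a real host, call `audit()` with the directory that holds the site roots; an `unknown` status means no version header was found and the install needs manual inspection.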
Source: https://www.techradar.com/news/insecure-wordpress-plugin-exposes-thousands-of-sites-to-takeover-attacks
