Researchers have disclosed a serious security vulnerability affecting a WordPress plugin installed on more than 20,000 websites.
According to a blog post from the security company Wordfence, the bug is present in older versions of the Access Demo Importer plugin, which allows WordPress users to import demo content, widgets, theme options, and other settings into their sites.
If exploited, the vulnerability could allow attackers with subscriber-level access to download arbitrary files onto the server, setting the stage for remote code execution. Wordfence says sites with open registration could be particularly vulnerable, since any visitor can create a subscriber account.
The vulnerability was assigned a severity score of 8.8 out of 10 under the Common Vulnerability Scoring System (CVSS).
The WordPress plugin vulnerability
The Access Demo Importer vulnerability is believed to stem from a feature that allows users to install plugins hosted outside of the official WordPress repository.
“Unfortunately, this feature had no capacity control, nor any nonce control, which allowed authenticated users with minimal permissions, such as subscribers, to install a zip file as a ‘plugin’ from within an external source,” Wordfence explained.
“This ‘plugin’ zip file could contain malicious PHP files, including webshells, which could be used to remotely execute code and ultimately take over a site completely.”
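To make the advisory's point concrete, the following is an added PHP illustration, not code from the Access Demo Importer plugin or from Wordfence: a WordPress AJAX plugin-install handler in the unsafe shape the quote describes (no capability check, no nonce check), next to a hardened version. The hook names and the install_plugin_from_url() helper are hypothetical; the WordPress API calls are real.

```php
<?php
// Added illustration (hypothetical hook names). Every wp_ajax_* hook is
// reachable by any logged-in user, so the handler itself must enforce
// who may install plugins and prove the request came from a real form.

// UNSAFE SHAPE: no capability check, no nonce check, attacker-chosen URL.
// A subscriber can call this and have the site fetch and unpack any zip.
add_action( 'wp_ajax_demo_install_plugin_unsafe', function () {
    $zip_url = isset( $_POST['plugin_url'] ) ? $_POST['plugin_url'] : '';
    install_plugin_from_url( $zip_url ); // hypothetical helper
    wp_send_json_success();
} );

// HARDENED SHAPE: require install_plugins (subscribers, contributors,
// authors and editors do not have it), verify an action-bound nonce,
// and install by wordpress.org slug instead of an arbitrary URL.
add_action( 'wp_ajax_demo_install_plugin', function () {
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    check_ajax_referer( 'demo_install_plugin', 'nonce' ); // dies on failure

    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( 'missing slug', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';

    // plugins_api() resolves the slug to a wordpress.org download link,
    // so the package origin is no longer attacker-controlled.
    $api = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( $api->get_error_message(), 400 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'install failed', 500 );
    }
    wp_send_json_success( array( 'slug' => $slug ) );
} );

// The page that renders the installer form emits the matching nonce:
//   wp_nonce_field( 'demo_install_plugin', 'nonce' );
```

The two checks are independent: the capability check stops low-privilege accounts, and the nonce check stops an administrator from being tricked into triggering the install via cross-site request forgery.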
The vulnerability was first identified by Wordfence in early August. After a series of failed attempts to contact the vendor, the security company reported the issue to the WordPress.org team, and the plugin was removed from the repository to allow the developers to create a fix. A partial fix was deployed in early September, followed by a full fix on September 21.
To protect against attacks, WordPress users are advised to immediately update to the latest version of the Access Demo Importer plugin (version 1.0.7).