• Insecure WordPress plugin exposes thousands of sites to takeover

    From TechnologyDaily@1337:1/100 to All on Thu Oct 14 12:15:05 2021
    Insecure WordPress plugin exposes thousands of sites to takeover attacks

    Date:
    Thu, 14 Oct 2021 10:54:05 +0000

    Description:
    A series of WordPress plugin bugs could be used to seize control of affected websites.

    FULL STORY ======================================================================

    Researchers have disclosed a series of vulnerabilities that could have
    exposed thousands of WordPress websites to takeover attacks.

    According to a blog post from security firm Wordfence, the bugs were present in Brizy - Page Builder, a WordPress plugin installed across more than 90,000 sites. Although a fix has now been released, it's likely a number of installations remain unpatched.

    If exploited, one chain of vulnerabilities could reportedly allow attackers
    to carry out a complete site takeover and add malicious JavaScript to existing posts. Separately, another of the vulnerabilities could be exploited to
    upload executable files and achieve remote code execution.

    As per the Common Vulnerability Scoring System (CVSS), the Brizy - Page Builder bugs range in severity from medium (6.4) to high (8.8).

    WordPress plugin vulnerability

    The researchers were first alerted to a potential problem when they observed unusual traffic relating to the Brizy - Page Builder plugin. Although the plugin was not under active attack, the group was able to identify a
    selection of interconnected bugs.

    "[The unusual traffic] led us to discover two new vulnerabilities as well as a previously patched access control vulnerability in the plugin that had been reintroduced," Wordfence explained. "Both new vulnerabilities could take advantage of the access control vulnerability to allow complete site
    takeover."

    The nature of these vulnerabilities was such that any registered user (including subscribers) could pass for an administrator and modify posts and pages, even if they had already been published to the site.

    The issues were identified by Wordfence in early June. After a full investigation was conducted, the researchers notified the vendor of the vulnerabilities in mid-August and a full patch was released roughly a week later.

    To shield against attack, WordPress users are advised to update to the latest version of the Brizy - Page Builder plugin (version 2.3.17) immediately.



    ======================================================================
    Link to news story: https://www.techradar.com/news/insecure-wordpress-plugin-exposes-thousands-of-sites-to-takeover-attacks/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)