Newscast

Critical WordPress plugin vulnerability exposes million sites to attacks

By Nik

January 26, 2024

WordPress security experts, Wordfence, uncovered a significant vulnerability, CVE-2023-6933, in the Better Search Replace WordPress plugin. This flaw, an object injection vulnerability, affected all versions of the plugin, including the recent 1.4.5 release. The plugin has been widely downloaded over a million times and assists admins in database searches thus replacing tasks during site migrations.

Exploiting the vulnerability requires specific conditions: the website or theme must contain the Property Oriented Programming (POP) chain. Once triggered, this vulnerability enables attackers to execute malicious actions, including code execution, data access, file manipulation, and inducing a perpetual denial of service.

Within just 24 hours of discovery, Wordfence reported blocking over 2,500 attacks. Users are strongly advised to update to version 1.4.5. However, the WordPress.org website indicates that four in five installations are of version 1.4. while missing statistics for minor releases.

And even though WordPress as a website builder is generally considered safe, the same cannot be said for its plugins. Many, often developed by small, non-commercial teams, lack proper maintenance, making them potential gateways for security breaches and malicious activity. To stay secure make sure to update your plugins regularly.