Insecure WordPress plugin exposes thousands of sites to takeover attacks

Update this plugin immediately, WordPress users urged


Researchers have disclosed a series of vulnerabilities that could have exposed thousands of WordPress websites to takeover attacks.

According to a blog post from security firm Wordfence, the bugs were present in Brizy - Page Builder, a WordPress plugin installed across more than 90,000 sites. Although a fix has now been released, it is likely that a number of installations remain unpatched.

If exploited, one chain of vulnerabilities could reportedly allow attackers to achieve “complete site takeover” and add malicious JavaScript to existing posts. Separately, another of the vulnerabilities could be exploited to upload executable files and achieve remote code execution.

As per the Common Vulnerability Scoring System (CVSS), the Brizy - Page Builder bugs range in severity from medium (6.4) to high (8.8).

WordPress plugin vulnerability


The researchers were first alerted to a potential problem when they observed unusual traffic relating to the Brizy - Page Builder plugin. Although the plugin was not under active attack, the team was able to identify a set of interconnected bugs.

“[The unusual traffic] led us to discover two new vulnerabilities as well as a previously patched access control vulnerability in the plugin that had been reintroduced,” Wordfence explained. “Both new vulnerabilities could take advantage of the access control vulnerability to allow complete site takeover.”

The nature of these vulnerabilities was such that any registered user (including subscribers, the lowest default role) could act with administrator-level privileges and modify posts and pages, even ones that had already been published on the site.
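To make the class of flaw concrete, the following is an added illustration written for this article; it is not Brizy's code and does not reproduce the plugin's actual logic. It shows a WordPress AJAX "save post" handler that only checks that the caller is logged in (so a subscriber can overwrite any published post and embed JavaScript in it, the scenario described above and in the earlier paragraph on malicious JavaScript), next to a hardened version that uses WordPress's own nonce, capability and content-sanitisation functions. The action names and the `example_` function prefix are assumed for the example.

```php
<?php
/*
 * Added illustration (not the Brizy plugin's code). Both handlers save
 * submitted content to an existing post via admin-ajax.php; only the
 * second one enforces WordPress's authorisation model.
 * Requires the WordPress plugin API (drop into a plugin file to try it).
 */

// VULNERABLE PATTERN: "is anyone logged in?" is treated as authorisation.
// A subscriber can POST action=example_insecure_save_post&post_id=1&content=...
// and rewrite a published post, including planting <script> tags.
function example_insecure_save_post() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    $post_id = (int) $_POST['post_id'];
    wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => wp_unslash( $_POST['content'] ), // raw HTML/JS stored as-is
    ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_insecure_save_post', 'example_insecure_save_post' );

// HARDENED: nonce first, then a per-post capability check, then sanitisation.
function example_secure_save_post() {
    // Rejects forged cross-site requests; dies with 403 when the nonce is bad.
    check_ajax_referer( 'example_save_post', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // 'edit_post' is a meta capability: WordPress maps it to
    // edit_posts / edit_others_posts / edit_published_posts as appropriate,
    // so subscribers, and contributors on published posts, are refused here.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // wp_kses_post() strips <script>, on* handlers and javascript: URLs,
    // so even a legitimate editor without unfiltered_html cannot store JS.
    $content = wp_kses_post( wp_unslash( $_POST['content'] ?? '' ) );

    $result = wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => $content,
    ), true ); // second argument: return WP_Error instead of 0 on failure

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
add_action( 'wp_ajax_example_secure_save_post', 'example_secure_save_post' );
```

The practical check when auditing a plugin is the same as the difference between these two functions: for every `wp_ajax_*` or REST callback that changes state, confirm that the handler calls `current_user_can()` with a capability that actually matches the action (not merely `is_user_logged_in()`), that it verifies a nonce, and that anything written to the database passes through `wp_kses_post()` or an equivalent sanitiser when the caller lacks `unfiltered_html`.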


The issues were identified by Wordfence in early June. After a full investigation was conducted, the researchers notified the vendor of the vulnerabilities in mid-August and a full patch was released roughly a week later.

To shield against attack, WordPress users are advised to update to the latest version of the Brizy - Page Builder plugin (version 2.3.17) immediately.

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He’s responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.
