Nasty WordPress plugin bug puts thousands of sites at risk

News
By published

A bug allowed for data exfiltration and arbitrary code execution

WordPress logo
(Image credit: WordPress)

A high-severity vulnerability recently discovered in a WordPress plugin put some 60,000 websites at risk of website takeover, data exfiltration, or remote code execution.

This is according to the Wordfence Threat Intelligence, a research team that hunts for bugs in one of the world’s most popular CMS platforms, WordPress

The Wordfence’s report explains that, in mid-April, the team found an Object Injection vulnerability in the Booking Calendar plugin which, at press time, has had more than 60,000 installations. 

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Executing arbitrary code

The plugin gives webmasters the option to add a booking system to the site, which includes the ability to publish a flexible timeline, showing existing bookings and openings.

The flexible timeline also allows webmasters to configure viewing preferences and options, when viewing the published timeline. Some of these options were passed in PHP’s serialized data, Wordfence explained, and an attacker could control this data through multiple methods. 

“Any time an attacker can control data that is unserialized by PHP, they can inject a PHP object with properties of their choice,” the announcement reads. “If a 'POP Chain' is also present, it can allow an attacker to execute arbitrary code, delete files, or otherwise destroy or gain control of a vulnerable website.”

Read more

> WordPress.com website builder review

> Major WordPress update will make amateurs look like master web developers

> WordPress plugin vulnerability exposed millions of websites to attack

The silver lining in the finding is that Wordfence did not find any POP chains in the Booking plugin, meaning attackers would need “some luck” and additional research to make use of the flaw. Still, as POP chains often appear in software libraries, the threat is real.

Wordfence notified the developers of its findings in mid-April and the patch was deployed within three days. Users are advised to patch to version 9.1.1. of the plugin, as soon as possible. 

Being among the most popular website hosting platforms in the world, WordPress and its plugins are often targeted by threat actors, looking for zero-days through which they could deploy malware. While WordPress itself is generally considered safe, its thousands of third-party plugins are bound to suffer from a few vulnerabilities. 

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Another serious WordPress plugin vulnerability could put 40,000 sites at risk of attack
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Over a million WordPress sites exposed to attack from W3 Total Cache plugin flaw
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Thousands of WordPress websites hit in new malware attack, here's what we know
WordPress
Another top WordPress plugin found carrying critical security flaws
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
WordPress
WordPress users beware - these popular theme plugins have some major security issues
Latest in Security
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Coinbase targeted after recent Github attacks
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Oracle
Oracle denies data breach after hacker claims to hold six million records
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Latest in News
A phone showing a ChatGPT app error message
ChatGPT is down for many – here's what's going on
A woman sitting in a chair looking at a Windows 11 laptop
It looks like Microsoft might have thought better about banishing Copilot AI shortcut from Windows 11
Tesla Roadster 2
Tesla is still taking deposits on its long overdue Roadster, despite promising it would arrive in 2020
Samsung HW-Q990D soundbar with Halloween theme over the top
Samsung promises to repair soundbars bricked by its disastrous software update for free – but it'll probably involve shipping
Google Gemini AI
Gmail is adding a new Gemini AI tool to help smarten up your work emails
DJI Mavic 3 Pro
More DJI Mavic 4 Pro leaks seemingly reveal launch date, price and key features of the triple camera drone – here's what to expect
More about security
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol

Coinbase targeted after recent Github attacks
Oracle

Oracle denies data breach after hacker claims to hold six million records
A phone showing a ChatGPT app error message

ChatGPT is down for many – here's what's going on
See more latest
Most Popular
A phone showing a ChatGPT app error message
ChatGPT is down for many – here's what's going on
A woman sitting in a chair looking at a Windows 11 laptop
It looks like Microsoft might have thought better about banishing Copilot AI shortcut from Windows 11
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Coinbase targeted after recent Github attacks
Surface Laptop 7
Amazon warns customers about the Surface Laptop – and it’s not just bad news for Microsoft
vector isometric illustration of a handheld gaming console
SteamOS is about to change handheld gaming PCs as HP finally considers ditching Windows 11
Oracle
Oracle denies data breach after hacker claims to hold six million records
Tesla Roadster 2
Tesla is still taking deposits on its long overdue Roadster, despite promising it would arrive in 2020
DJI Mavic 3 Pro
More DJI Mavic 4 Pro leaks seemingly reveal launch date, price and key features of the triple camera drone – here's what to expect
De'Longhi Linea Classic espresso machine on kitchen counter with hot and cold coffee drinks
I'm a qualified barista, and De'Longhi's latest espresso machine could be this year's best budget buy for coffee lovers
Man sitting on sofa, drinking coffee, looking at phone in surprise
Thousands of coffee lovers warned to stop using their espresso machines immediately after reports of burns and lacerations