Patch this WordPress plugin now, thousands of users warned

A critical vulnerability has been identified in a WordPress plugin installed across more than 80,000 websites. 

Discovered by researchers at security firm Wordfence, the bug is present in WordPress plugin wpDiscuz (versions 7.0.0 to 7.0.4), used by administrators to integrate a comments section into their websites.

The bug could reportedly allow hackers to remotely execute code on a vulnerable website’s servers, take control of the hosting account and inject malicious code into other sites managed by the same entity.

As such, it has been assigned a maximum severity score of 10/10 as per the Common Vulnerability Scoring System (CVSS).

WordPress plugin vulnerability

The WordPress plugin vulnerability first surfaced with wpDiscuz version 7.0.0, which introduced a facility that allows users to attach images to comments.

Although the feature was intended to allow for image uploads only, the file type verification process could be easily circumvented, allowing hackers to upload any file of their choosing and sow the seed for account takeover.

“This flaw [gives] unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server,” explained Wordfence in a blog post.

“If exploited, this vulnerability could allow an attacker to traverse your hosting account to further infect any sites hosted in the account with malicious code. This would effectively give the attacker complete control over every site on your server.”

Wordfence first informed wpDiscuz developers of the vulnerability on June 19. After a failed attempt to resolve the issue with version 7.0.4, a full patch was released on July 23 with version 7.0.5.

The update has been downloaded circa 25,000 times since it was published, but this means roughly 55,000 WordPress websites remain at risk. To shield against attack, users of the wpDiscuz plugin are advised to install the latest version immediately.
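
A triage check an administrator could run after reading this advisory, given here as an added example (it is not code from Wordfence, wpDiscuz or the original article). It reads the `Version:` line from a plugin's header comment, compares it with the 7.0.0 to 7.0.4 range named above, and lists files in the uploads tree that carry a script extension. The paths are supplied by the operator and the extension list is an assumption.

```python
import re
import sys
from pathlib import Path

# Affected range and fixed release, as stated in the article.
FIRST_BAD, LAST_BAD, FIXED = (7, 0, 0), (7, 0, 4), "7.0.5"
# Assumption: extensions a web server may be configured to run as PHP.
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}


def parse_version(text):
    """Pull 'Version: x.y.z' out of a WordPress plugin header comment."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", text, re.I | re.M)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad 7.0 -> (7, 0, 0)


def is_affected(version):
    """True when the version falls in the 7.0.0 to 7.0.4 range."""
    return version is not None and FIRST_BAD <= version[:3] <= LAST_BAD


def script_files(uploads_dir):
    """List files under the uploads tree whose name carries a script
    extension anywhere in its suffix chain (an image folder should hold none)."""
    hits = []
    for path in Path(uploads_dir).rglob("*"):
        if path.is_file() and SCRIPT_EXTS & {s.lower() for s in path.suffixes}:
            hits.append(path)
    return sorted(hits)


def triage(plugin_main_file, uploads_dir):
    """Combine the version check and the uploads scan into one report."""
    text = Path(plugin_main_file).read_text(errors="replace")
    version = parse_version(text)
    return {"version": version, "affected": is_affected(version),
            "script_files": script_files(uploads_dir)}


if __name__ == "__main__" and len(sys.argv) == 3:
    report = triage(sys.argv[1], sys.argv[2])
    print("wpDiscuz version:", report["version"],
          f"(affected, update to {FIXED})" if report["affected"] else "")
    for f in report["script_files"]:
        print("review:", f)
```

A clean scan does not prove a site was never compromised; it only shows that no script files currently sit in the scanned folder.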

Joel Khalili
News and Features Editor
