Attn Website Owners! WordPress Download Manager Plugin Found To Have These Vulnerabilities: Here’s How To Fix

Website owners who use the WordPress Download Manager plugin are advised to update it to the latest version immediately.

WordPress is the backend to many websites across the world. It has been found that one WordPress plugin, installed on over 100,000 websites, has two separate vulnerabilities. The plugin, WordPress Download Manager, is used to control how download pages are displayed. The vulnerabilities were found by the Wordfence Threat Intelligence team and allow an authenticated attacker to perform directory traversal. Although WordPress Download Manager has some protections in place against directory traversal, they did not prove sufficient in this case.

As a result, a user with Contributor-level privileges could retrieve the contents of a site’s wp-config.php file by adding a new download and performing a directory traversal attack: the contents of wp-config.php appeared in the page’s source code when the download was previewed. Since wp-config.php holds the site’s database credentials and authentication keys, disclosing it can lead to a full site takeover. Because the file’s contents were echoed into the page source, a user with Author-level access could also upload a file containing malicious JavaScript, then point a download’s file path at the uploaded file, resulting in stored cross-site scripting.

Before this, the WordPress Download Manager team had patched a vulnerability that allowed users to upload files with the php4 extension and other potentially malicious file types. Although this patch protected many configurations, it only checked the last file extension, which made it possible for an attacker to carry out a “double extension” attack by uploading a file with multiple extensions, such as info.php.png. On servers whose configuration evaluates every extension in a filename (for example, Apache with an AddHandler directive for .php), such a file can still be executed as PHP.
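The two weaknesses described above, a traversal filter that can be bypassed and an extension check that only inspects the final extension, can be illustrated side by side. The following PHP is an added example written for this article and is not WordPress Download Manager’s code; the function names, the blocked-extension list and the sample files it creates under the system temp directory are all constructed for the demonstration.

```php
<?php
// Added example, not WordPress Download Manager's code. All function names,
// the blocked-extension list and the sample files are constructed here.

// ---- Directory traversal -------------------------------------------------

// Weak filter: removes "../" once. "....//" survives as "../" after one pass,
// so the result still points above the download directory.
function weak_resolve_download(string $baseDir, string $userPath): string
{
    $cleaned = str_replace('../', '', $userPath);
    return $baseDir . '/' . $cleaned;
}

// Strict check: canonicalise with realpath() and require the result to stay
// inside the download directory. realpath() returns false for paths that do
// not exist, which also rejects the "....//" trick outright.
function strict_resolve_download(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null;
    }
    // Compare against the base with a trailing separator so that a sibling
    // such as "/srv/uploads-old" is not mistaken for a child of "/srv/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// ---- Double extensions ---------------------------------------------------

const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar'];

// Weak check: only the final extension is examined, so "info.php.png" passes.
function weak_extension_allowed(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, BLOCKED_EXTENSIONS, true);
}

// Strict check: every dot-separated segment after the base name counts as an
// extension; if any of them is executable, the upload is refused.
function strict_extension_allowed(string $filename): bool
{
    $parts = explode('.', strtolower(basename($filename)));
    array_shift($parts); // drop the file name itself, keep only the extensions
    foreach ($parts as $segment) {
        if (in_array($segment, BLOCKED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// ---- Demonstration with constructed files --------------------------------

$downloads = sys_get_temp_dir() . '/wpdm-demo-' . getmypid();
mkdir($downloads);
file_put_contents($downloads . '/readme.txt', "public download\n");

// A stand-in for wp-config.php, one directory above the download directory.
$secret = dirname($downloads) . '/wp-config-demo.php';
file_put_contents($secret, "<?php define('DB_PASSWORD', 'demo-only');\n");

$traversal = '....//' . basename($secret); // becomes "../wp-config-demo.php" after one strip
echo "weak filter reads:    ", file_get_contents(weak_resolve_download($downloads, $traversal));
echo "strict (....//):      ", var_export(strict_resolve_download($downloads, $traversal), true), "\n";
echo "strict (../):         ", var_export(strict_resolve_download($downloads, '../' . basename($secret)), true), "\n";
echo "strict (readme.txt):  ", var_export(strict_resolve_download($downloads, 'readme.txt'), true), "\n";

foreach (['image.png', 'info.php.png', 'shell.php4', 'notes.txt'] as $name) {
    printf("%-14s weak=%-5s strict=%s\n", $name,
        weak_extension_allowed($name) ? 'allow' : 'block',
        strict_extension_allowed($name) ? 'allow' : 'block');
}

unlink($secret);
unlink($downloads . '/readme.txt');
rmdir($downloads);
```

Run it with the PHP CLI: the weak filter hands back the stand-in wp-config file, while the strict resolver returns null for both traversal forms and a canonical path only for readme.txt; the weak extension check lets info.php.png through and the strict one blocks it. Note that realpath() only works for files that already exist, which suits serving downloads but not validating a name before the file is written. Even a strict extension check is only one layer: uploads should also live outside the web root or in a directory where script execution is disabled.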

The Wordfence Threat Intelligence team disclosed its findings to the plugin’s developers in May, and a patch was released the following day. Website owners who use the WordPress Download Manager plugin should update it to the latest patched version immediately.

Emily Charlotes
