Millions at risk as popular WordPress database plugin is targeted by hackers — here’s what WordPress site owners need to know

Vulnerability in popular WordPress plugin leaves doors open for hackers

A popular WordPress plugin has been found carrying a critical vulnerability which allowed hackers to attack websites, steal sensitive data, and even force them offline.

The vulnerability, tracked as CVE-2023-6933, was discovered by WordPress security experts Wordfence, and subsequently fixed by the plugin’s vendor, WP Engine.

The flaw consisted of an object injection vulnerability in the Better Search Replace WordPress plugin. This plugin, which was downloaded and installed more than a million times, helps with search and replace work in databases when admins migrate their sites to new domains or servers.

Thousands of attacks

All versions of the plugin, up to 1.4.5 which was released last week, are vulnerable to the flaw.

To exploit the vulnerability, however, certain conditions must first be met. Besides having the vulnerable plugin, the website (or a theme on the site) must also contain the Property Oriented Programming (POP) chain. The vulnerability can then be used to trigger the POP chain into performing malicious actions.

And speaking of malice, the flaw allows attackers to do a number of things, from code execution, access to sensitive data, to file manipulation, deletion, and bringing the website into a perpetual state of denial of service.
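The mechanism described in the two paragraphs above, as an added PHP illustration that is not code from the plugin, from WP Engine or from Wordfence: a class whose magic method runs during deserialization stands in for the POP chain that must already exist on the site, and the serialized string is a constructed sample of untrusted input. The second call shows the `allowed_classes` guard a defender would expect in place of a bare `unserialize()`.

```php
<?php
// Added illustration (hypothetical class, not from Better Search Replace).
// A class like this living in any plugin or theme is the "POP chain" the
// article refers to; the object injection bug only supplies the input.
class SettingsCache
{
    public $path = '';

    // Called automatically by unserialize() for every object it rebuilds.
    public function __wakeup(): void
    {
        // Benign stand-in for the file-manipulation step such a chain
        // would normally end in; here it only records that it executed.
        $GLOBALS['gadget_ran'] = "SettingsCache::__wakeup for {$this->path}";
    }
}

// Constructed sample of attacker-controlled input naming the class above.
$untrusted = 'O:13:"SettingsCache":1:{s:4:"path";s:14:"/tmp/site.conf";}';

$GLOBALS['gadget_ran'] = null;

// Vulnerable pattern: untrusted data goes straight into unserialize(), so
// the class is instantiated and __wakeup() runs before our code sees it.
$obj = unserialize($untrusted);
echo "unsafe:  ", var_export($GLOBALS['gadget_ran'], true), PHP_EOL;

$GLOBALS['gadget_ran'] = null;

// Hardened pattern: refuse to instantiate any class. PHP returns a
// __PHP_Incomplete_Class placeholder and no magic method is invoked.
$safe = unserialize($untrusted, ['allowed_classes' => false]);
echo "guarded: ", var_export($GLOBALS['gadget_ran'], true),
     " (got ", get_class($safe), ")", PHP_EOL;

// Treat any placeholder as a rejected input rather than using it further.
if ($safe instanceof __PHP_Incomplete_Class) {
    echo "rejected: serialized object found in untrusted data", PHP_EOL;
}
// Where the data only ever needs scalars and arrays, json_encode()/
// json_decode() avoids the object-instantiation problem altogether.
```

Running the script shows the gadget firing only on the unguarded call; the guarded call yields the placeholder class and the hook is never reached.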

Wordfence reported that in just 24 hours, hackers initiated more than 2,500 attacks, all of which were blocked.

Users are advised to update their plugin to version 1.4.5 as soon as possible. The WordPress.org website says four in five installations are on version 1.4 but shows no statistics for minor releases.

As a website builder, WordPress is generally considered safe. The plugins, most of which are built by third parties, not so much. Many of them are non-commercial, developed by a small team and often not properly maintained. That makes them an ideal candidate to serve as a gateway for breaches and other malicious activity.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.