Researchers have unearthed a series of vulnerabilities that could have compromised thousands of WordPress websites.
Potentially exploitable bugs were found in the Brizy Page Builder, a WordPress plugin that is installed across more than 90,000 websites, according to security firm Wordfence.
The company’s Threat Intelligence team reported the issues in August and a fix was released shortly afterwards, but it’s likely that a number of installations still remain unpatched. If exploited, it could allow attackers to execute “complete site takeover” and add malicious code to existing posts.
The vulnerabilities could also allow for any registered user, including subscribers, to pass as an administrator, where they could modify posts and pages, even if they had already been published on a site.
The Wordfence’s Threat Intelligence team said it stumbled upon the vulnerability while conducting a routine review of the Wordfence firewall in July. It said the plugin “did not appear” to be under active attack, but they were led to believe that there was something amiss following “unusual traffic”.
“The unusual traffic led us to discover two new vulnerabilities as well as a previously patched access control vulnerability in the plugin that had been reintroduced,” Wordfence wrote in a blog post. “Both new vulnerabilities could take advantage of the access control vulnerability to allow complete site takeover.”
A patched version of the Brizy Page Builder plugin, was released on 24 August, just a few days after Wordfence disclosed the vulnerability. Wordfence “strongly recommends” users update to the latest version of the Brizy Page Builder (2.3.17) as soon as possible.