A vulnerability in a WordPress plugin allows unauthenticated attackers to create administrative user accounts on vulnerable sites, potentially compromising the entire site.

Security experts identified that the plugin fails to properly validate the ST-Authorization HTTP header during API requests. When an attacker submits an invalid header, the plugin's code returns a null value. If the site has not configured an internal secret key (also null by default), the authorization check inadvertently passes because of a null == null comparison, completely bypassing the plugin's authorization logic.

Security logs reveal multiple patterns of account creation attempts. Security analysts note that attackers are randomizing the credentials of the accounts they create, so detection cannot rely on a fixed list of attacker usernames or passwords; defenders should instead audit for newly created administrator accounts and unexpected requests carrying the ST-Authorization header.

Patchstack customers are reportedly protected through the company's virtual patching system, which blocked exploitation attempts before the official patch was released.

This incident serves as another reminder of the importance of keeping WordPress installations and plugins updated and implementing proper security measures for websites running the popular content management system.
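To make the null == null failure concrete, the following is an added Python model of the check described above, not the plugin's own code (the plugin is written in PHP, where `null == null` is likewise true). The option name `st_secret_key`, the `Bearer` token format, and the helper names are assumptions made for the example; the hardened version shows the fail-closed check a practitioner would expect instead.

```python
"""Model of a secret-key authorization check that passes when neither side
is configured, and a hardened version that fails closed.

Added example; not the plugin's code. Names and header format are assumed.
"""
import hmac
import secrets
from typing import Callable, Dict, Optional

# Constructed site configuration: the secret key is None ("null") until the
# site owner configures one, matching the default the article describes.
UNCONFIGURED_SITE: Dict[str, Optional[str]] = {"st_secret_key": None}
CONFIGURED_SITE: Dict[str, Optional[str]] = {"st_secret_key": "s3cr3t-key-value"}


def get_configured_secret(options: Dict[str, Optional[str]]) -> Optional[str]:
    """Return the site's configured secret, or None if it was never set."""
    return options.get("st_secret_key")


def extract_bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Mirror the behaviour the article describes: an absent or malformed
    ST-Authorization header yields None rather than raising an error.
    The 'Bearer <token>' format is an assumption for this example."""
    value = headers.get("ST-Authorization")
    if not value or not value.startswith("Bearer "):
        return None
    token = value[len("Bearer "):].strip()
    return token or None


def vulnerable_is_authorized(headers: Dict[str, str],
                             options: Dict[str, Optional[str]]) -> bool:
    """Loose equality: None == None is True, so an unconfigured secret plus
    an invalid (or missing) header authorizes the request."""
    return extract_bearer_token(headers) == get_configured_secret(options)


def hardened_is_authorized(headers: Dict[str, str],
                           options: Dict[str, Optional[str]]) -> bool:
    """Fail closed: both sides must be present, then compare in constant time."""
    secret = get_configured_secret(options)
    token = extract_bearer_token(headers)
    if not secret or not token:
        return False
    return hmac.compare_digest(secret.encode(), token.encode())


def create_admin_user(headers: Dict[str, str],
                      options: Dict[str, Optional[str]],
                      username: str,
                      authorize: Callable[[Dict[str, str], Dict[str, Optional[str]]], bool]
                      ) -> Optional[Dict[str, str]]:
    """Simulated user-creation endpoint guarded by the supplied check.
    Returns the created record, or None when the request is rejected."""
    if not authorize(headers, options):
        return None
    return {"user_login": username, "role": "administrator"}


if __name__ == "__main__":
    # An attacker with no secret at all, using a randomized username as the
    # article reports, succeeds against the vulnerable check on an
    # unconfigured site and is rejected by the hardened one.
    garbage = {"ST-Authorization": "not-a-valid-header"}
    attacker_login = "wp_" + secrets.token_hex(4)
    print("vulnerable:", create_admin_user(garbage, UNCONFIGURED_SITE,
                                           attacker_login, vulnerable_is_authorized))
    print("hardened:  ", create_admin_user(garbage, UNCONFIGURED_SITE,
                                           attacker_login, hardened_is_authorized))
```

The hardened variant rejects the request on an unconfigured site instead of comparing two nulls, and uses `hmac.compare_digest` so a configured key cannot be recovered through timing differences.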
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 15 Apr 2025 09:00:10 +0000