Security researchers have warned users of a popular WordPress plugin that they need to patch urgently or risk their site being remotely hijacked.
Security vendor Wordfence has revealed a new PHP code injection vulnerability with a CVSS score of 9.8, which could enable remote code execution.
The impacted plugin, Backup Migration, is said to have an estimated 90,000 installs.
Unauthenticated threat actors could exploit the bug to inject arbitrary PHP code, resulting in a full site compromise.
The vulnerability was fixed rapidly by Backup Migration developer BackupBliss, within just hours of being informed by Wordfence on December 6.
It was discovered by a researcher via the Wordfence Bug Bounty Program, which was set up on November 8.
The research was submitted to the program on December 5, and Wordfence validated it and confirmed a proof-of-concept exploit a day later.
The same day, it released a firewall rule to protect customers and sent the details over to BackupBliss.
Wordfence trumpeted the output of its bug bounty program.
Within just a month, over 270 vulnerability researchers have registered and submitted around 130 vulnerabilities, it claimed.
Up until December 20, all researchers will earn 6.25x the program's normal bounty rates when Wordfence handles responsible disclosure.
This Cyber News was published on www.infosecurity-magazine.com. Publication date: Tue, 12 Dec 2023 10:00:16 +0000