A recently discovered high-severity vulnerability in a WordPress plugin has put some 60,000 websites at risk of website takeover, data exfiltration or remote code execution.
That’s according to Wordfence Threat Intelligence, a research team that searches for bugs in one of the world’s most popular CMS platforms, WordPress.
The Wordfence report explains that in mid-April, the team discovered an object injection vulnerability in the Booking Calendar plugin which, at press time, had over 60,000 installs.
Execute arbitrary code
The plugin gives webmasters the ability to add a reservation system to the site, which includes the ability to publish a flexible calendar, showing existing reservations and openings.
The flexible timeline also allows webmasters to configure preferences and display options when viewing the published timeline. Some of these options were passed as PHP-serialized data, Wordfence explained, and an attacker could control this data via several methods.
“Whenever an attacker can control non-serialized data by PHP, they can inject a PHP object with properties of their choosing,” the announcement reads. “If a ‘POP string’ is also present, it may allow an attacker to execute arbitrary code, delete files, or destroy or take control of a vulnerable website.”
The silver lining of the discovery is that Wordfence found no POP strings in the Booking Calendar plugin itself, meaning attackers would need “a bit of luck” and additional research to exploit the flaw. Yet, since POP strings often appear in software libraries, the threat is real.
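To make the mechanism concrete, the following is an added example written for this article; it is not code from the Booking Calendar plugin or from the Wordfence report. It shows the vulnerable pattern the report describes (display options read from a request and passed to `unserialize()`), next to two hardened versions and a cheap detection check. The class name `DisplayOptions`, the option keys, and the constructed inputs are assumptions made for illustration; `allowed_classes` requires PHP 7.0 or later and `JSON_THROW_ON_ERROR` requires PHP 7.3 or later.

```php
<?php
// Added example: not the Booking Calendar plugin's code and not from the Wordfence report.
// DisplayOptions, the option keys and the sample inputs below are constructed for illustration.

declare(strict_types=1);

// A plain value object for calendar display preferences (constructed for this example).
final class DisplayOptions
{
    public string $view = 'month';
    public bool $showBookedDays = true;
    public int $monthsToShow = 1;
}

// VULNERABLE: unserialize() on attacker-controlled input instantiates whatever class the
// payload names ("O:..."), so any loaded class with __wakeup/__destruct/__toString is reachable.
// This is the object injection sink the report describes.
function loadOptionsVulnerable(string $raw): DisplayOptions
{
    $opts = unserialize($raw);
    // Checking the type afterwards is too late: magic methods of the injected object already ran.
    return $opts instanceof DisplayOptions ? $opts : new DisplayOptions();
}

// HARDENED (1): forbid object creation during unserialization. Any "O:" entry becomes
// __PHP_Incomplete_Class, so no constructor, __wakeup or __destruct of an attacker-chosen
// class is ever invoked. unserialize() still parses attacker input, so (2) is preferable.
function loadOptionsNoObjects(string $raw): DisplayOptions
{
    $data = unserialize($raw, ['allowed_classes' => false]);
    return optionsFromArray(is_array($data) ? $data : []);
}

// HARDENED (2): do not use PHP serialization for untrusted input at all. JSON cannot
// express PHP objects, so there is nothing to inject; malformed input yields defaults.
function loadOptionsJson(string $raw): DisplayOptions
{
    try {
        $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        $data = [];
    }
    return optionsFromArray(is_array($data) ? $data : []);
}

// Allow-list and validate each field instead of trusting the decoded structure.
function optionsFromArray(array $data): DisplayOptions
{
    $opts = new DisplayOptions();
    if (isset($data['view']) && in_array($data['view'], ['month', 'week', 'day'], true)) {
        $opts->view = $data['view'];
    }
    if (isset($data['showBookedDays'])) {
        $opts->showBookedDays = filter_var($data['showBookedDays'], FILTER_VALIDATE_BOOLEAN);
    }
    if (isset($data['monthsToShow'])) {
        $n = filter_var($data['monthsToShow'], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1, 'max_range' => 12]]);
        if ($n !== false) {
            $opts->monthsToShow = $n;
        }
    }
    return $opts;
}

// Detection guard usable in a request filter or WAF rule: a serialized string that
// should only carry scalars and arrays has no business containing object records.
// Matches O:<len>:"<class>" (plain object) and C:<len>:"<class>" (Serializable class).
function containsSerializedObject(string $raw): bool
{
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $raw);
}

// Constructed inputs: a benign options array and an input that smuggles an object
// where only an array is expected (stdClass is used so the sample is harmless).
$benign  = serialize(['view' => 'week', 'monthsToShow' => 3]);
$hostile = 'a:1:{i:0;O:8:"stdClass":0:{}}';

var_dump(containsSerializedObject($benign), containsSerializedObject($hostile));
var_dump(loadOptionsNoObjects($benign)->view, loadOptionsNoObjects($hostile)->view);
var_dump(loadOptionsJson('{"view":"day","monthsToShow":2}')->monthsToShow);
```

The `containsSerializedObject()` check is a coarse signal for logging or blocking: it can false-positive on a legitimate string value that happens to contain `;O:1:"`, so it belongs in detection rather than as the sole defence. The real fix is the one the hardened loaders show: never let request data reach `unserialize()` with object creation enabled, and validate every field against an allow-list after decoding.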
Wordfence informed the developers of its findings in mid-April, and the fix was rolled out in three days. Users are advised to update to version 9.1.1 of the plugin as soon as possible.
As one of the most popular website platforms in the world, WordPress and its plugins are often targeted by threat actors looking for zero-days through which they can deploy malware. While WordPress itself is generally considered safe, its thousands of third-party plugins are each susceptible to vulnerabilities of their own.