{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2020-038.pdf"
    },
    "title": "Critical WordPress Plugin Vulnerability",
    "serial_number": "2020-038",
    "publish_date": "30-07-2020 12:02:00",
    "description": "On the 19th of June, the Wordfence Threat Intelligence team discovered a vulnerability that affects the WordPress plugin Comments \u2013 wpDiscuz. This flaw gives unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site\u2019s server. According to Wordfence, the security flaw is rated as critical severity with a CVSS base score of 10.0.",
    "url_title": "2020-038",
    "content_markdown": "---\ntitle: 'Critical WordPress Plugin Vulnerability'\nversion: '1.0'\nnumber: '2020-038'\ndate: 'July 29, 2020'\n---\n\n_History:_\n\n* _29/07/2020 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn the 19th of June, the Wordfence Threat Intelligence team discovered a vulnerability that affects the WordPress plugin **Comments \u2013 wpDiscuz** [1]. This flaw gives unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site\u2019s server [1]. According to Wordfence, the security flaw is rated as critical severity with a CVSS base score of 10.0 [2].\n\n# Technical Details\n\nComments \u2013 wpDiscuz is a real-time comment system with custom comment form and fields. It is designed to supercharge WordPress native comments [3].\n\nwpDiscuz comments are intended to allow only image attachments [1]. However, because of the file MIME type detection functions that were used, the file type verification could easily be bypassed, allowing unauthenticated users to upload any type of file, including PHP files [1]. Once a file was uploaded to a vulnerable site's hosting server, attackers would get the file path location in the request's response, making it easy to trigger file execution on the server and achieve remote code execution (RCE) [2].\n\n# Products Affected\n\nThe issue affects the WordPress plugin **Comments \u2013 wpDiscuz**, versions 7.0.0 - 7.0.4 [1].\n\n# Recommendations\n\nThe vulnerability was patched with the release of version 7.0.5 [1, 3].\n\nCERT-EU recommends updating the vulnerable application as soon as possible.\n\n# References\n\n[1] <https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/>\n\n[2] <https://www.bleepingcomputer.com/news/security/critical-wordpress-plugin-bug-lets-hackers-take-over-hosting-account/>\n\n[3] <https://wordpress.org/plugins/wpdiscuz/>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>29/07/2020 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On the 19th of June, the Wordfence Threat Intelligence team discovered a vulnerability that affects the WordPress plugin <strong>Comments \u2013 wpDiscuz</strong> [1]. This flaw gives unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site\u2019s server [1]. According to Wordfence, the security flaw is rated as critical severity with a CVSS base score of 10.0 [2].</p><h2 id=\"technical-details\">Technical Details</h2><p>Comments \u2013 wpDiscuz is a real-time comment system with custom comment form and fields. It is designed to supercharge WordPress native comments [3].</p><p>wpDiscuz comments are intended to allow only image attachments [1]. However, because of the file MIME type detection functions that were used, the file type verification could easily be bypassed, allowing unauthenticated users to upload any type of file, including PHP files [1]. Once a file was uploaded to a vulnerable site's hosting server, attackers would get the file path location in the request's response, making it easy to trigger file execution on the server and achieve remote code execution (RCE) [2].</p><h2 id=\"products-affected\">Products Affected</h2><p>The issue affects the WordPress plugin <strong>Comments \u2013 wpDiscuz</strong>, versions 7.0.0 - 7.0.4 [1].</p><h2 id=\"recommendations\">Recommendations</h2><p>The vulnerability was patched with the release of version 7.0.5 [1, 3].</p><p>CERT-EU recommends updating the vulnerable application as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/\">https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/critical-wordpress-plugin-bug-lets-hackers-take-over-hosting-account/\">https://www.bleepingcomputer.com/news/security/critical-wordpress-plugin-bug-lets-hackers-take-over-hosting-account/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://wordpress.org/plugins/wpdiscuz/\">https://wordpress.org/plugins/wpdiscuz/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}