A critical security vulnerability affected the WordPress plugin Shield Security, which could enable arbitrary file inclusion. The developers patched the flaw in the latest plugin release, making it important for users to update to the latest version as soon as possible.
Shield Security Plugin Vulnerability Allowed File
According to the details shared in a post from the Wordfence team, a local file inclusion vulnerability affected the WordPress plugin Shield Security.
The Shield Security plugin offers a simple firewall for WordPress websites, blocking bot attacks, malware, and other related threats. The plugin currently has over 50,000 active installations, indicating the large number of websites exposed to threats from any security vulnerability affecting the plugin.
Specifically, the vulnerability affected the plugin's render_action_template parameter, allowing an unauthenticated adversary to include malicious PHP files on the target server. Ultimately, an attacker could execute malicious PHP code through those files.
This vulnerability, CVE-2023-6989, received a critical security rating with a CVSS score of 9.8. Wordfence confirmed that the issue generally affected PHP files only, ruling out the possibility of remote code execution attacks. However, they did confirm that an attacker had numerous options to include and execute malicious PHP files on the target server. In their post, the researchers also presented a detailed technical analysis of the exploit.
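To illustrate the class of bug described above, here is an added example of a generic "render a template by name" helper in PHP. It is a hypothetical, simplified loader written for this article, not the Shield Security plugin's own code, and the directory constant and function names are assumptions. The unsafe form passes a caller-controlled name straight into include, which is the pattern that lets an attacker point the loader at any readable PHP file on the host; the hardened form constrains the name to an allow-listed character set and then checks the canonical resolved path against the templates directory.

```php
<?php
// Added example, not the plugin's code. TEMPLATE_DIR is an assumed location.
declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';

// Vulnerable pattern, kept here for contrast: the request string becomes part
// of the include path unchanged, so traversal sequences or absolute paths in
// the name select arbitrary PHP files on the server.
function render_template_unsafe(string $name): void
{
    include TEMPLATE_DIR . '/' . $name . '.php';
}

// Hardened: returns the canonical path of an allowed template, or null.
function resolve_template(string $name): ?string
{
    // 1. Only plain identifiers may name a template: no slashes, dots or NULs.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }

    // 2. Resolve both the base directory and the candidate to canonical paths
    //    (realpath follows symlinks and returns false if the file is missing).
    $base = realpath(TEMPLATE_DIR);
    $candidate = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }

    // 3. Defence in depth: the resolved file must sit strictly inside TEMPLATE_DIR.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

function render_template_safe(string $name): void
{
    $path = resolve_template($name);
    if ($path === null) {
        http_response_code(400);
        echo 'invalid template';
        return;
    }
    include $path;
}
```

The allow-list regex alone would stop this particular bug class, but the realpath check costs nothing and also catches the case where a template directory later gains a symlink or a misconfigured TEMPLATE_DIR points somewhere unexpected. When reviewing plugin code for this pattern, look for any request parameter that reaches include, require, or file_get_contents after only string concatenation.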
Wordfence credited the researcher with the alias hir0ot for responsible vulnerability disclosure through Wordfence's bug bounty program. The firm also awarded the researcher a $938 bounty for the findings.
Following the bug report, the plugin developers patched the vulnerability in Shield Security plugin version 18.5.10. However, the plugin's official page lists 19.0.6 as the latest release, indicating further updates since this security fix. Therefore, all users running this plugin on their websites should make sure they update to version 18.5.10 or later (ideally the latest available version) to receive all necessary bug fixes.
Let us know your thoughts in the comments.