Critical Security Flaw in WordPress Plugin Allows RCE (Security News, July 2020)

Researchers are warning of a critical vulnerability in the WordPress plugin Comments - wpDiscuz, which is installed on more than 70,000 websites.
The flaw gives unauthenticated attackers the ability to upload arbitrary files and ultimately execute code remotely on the web servers of vulnerable sites.
The plugin's comment image-attachment feature lacked adequate checks to verify that an uploaded attachment actually is an image file rather than some other file type.
To pass the plugin's content-type verification, an attacker would only need to prepend image data to an arbitrary file, such as a PHP script, so that the file is detected as an allowed image type.
Earlier in July, it was discovered that the Adning Advertising plugin for WordPress, a premium plugin with over 8,000 customers, contained a critical remote code-execution vulnerability that could be exploited by unauthenticated attackers.
News URL
https://threatpost.com/critical-rce-flaw-wordpress-plugin-on-70k-sites/157824/