WordPress Sites Attacked in Their Millions
upstart writes in with an IRC submission for RandomFactor of yet another WordPress plugin vulnerability:
WordPress Sites Attacked in Their Millions:
Millions of WordPress sites are being probed in automated attacks looking to exploit a recently discovered plugin vulnerability, according to security researchers.
Wordfence, which itself produces a plugin for the platform, revealed news of the zero-day bug at the start of September. It affects File Manager which, as the name suggests, is a plugin that helps users to manage files on their WordPress sites.
[...] The vulnerability itself could allow a remote, unauthenticated user to execute commands and upload malicious files on a target site. [Wordfence's Ram] Gall therefore urged users to patch the issue promptly by installing the latest version of the plug, v6.9.
"If you are not actively using the plugin, uninstall it completely," he added. "Due to the breadth of file management functionality this plugin provides a user within the wp-admin dashboard, we recommend uninstalling the plugin when it is not actively being used."
[Ed Note: Wordfence sells a product intended to protect WordPress sites]
Read more of this story at SoylentNews.