Critical zero-day vulnerabilities in three popular Wordpress plug-ins could allow attackers to completely take over a vulnerable site.
Wordfence researchers spotted the previously unknown vulnerabilities in the Appointments plug-in by Dev, Flickr Gallery plug-in by Dan Coulter and the RegistrationMagic-Custom Registration Forms plug-in by CMSHelpLive, according to an Oct. 2, blog post.
“The exploits were elusive: a malicious file seemed to appear out of nowhere, and even sites with access logs only showed a POST request to /wp-admin/admin-ajax.php at the time the file was created,” researchers said in the blog post.
Researchers said the vulnerability allowed attackers to cause a vulnerable website to fetch a remote file (a PHP backdoor) and save it to a location of their choice and required no authentication or elevated privileges.
To compromise sites running Flickr Gallery, attackers only needed to send the exploit as a POST request to the site's root URL, while with the other two plugins the request would go to admin-ajax.php to compromise the systems. Researchers immediately notified the plugin authors and all three have published updates to fix the systems.