Outdated versions of three popular WordPress plugins suffer from a "critical" zero-day vulnerability that enables an attacker to take over a website.
The bug is a PHP object injection flaw that affects the following plugins: Appointments (versions prior to 2.2.2), Flickr Gallery (versions prior to 1.5.3), and RegistrationMagic-Custom Registration Forms (versions prior to 184.108.40.206).
Together, those plugins have a combined user base of over 21,000 WordPress customers. All three have already received a fix for the security issue, which is rated "Critical" with a CVSS rating of 9.8.
So why such a high rating? Brad Haas, senior security analyst at Wordfence, has the answer:
"This vulnerability allowed attackers to cause a vulnerable website to fetch a remote file (a PHP backdoor) and save it to a location of their choice. It required no authentication or elevated privileges. For sites running Flickr Gallery, the attackers only had to send the exploit as POST request to the site’s root URL. For the other two plugins, the request would go to admin-ajax.php. If the attacker was able to access their backdoor, they could completely take over the vulnerable site."
Haas and his colleagues came across the vulnerability while they were cleaning up a compromised website. Yes, that means attackers are exploiting the flaw in the wild. So there's no time to waste.
Premium Wordfence customers are already protected by their WordPress security plugin's updated firewall rules. Other users would be wise to ensure that they have updated all of their plugins if they feel that they are at risk.
Of course, ensuring that WordPress plugins are regularly patched to protect against known vulnerabilities is always sensible advice. If you administer your WordPress website, make sure you keep your plugins updated.