Tens of thousands of WordPress websites are at risk
According to information security researchers, tens of thousands of websites built on the WordPress content management platform are vulnerable to attack after a critical vulnerability was discovered in a popular plugin.
PatchStack researchers discovered three vulnerabilities in LearnPress, a learning management system plugin that lets users with little coding knowledge sell online courses through their WordPress sites.
Although LearnPress released the fix more than a month ago, researchers warn that only a small percentage of websites have implemented it so far.
The first vulnerability, tracked as CVE-2022-47615, allows attackers to view credentials, authentication tokens, API keys, and more.
The second vulnerability, tracked as CVE-2022-45808, is an unauthenticated SQL injection vulnerability that allows arbitrary code execution.
The third vulnerability, tracked as CVE-2022-45820, is also an unauthorized SQL injection vulnerability that can lead to data mining and arbitrary code execution.
PatchStack discovered the vulnerabilities between November 30 and December 2, 2022, and notified the party behind the LearnPress plugin shortly thereafter.
On December 20, LearnPress version 4.2.0 was released with bug fixes. However, according to BleepingComputer, citing statistics it obtained, only 25% of websites using the LearnPress plugin have updated to the patched version.
Since about 100,000 websites are currently actively using the plugin, about 75,000 sites remain at risk until they are upgraded to the latest version.
Because these vulnerabilities are severe and leaving them unpatched can have serious consequences, webmasters are advised to apply the patches immediately or disable the plugin until they do so.
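For anyone responsible for several WordPress installs, the following added example (not from the article, PatchStack or LearnPress) walks a hosting directory, reads the LearnPress plugin header and flags any install older than the 4.2.0 release mentioned above. The `learnpress` directory name, the file name `learnpress.php` and the sample tree in `demo()` are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

FIXED = (4, 2, 0)           # first patched LearnPress release per the article
PLUGIN_DIR = "learnpress"   # assumed plugin directory name (slug)
VERSION_RE = re.compile(rb"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)


def header_version(plugin_path):
    """Read 'Version:' from the plugin header, as WordPress does (first 8 KiB)."""
    for php in sorted(plugin_path.glob("*.php")):
        head = php.read_bytes()[:8192]
        match = VERSION_RE.search(head) if b"Plugin Name:" in head else None
        if match:
            return match.group(1).decode("ascii", "replace")
    return None


def status(version):
    """Classify a version string against FIXED; odd strings need manual review."""
    if version is None or not re.fullmatch(r"\d+(\.\d+)*", version):
        return "unknown"
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (len(FIXED) - len(parts))      # '4.2' compares as 4.2.0
    return "patched" if tuple(parts) >= FIXED else "vulnerable"


def audit(root):
    """Map each WordPress install under root to (version, status) for LearnPress."""
    report = {}
    for plugin in Path(root).rglob(f"wp-content/plugins/{PLUGIN_DIR}"):
        if plugin.is_dir():
            version = header_version(plugin)
            report[plugin.parents[2].name] = (version, status(version))
    return report


def demo():
    """Constructed sample tree: one outdated site, one updated site."""
    with tempfile.TemporaryDirectory() as tmp:
        for site, ver in (("shop", "4.1.7"), ("school", "4.2.0")):
            d = Path(tmp, site, "wp-content", "plugins", PLUGIN_DIR)
            d.mkdir(parents=True)
            header = f"<?php\n/**\n * Plugin Name: LearnPress\n * Version: {ver}\n */\n"
            (d / "learnpress.php").write_text(header)
        return audit(tmp)
```

Calling `audit()` on a real web root returns one entry per install; anything reported as `vulnerable` or `unknown` should be updated or have the plugin disabled, as advised above.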
As the world's most popular content management platform, WordPress is an attractive target for cybercriminals, and although the platform itself is relatively secure, plugins, especially free ones, are often the weakest link. Although they add countless additional features to the platform, it is essential for webmasters to choose the right components and ensure that they are always up to date.