Critical WordPress plugin bug puts thousands of sites in danger
Researchers urge users to upgrade now
An authentication bypass vulnerability in a popular WordPress plugin enables attackers to take complete control over WordPress-powered ecommerce websites, researchers have revealed.
The Wordfence Threat Intelligence team discovered the vulnerability in the Booster for WooCommerce WordPress plugin, which boasts a user base of over 100,000 websites.
The Booster plugin offers over 100 features available in the WooCommerce plugin that helps set up ecommerce stores on WordPress installations.
“This flaw made it possible for an attacker to log in as any user, as long as certain options were enabled in the plugin,” writes Wordfence’s Chloe Chamberland.
Forging identities
Chamberland explains that the vulnerability, which has a CVSS score of 9.8, existed in the plugin’s Email Verification module. The module requires users to verify their email after they have registered on the site.
However, the module didn’t perform the necessary security checks, making it possible for attackers to send a fake verification request as any user and essentially be able to log in with the forged identity.
“As such, an attacker could exploit this vulnerability to gain administrative access on sites running a vulnerable version of the plugin and effectively take-over the site,” explains Chamberland.
A patched version of the plugin has already been released, and Wordfence urges users of the plugin to upgrade to the latest release without delay.
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.