Understanding the RCE Vulnerabilities in WordPress Plugins

  • Imagine handing over the controls of your website to someone you don’t trust – that’s the risk of RCE vulnerabilities in WordPress.
  • Attackers can modify website content, inject spammy content, and spread malware, infecting site visitors.
  • To avoid any errors, it’s crucial to ensure that all your plugins and themes are compatible with the new PHP version before upgrading.

WordPress is a popular content management system (CMS) powering over 40% of the internet. It is known for its flexibility and extensive plugin ecosystem. However, these plugins, while adding functionality, can introduce security vulnerabilities. These vulnerabilities can creep in due to coding errors, outdated libraries, or a lack of proper maintenance. Understanding the WordPress plugin vulnerabilities, the associated risks, and the challenges of upgrading plugins is crucial for maintaining a secure WordPress site.

In this article, we will explore remote code execution (RCE) vulnerabilities in WordPress plugins that allow attackers to remotely inject and run malicious code on your website.

Security Risks Posed by RCE Vulnerabilities in WordPress


Complete Website Takeover: Remote code execution allows attackers to execute any command on the server, potentially taking full control of the website. This means they can change content, install malware, redirect visitors to malicious sites, or even lock you out of your own site.

Data Theft: Attackers can access and steal sensitive information stored on your website, such as customer data, login credentials, or financial records.

Website Defacement: With control over the server, attackers can modify website content and display their own messages.

SEO Spam: Hackers often inject spammy content and links into vulnerable websites, damaging the site’s search engine ranking and credibility.

Malware Distribution: Compromised websites are also used to spread malware to infect site visitors.

Critical RCE Vulnerabilities in Popular WordPress Plugins

Backup Migration RCE Flaw

A critical vulnerability (CVE-2023-6553) was found in a popular WordPress backup plugin called Backup Migration, which has over 80,000 active installations. Exploiting this vulnerability allows attackers to take full control of websites. All versions of the plugin up to 1.3.7 are vulnerable. An update (version 1.3.8) has been released that fixes this issue and users of Backup Migration are advised to update to the latest version immediately.

Bricks Builder RCE Flaw

There’s a critical vulnerability (CVE-2024-25600) in Bricks Builder, a popular page builder plugin (around 25,000 active installations), that allows hackers to take full control of websites. This vulnerability was discovered in February 2024 and a fix (version 1.9.6.1) was released shortly after. While there haven’t been confirmed attacks, users are strongly advised to update to the latest version (1.9.6.1) immediately to avoid being hacked.

PHP Everywhere Vulnerabilities in WordPress

PHP Everywhere is a popular plugin that allows users to insert custom PHP code into sidebars, pages, and posts on WordPress websites. The plugin is used on over 20,000 websites, and three remote code execution vulnerabilities that attackers can exploit were discovered in it.

The most serious vulnerability (CVE-2022-24663) allows anyone who can register on a website (subscribers) to inject malicious code and potentially take over the entire website.

The other two vulnerabilities (CVE-2022-24664 and CVE-2022-24665) require more access (contributor level) but can still be dangerous.

These vulnerabilities were patched in version 3.0.0 of the plugin, released in January 2022. However, many users haven’t updated and are still at risk. If you use PHP Everywhere, update to version 3.0.0 immediately. Note that version 3.0.0 removed support for the Classic Editor, so if your site uses the Classic Editor you’ll need to find an alternative solution.

A further concern is that the plugin has since been permanently removed from the WordPress plugin directory at the author’s request. Sites that already have it installed can keep using it, but it is better to switch to a similar plugin, because no further updates, including security fixes, will be released.

Mitigating RCE Vulnerabilities in WordPress

Regular Updates: Always keep all plugins, themes, and the WordPress core updated to the latest versions to fix known vulnerabilities.

Secure File Uploads: Use secure methods for file uploads, including validating file types and using dedicated directories with restricted permissions.

Web Application Firewalls (WAF): Apply a WAF to filter and block malicious requests before they reach the WordPress application.

Security Plugins: Implement security plugins that offer features like malware scanning, firewall protection, and real-time monitoring. Services like Wordfence, Sucuri, or Jetpack can help in monitoring and protecting your site.

Least Privilege Principle: Implement the principle of least privilege, ensuring that users have the minimum permissions necessary to function, limiting potential damage from an exploit.

Additionally, you can follow these best security practices:

Limit Plugin Use: Minimize the number of plugins to reduce potential attack vectors. Deactivate and delete any plugins that are not actively in use.

Backup Regularly: Maintain regular backups of your website to restore functionality quickly in case of a successful attack.
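One way to put the “Secure File Uploads” and “Least Privilege Principle” points above into practice, as an added example that is not from the original post or from TuxCare: a small must-use plugin that restricts the upload allow-list, checks the real file content rather than just the file name, and requires the uploader to hold the upload_files capability. The plugin name and the three allowed types are assumptions; adjust the list to what your site actually needs.

```php
<?php
/*
Plugin Name: Upload Hardening (hypothetical illustration)
*/

// Hypothetical mu-plugin. The hooks and functions used (upload_mimes,
// wp_handle_upload_prefilter, wp_check_filetype_and_ext, current_user_can)
// are standard WordPress APIs; the allow-list below is an assumption.

// 1. Replace the default upload allow-list with a short, explicit one.
//    Anything not listed here is refused by the media handler.
add_filter('upload_mimes', function (array $mimes): array {
    return [
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    ];
});

// 2. Inspect every upload before it is written to disk.
add_filter('wp_handle_upload_prefilter', function (array $file): array {
    // Least privilege: only roles that hold upload_files may upload at all.
    // By default, subscribers and contributors do not have this capability.
    if (!current_user_can('upload_files')) {
        $file['error'] = 'You are not permitted to upload files.';
        return $file;
    }

    // Validate the file's actual bytes against its declared extension.
    // WordPress reads the content (getimagesize / finfo) and returns
    // ext/type = false when the type is not on the allow-list or the
    // content does not match the extension.
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name']);
    if (empty($check['ext']) || empty($check['type'])) {
        $file['error'] = 'File type not allowed.';
        return $file;
    }

    // Refuse names that carry a PHP-like extension anywhere (e.g. name.php.jpg),
    // so a misconfigured web server cannot be tricked into executing the file.
    if (preg_match('/\.(php|phtml|phar)\b/i', $file['name'])) {
        $file['error'] = 'File name not allowed.';
    }
    return $file;
});
```

Pair this with the directory control the list mentions: configure the web server so that nothing under wp-content/uploads is ever executed as PHP, so that even a file that slips past the checks is served as static content.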

Upgrading Issues and Challenges

While plugin updates fix vulnerabilities in WordPress sites, they can sometimes cause compatibility issues with other plugins, themes, or even the WordPress core, leading to site malfunctions or crashes. Another cause of trouble is a plugin dropping support for the PHP version used on your server. As PHP evolves, newer versions bring improvements and older versions stop being maintained. To keep up with the latest PHP versions, plugins, themes, and WordPress itself constantly release updates and gradually drop support for outdated PHP versions.

For example, PHP 7.4 has not been supported by the PHP development team since November 28, 2022. Any WordPress website running on a PHP 7.4 server is highly vulnerable because it no longer receives security updates. Although WordPress still supports PHP 7.4, it displays the “PHP Update Required” warning and recommends that users upgrade PHP in WordPress to maintain website security. The currently supported PHP versions are PHP 8.1, 8.2, and 8.3, and WordPress has already included beta support for all of them.

However, if you upgrade your WordPress PHP version to 8.x and your plugins and themes do not support PHP 8.x, you may encounter compatibility issues that can lead to site malfunctions or crashes. These issues can appear as error messages, broken functionality, or even a completely inaccessible website.

To avoid such problems, it’s crucial to ensure that all your plugins and themes are compatible with PHP 8.x before upgrading. You can do this by checking for updates from the developers or testing the new PHP version in a staging environment first. Some plugin developers may abandon their projects, leaving them vulnerable with no future updates.

Securing Outdated PHP in WordPress

In case your themes and plugins do not support PHP 8.x versions, you can utilize TuxCare’s Extended Lifecycle Support (ELS) for PHP to maintain website security. ELS for PHP offers security patches for older PHP versions that are no longer officially supported. This allows you to continue using your existing PHP in WordPress securely while giving you and your theme and plugin developers enough time to update the code for compatibility with PHP 8.x.

Final Thoughts

Theme and plugin vulnerabilities in WordPress can be exploited by attackers to gain unauthorized access to your website, steal data, or inject malicious code. Keeping them updated is crucial for security, but it’s not always smooth sailing. Updates might introduce bugs that break your website’s functionality, requiring troubleshooting and compatibility checks.

Upgrading from an older version of PHP to PHP 8.x often requires massive code rewriting. It can be a complex and time-consuming process. TuxCare’s PHP Extended Lifecycle Support (ELS) allows you to stay on older PHP versions for longer and keep your existing PHP code and functionality without worrying about security risks.

Send questions to a TuxCare security expert to know how to get started with TuxCare’s PHP ELS.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Rohan Timalsina. Read the original post at: https://tuxcare.com/blog/understanding-the-rce-vulnerabilities-in-wordpress-plugins/