The Wordfence Intelligence team revealed the details of a vulnerability in External Media, a WordPress plugin used by 8,000+ sites.
This flaw allowed authenticated attackers to upload arbitrary files, which could then be used to achieve remote code execution and complete site takeover.
On February 2, 2021, the Wordfence team contacted the plugin’s creator for the first time. After several minor updates and follow-ups with the developer, a completely patched version, version 1.0.34, was released.
External Media is a WordPress plugin that allows users to upload media files from other sources. Unfortunately, the plugin had a flaw that enabled authenticated low-privilege users, such as subscribers, to upload PHP files from untrusted sources.
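The flaw class described above is an authenticated arbitrary file upload: a remote-fetch handler that neither checks the caller's capability nor validates the fetched file's type before writing it into the web root. The handler below is an added illustration of the hardened shape a plugin author would want; it is not the External Media plugin's own code and does not reproduce its patch. The action name, nonce action and the request parameter "url" are hypothetical; every WordPress function called is a real core API.

```php
<?php
// Added example: a hardened "import media from a remote URL" AJAX handler.
// Hypothetical action name; not code from the External Media plugin.
add_action( 'wp_ajax_example_import_remote_media', 'example_import_remote_media' );

function example_import_remote_media() {
    // 1. CSRF: the request must carry a nonce we issued for this action (hypothetical action name).
    check_ajax_referer( 'example_import_remote_media', 'nonce' );

    // 2. Authorization: 'upload_files' is granted to Author and above by default,
    //    so a Subscriber is rejected here regardless of what the request contains.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input validation on the remote location (parameter name 'url' is assumed).
    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    if ( '' === $url || ! wp_http_validate_url( $url ) ) {
        wp_send_json_error( 'invalid url', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    // 4. Fetch into a temporary file outside the web root; download_url() returns
    //    WP_Error on failure instead of a path.
    $tmp = download_url( $url );
    if ( is_wp_error( $tmp ) ) {
        wp_send_json_error( $tmp->get_error_message(), 502 );
    }

    // 5. Validate extension AND content together. wp_check_filetype_and_ext() yields
    //    ext/type === false when the extension is outside the site's allowed mime list
    //    (PHP is never allowed) or when the file's real content contradicts its name.
    $filename = sanitize_file_name( wp_basename( wp_parse_url( $url, PHP_URL_PATH ) ) );
    $check    = wp_check_filetype_and_ext( $tmp, $filename );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        @unlink( $tmp );
        wp_send_json_error( 'file type not permitted', 415 );
    }

    // 6. Hand the file to core, which stores it under wp-content/uploads with a
    //    sanitized, unique name and registers it as an attachment.
    $file_array = array(
        'name'     => ! empty( $check['proper_filename'] ) ? $check['proper_filename'] : $filename,
        'tmp_name' => $tmp,
    );
    $attachment_id = media_handle_sideload( $file_array, 0 );
    if ( is_wp_error( $attachment_id ) ) {
        @unlink( $tmp );
        wp_send_json_error( $attachment_id->get_error_message(), 500 );
    }

    wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}
```

Two of these checks are the ones that matter for the scenario in this article: the capability check stops subscriber-level accounts from reaching the upload path at all, and the type check refuses a .php file (or a file whose bytes do not match its claimed image type) before it ever lands under the uploads directory. Routing the final write through media_handle_sideload() rather than a hand-rolled file write means core's own filename sanitization and upload directory handling apply as well.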
Wordfence (@wordfence), May 13, 2021: “Moments ago, the Wordfence Threat Intelligence team published details about a vulnerability that was discovered & patched in External Media, a plugin installed on approximately 8,000 sites. Full details on the official Wordfence blog. https://t.co/B7GBKZHPJP”
“This is considered a critical vulnerability. Therefore, we highly recommend updating to the latest patched version available, v1.0.34, immediately,” Wordfence said in a blog post.