In a significant security alert, Wordfence, a leading security service for WordPress websites, reported a severe SQL Injection vulnerability in the widely used WordPress plugin Better Search Replace. The vulnerability was identified as critical with a 9.8 score and was fixed in version 1.4.5:
"Security: Unserializing an object during search and replace operations now passes 'allowed_classes' => false to avoid instantiating the object and potentially running malicious code stored in the database (thanks to Wordfence for responsible disclosure on December 18, 2023, followed by development and testing of the fix by WP Engine)."
The vulnerability identified in the Better Search Replace plugin is a PHP Object Injection affecting all versions up to and including 1.4.4. The core issue is the deserialisation of untrusted input, which can allow unauthenticated attackers to inject harmful PHP objects into the website. This is particularly alarming because it can enable attackers to manipulate the website's data and functionality without any authentication credentials.
The Better Search Replace plugin itself does not contain a PHP Object Injection (POP) chain. However, the presence of another vulnerable plugin or theme on the same site could escalate the threat: in that case, attackers could use the vulnerability to perform destructive actions, like deleting arbitrary files, collecting sensitive data, or executing malicious code. This raises the risk for websites that combine many plugins and themes, which is common practice in WordPress environments.
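As an added illustration (not code from the plugin, WP Engine or Wordfence), the old and the fixed unserialize() call side by side inside a minimal search-and-replace routine; the DemoGadget class, the replace_deep helper and the sample option value are constructed for this example. Search-and-replace tools unserialize first because string lengths inside serialized data must be recomputed after a replacement.

```php
<?php
// Added example (not the plugin's code): search/replace inside serialized data.
// DemoGadget is a constructed stand-in for a class from some other plugin whose
// magic methods would run if a normal unserialize() instantiated it.
class DemoGadget {
    public $path = '/tmp/demo';
    public function __wakeup()  { echo "DemoGadget::__wakeup ran\n"; }
    public function __destruct() { echo "DemoGadget::__destruct ran\n"; }
}
// Recursively replace $from with $to in strings, arrays and object properties.
function replace_deep($value, string $from, string $to) {
    if (is_string($value)) {
        return str_replace($from, $to, $value);
    }
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = replace_deep($v, $from, $to);
        }
        return $value;
    }
    // Objects decoded with allowed_classes => false arrive as __PHP_Incomplete_Class
    // and are carried through untouched (their properties are not rewritten).
    if (is_object($value) && get_class($value) !== '__PHP_Incomplete_Class') {
        foreach (get_object_vars($value) as $k => $v) {
            $value->$k = replace_deep($v, $from, $to);
        }
    }
    return $value;
}
// Vulnerable pattern (versions up to 1.4.4): default unserialize() instantiates
// any class named in the data, so a stored payload can trigger __wakeup/__destruct.
function replace_serialized_unsafe(string $data, string $from, string $to): string {
    return serialize(replace_deep(unserialize($data), $from, $to));
}
// Hardened pattern (the 1.4.5 fix): allowed_classes => false yields __PHP_Incomplete_Class
// objects, so no constructor or magic method runs; serialize() still writes the
// original class name back, so the stored value round-trips intact.
function replace_serialized_safe(string $data, string $from, string $to): string {
    $decoded = unserialize($data, ['allowed_classes' => false]);
    if ($decoded === false && $data !== 'b:0;') return $data; // not serialized, leave as is
    return serialize(replace_deep($decoded, $from, $to));
}
// Constructed option value embedding an object, as an attacker could plant in the DB.
$stored = 'a:2:{s:4:"site";s:18:"http://old.example";s:3:"obj";'
        . 'O:10:"DemoGadget":1:{s:4:"path";s:9:"/tmp/demo";}}';
echo replace_serialized_safe($stored, 'http://old.example', 'https://new.example'), "\n";
// The URL is rewritten, O:10:"DemoGadget" is kept intact and no magic-method line is printed.
```

Running the unsafe variant on the same input would print the __wakeup line, which is exactly the code execution path the fix closes.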
A similar case happened last year, when over 4 million websites were affected by a stored Cross-Site Scripting vulnerability in the LiteSpeed Cache plugin. The issue could let attackers upload malicious scripts by exploiting a shortcode functionality. The vulnerability was later fixed in a newer version of the plugin.
Summing up
Looking ahead, cybercrime is estimated to cost the world $10.5 trillion annually by 2025. In 2020 the FBI received more than 2,000 complaints about internet crimes per day, with victims losing over $4.2 billion.
These incidents serve as a reminder to all website owners to regularly update their plugins, themes and any other software they use. Be vigilant and stay informed about potential vulnerabilities to protect yourself against evolving cyber threats!
To the Newspaper Theme users: please make sure to keep the plugins, theme and WordPress updated to the latest version. Use a security plugin such as Wordfence, and run regular WordPress security scans.
To check whether your website is up to date, you can always consult the changelog, which also lists the new features and improvements added with each update. If you find updating challenging and need help, get in touch with us. Starting from $59*, we can assure you of a smooth and hassle-free update process. Stay safe!
*child theme and custom code adaptation will involve extra cost.