A highly critical vulnerability has been disclosed in the plugin, affecting over 100,000 websites. The vulnerability has a CVSS score of 9.9 (Critical), allowing attackers to bypass authentication and gain administrative control over the affected websites. Both the free and paid versions of the plugin (formerly known as ) are affected.

is a widely used plugin designed to enhance the security of sites through features such as vulnerability detection, login protection, and two-factor authentication. However, a flaw exists in the function used for authentication, which fails to properly verify user identities. This oversight allows unauthorized attackers to bypass security measures and gain administrative access.

The vulnerability affects the free, pro, and pro multi-site versions of the plugin from version .. to ....

The vulnerability was discovered by the threat intelligence team (specifically researcher ) on during routine analysis. "This is one of the more severe vulnerabilities we have reported in our years as a security provider," the researchers warned in their article.

The issue stems from improper error handling in the plugin's two-factor authentication feature. By exploiting it, an attacker can log in remotely as any user, including administrators, as long as two-factor authentication is enabled. The feature is disabled by default, but many users enable it to harden their sites, which in this case has the opposite effect: switching it on is what exposes the site.

The team was contacted immediately, and a patched version was released for pro users on [date], followed by the free version on [date]. To mitigate the risk, a mandatory update was pushed to the affected plugin versions, a rare measure that underscores the severity of the vulnerability.

Site administrators without a valid plugin license are advised to manually verify their update status, as automatic updates may not be applicable to these installations. To mitigate this critical vulnerability, website administrators should verify the success of mandatory updates through the admin dashboard and ensure they are using the .. version. If updates cannot be applied, it is recommended to temporarily disable two-factor authentication until the patch is applied.

For managed service providers, it is recommended to enforce updates and scan the hosting environment for vulnerable versions. Website owners are encouraged to spread awareness within the community to ensure that unmaintained websites receive updates in a timely manner.
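The two mitigation steps above (an administrator verifying the installed version, and a provider scanning a hosting environment for vulnerable copies) both come down to reading each plugin's version header and comparing it with the first fixed release. The script below is an added example, not code from the article or from the plugin vendor: it walks a WordPress `wp-content/plugins` directory, parses the `Plugin Name:` and `Version:` headers that WordPress itself reads from each plugin's main PHP file, and flags any affected plugin older than the fixed version. The plugin names and the fixed version are placeholders, because the article does not name them; the sample plugin tree is constructed so the script runs offline.

```python
"""Scan a WordPress plugins directory for copies of an affected plugin
that are older than the first fixed version.

Added example (not the article's or the vendor's code). Assumes the standard
layout wp-content/plugins/<slug>/<main-file>.php; plugin names and the fixed
version used below are PLACEHOLDERS, since the article does not give them.
"""
import os
import re
import tempfile

# Matches ' * Plugin Name: Foo' or 'Version: 1.2.3' inside the header comment block.
HEADER_RE = re.compile(r"^[ \t/*]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.MULTILINE)


def parse_version(text):
    """'1.9.9' -> (1, 9, 9). Non-numeric suffixes are dropped: '2.0.0-rc1' -> (2, 0, 0)."""
    nums = []
    for piece in re.split(r"[.\-+]", text.strip()):
        if not piece.isdigit():
            break
        nums.append(int(piece))
    return tuple(nums)


def version_lt(a, b):
    """True if version string a is older than b; shorter tuples are zero-padded so '2.0' == '2.0.0'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    return va + (0,) * (width - len(va)) < vb + (0,) * (width - len(vb))


def read_plugin_header(path):
    """Return the header fields of a plugin main file, or None if it has no 'Plugin Name:'."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)  # WordPress only inspects the first 8 KiB of the file
    fields = {key: value for key, value in HEADER_RE.findall(head)}
    return fields if "Plugin Name" in fields else None


def scan_plugins(plugins_dir, affected_names, first_fixed):
    """One record per installed plugin whose 'Plugin Name' is in affected_names.

    affected_names: names as written in the header (compared case-insensitively).
    first_fixed:    the first version carrying the fix; anything older is flagged.
    """
    wanted = {name.lower() for name in affected_names}
    findings = []
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_dir):
            continue
        for fname in sorted(os.listdir(plugin_dir)):
            if not fname.endswith(".php"):
                continue
            header = read_plugin_header(os.path.join(plugin_dir, fname))
            if header is None or header["Plugin Name"].lower() not in wanted:
                continue
            version = header.get("Version", "0")
            findings.append({
                "slug": slug,
                "name": header["Plugin Name"],
                "version": version,
                "vulnerable": version_lt(version, first_fixed),
            })
            break  # main file found; do not re-read the same plugin
    return findings


def build_demo_tree():
    """Constructed sample plugin tree (not real plugin code) so the scan runs offline."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        "example-security": ("Example Security", "1.9.9"),         # older than the fix
        "example-security-pro": ("Example Security Pro", "2.0.0"),  # already at the fixed version
        "unrelated-plugin": ("Unrelated Plugin", "0.5"),            # not an affected plugin
    }
    for slug, (name, version) in samples.items():
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, slug + ".php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n/**\n * Plugin Name: %s\n * Version: %s\n */\n" % (name, version))
    return root


if __name__ == "__main__":
    # PLACEHOLDERS: substitute the affected plugin's real names and the vendor's fixed version.
    AFFECTED = ["Example Security", "Example Security Pro"]
    FIRST_FIXED = "2.0.0"
    root = build_demo_tree()  # in production point this at <site>/wp-content/plugins
    for f in scan_plugins(root, AFFECTED, FIRST_FIXED):
        status = "VULNERABLE - update now" if f["vulnerable"] else "patched"
        print(f"{f['slug']:<25} {f['name']:<22} {f['version']:<8} {status}")
```

Run it against each site's `wp-content/plugins` directory (or loop over every site root on a shared host); any `VULNERABLE` line is an installation where the mandatory update did not land, which is exactly the case the article warns about for unlicensed installs that may not auto-update. For those sites, disabling two-factor authentication in the plugin is the stop-gap until the update is applied.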


Author: Emma

An experienced news writer, focusing on in-depth reporting and analysis in the fields of economics, military, technology, and warfare. With over 20 years of rich experience in news reporting and editing, he has set foot in various global hotspots and witnessed many major events firsthand. His works have been widely acclaimed and have won numerous awards.
