Hackers have been taking advantage of a critical vulnerability in the WordPress plugin 简数采集器 (Keydatas), leading to a potential takeover of vulnerable sites through remote code execution.
The vulnerability, known as CVE-2024-6220, enables threat actors to upload arbitrary files to a vulnerable site without authentication. This loophole poses a significant security risk, emphasizing the importance of maintaining updated plugins and implementing robust security measures.
The discovery of this vulnerability came to light on June 18, 2024, during the 0-day Threat Hunt Promo of Wordfence’s Bug Bounty Program. A researcher known as Foxyyy identified and responsibly reported the flaw in the Keydatas plugin, which has more than 5,000 active installations. Following the discovery, active exploitation attempts were promptly observed.
According to Wordfence Intelligence, the vulnerability affects all versions of the 简数采集器 (Keydatas) plugin up to and including 2.5.2. The missing file type validation in the keydatas_downloadImages function allows unauthenticated arbitrary file uploads, making it easier for attackers to compromise vulnerable sites.
The technical analysis of the Keydatas plugin revealed that the password used for its keydatas_post_doc() function is set to a default value of “keydatas.com.” If site owners fail to change this password, attackers can exploit the vulnerable keydatas_downloadImages() function to upload malicious files, potentially leading to complete site takeover.
The lack of file type or extension checks in the plugin’s code allows attackers to upload harmful PHP files, posing a serious risk to website security. This vulnerability has already attracted the attention of threat actors, as shown by the top attacking IP addresses originating from locations such as Hong Kong and France.
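The two weaknesses the analysis names, a default password left in place and an image-download routine with no type check, can be closed at the handler. The following is an added illustration written for this article, not the Keydatas plugin's own code: function, option and file names are hypothetical, and it assumes it runs inside WordPress.

```php
<?php
// Illustrative hardened handler (not the plugin's code). Names are hypothetical.

// Refuse to operate while the shipped default or an empty value is still configured,
// then compare in constant time. Leaving "keydatas.com" unchanged is the condition
// the advisory describes as enabling the upload.
function example_verify_doc_password( string $supplied ): bool {
    $configured = (string) get_option( 'example_doc_password', '' );
    if ( '' === $configured || 'keydatas.com' === $configured ) {
        return false;
    }
    return hash_equals( $configured, $supplied );
}

// Fetch a remote image and store it only if both its extension and its real
// content signature are an allowed image type. The original flaw was the absence
// of any such check, which let a PHP file land under the web root.
function example_download_image( string $url ) {
    $response = wp_remote_get( $url, array( 'timeout' => 10, 'redirection' => 2 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'fetch_failed', 'Remote image could not be fetched.' );
    }

    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );
    $name = sanitize_file_name( basename( (string) parse_url( $url, PHP_URL_PATH ) ) );

    // Write to a temp file outside the web root first; nothing is published yet.
    $tmp = tempnam( get_temp_dir(), 'img' );
    file_put_contents( $tmp, wp_remote_retrieve_body( $response ) );

    // wp_check_filetype_and_ext() validates the extension against $allowed and,
    // for images, checks the actual bytes; "shell.png" containing PHP fails here.
    $check = wp_check_filetype_and_ext( $tmp, $name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) || false === getimagesize( $tmp ) ) {
        unlink( $tmp );
        return new WP_Error( 'bad_type', 'Only JPEG, PNG, GIF or WebP images are accepted.' );
    }

    // Build the final name from the extension WordPress derived, not the one supplied.
    $upload = wp_upload_dir();
    $base   = pathinfo( $name, PATHINFO_FILENAME ) . '.' . $check['ext'];
    $final  = $upload['path'] . '/' . wp_unique_filename( $upload['path'], $base );
    rename( $tmp, $final );
    return $final;
}
```

Pairing the default-password refusal with a content-level type check means a request that passes the password gate still cannot place anything but a verified image in the uploads directory.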
In response to this critical security flaw, Wordfence Premium, Care, and Response users received a firewall rule on June 20, 2024, to protect against the vulnerability. Free users were provided with the same protection on July 20, 2024. Despite attempts to contact the Keydatas team, the lack of response led to the escalation of the issue to the WordPress.org Security Team, resulting in the temporary closure of the plugin on July 16, 2024.
A patch was ultimately released on July 29, 2024, with users strongly advised to update to the latest patched version, 2.6.1, without delay. Regularly updating plugins, conducting vulnerability scans, and implementing robust firewall protection are crucial steps to safeguard websites against such exploitations.
The active exploitation of the CVE-2024-6220 vulnerability in the Keydatas plugin serves as a stark reminder of the continuous vigilance required to maintain website security. By staying informed and proactive, website owners can effectively protect their sites from malicious attacks, contributing to a safer online environment for all users.