
Command Injection Vulnerability found in WordPress Plainview Activity Monitor v20161228 and Prior

A command injection vulnerability has been found in the Plainview Activity Monitor plugin for WordPress, the widely used blogging and content management platform. The flaw lies in the plugin, not in WordPress core, and has been assigned the identifier CVE-2018-15877.

The vulnerability allows an attacker to execute operating-system commands on the web server that hosts the plugin. Input from the ip parameter is passed into a shell command in activities_overview.php without being validated or escaped, so shell metacharacters placed in that parameter are interpreted by the shell as additional commands rather than as part of the address being looked up.

On its own, the command injection is not remotely exploitable: the vulnerable page is part of the plugin's administration interface and can only be reached by an authenticated administrator. Unfortunately, the same plugin suffers from two further weaknesses: a cross-site request forgery (CSRF) vulnerability and a reflected cross-site scripting (XSS) vulnerability. Chained together, the three allow a remote attacker who can lure a logged-in administrator to a malicious page to execute commands on the WordPress server with the privileges of the web server process, exposing the site's data to unauthorized access.
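The pattern behind the flaw, and the fix a plugin author would apply, can be shown in a few lines of PHP. The following is an added illustration written for this article; it is not the Plainview Activity Monitor's own code, and the function names, the use of nslookup as the lookup tool, and the "8.8.8.8; id" payload are all constructed for the example. It models a reverse-lookup page that takes an ip parameter and hands it to a shell command, first the vulnerable way and then with allow-list validation and argument quoting.

```php
<?php
// Added illustration, not the plugin's code. Models an admin page that
// takes an "ip" POST parameter and runs a command-line lookup on it.

// Vulnerable pattern: the raw parameter is concatenated into a shell
// command. A constructed value such as "8.8.8.8; id" terminates the
// lookup command and appends a second command for the shell to run.
function build_lookup_command_vulnerable(string $ip): string
{
    return 'nslookup ' . $ip;
}

// Hardened pattern: allow-list the value as an IP address, then quote it
// anyway so the shell never interprets its contents.
function build_lookup_command_safe(string $ip): ?string
{
    // FILTER_VALIDATE_IP accepts only syntactically valid IPv4/IPv6
    // addresses. Because no valid address starts with "-", this check
    // also prevents the value from being read by nslookup as an option,
    // something escapeshellarg() on its own would not stop.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null; // caller reports an error and runs nothing
    }
    // escapeshellarg() wraps the value in single quotes and escapes any
    // embedded single quotes, so it reaches nslookup as one argument.
    return 'nslookup ' . escapeshellarg($ip);
}

// Executes the lookup under the safe contract above. Inside a real
// WordPress admin handler this should be preceded by a capability check
// such as current_user_can('manage_options') and a nonce check such as
// check_admin_referer(), which is what closes the CSRF path an attacker
// would use to reach this code through an administrator's browser.
function reverse_lookup(string $ip): string
{
    $cmd = build_lookup_command_safe($ip);
    if ($cmd === null) {
        return 'Invalid IP address';
    }
    return (string) shell_exec($cmd . ' 2>&1');
}

// Constructed inputs for demonstration.
$benign  = '8.8.8.8';
$payload = '8.8.8.8; id';   // shell metacharacter smuggled into the parameter

echo "vulnerable: ", build_lookup_command_vulnerable($payload), "\n";
echo "safe:       ", var_export(build_lookup_command_safe($payload), true), "\n";
echo "safe:       ", build_lookup_command_safe($benign), "\n";
```

Run with the PHP CLI: the first line prints a command string the shell would split into two commands, the second prints NULL because the payload fails validation, and the third prints the benign address wrapped in single quotes. Both the validation and the quoting are kept because they address different failure modes: validation rejects anything that is not an address at all, while quoting guarantees that whatever does reach the shell is treated as a single literal argument.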

According to the disclosure timeline published by the researcher, the vulnerability was discovered on 25 August 2018. A CVE identifier was requested the same day, and the issue was reported to the plugin's author the following day. The author responded quickly, releasing version 20180826, which fixes the flaw; versions 20161228 and older of the Plainview Activity Monitor plugin are affected.

The vulnerability is described in detail in a post on GitHub, which also provides a proof of concept for the chained exploit. To mitigate the risk, site owners running the plugin should update to version 20180826 or later.
