Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Hackers are targeting a WordPress security flaw that was supposed to have been fixed

Wordpress brand logo on computer screen. Man typing on the keyboard.

Researchers recently observed a known, and apparently fixed vulnerability, being abused in the wild to steal login credentials for WordPress websites.

Cybersecurity researchers from Plugin Vulnerabilities, an organization that monitors flaws in WordPress plugins, reported a hacker trying to exploit an arbitrary file viewing vulnerability in the WP Compress plugin.

WP Compress is a plugin that promises to fix slow load times by compressing the images found on the website. By improving load times, the developers say the sites will perform better in search engine rankings. This can also prevent visitors from leaving the page.

No CVE record

By abusing the vulnerability, the hacker was trying to view the contents of the WordPress configuration files which, among other things, also contains the database credentials for the website.

A deeper investigation revealed that the vulnerability is being tracked as CVE-2023-6699, but the record is empty. On the National Institute of Standards and Technology website, it says “although a CVE ID may have been assigned by either CVE or a CNA, it will not be available in the NVD if it has a status of RESERVED by CVE.” 

The CVE site, on the other hand, says, “This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.”

Plugin Vulnerabilities further explains that this is problematic because many IT teams rely on information from CVE to keep track of vulnerabilities. With no information provided, many websites are in the dark about the potential vulnerability they’re carrying. 

However, the flaw was apparently fixed on December 13 2023. Those using the plugin should make sure they update it to version 6.10.34.

“The lack of CVE records being filled out in a timely manner is an issue that has been known to CVE for some time, but they haven’t addressed,” the researchers have stressed.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.