A critical vulnerability in all but the most recent WordPress versions has been revealed by security firm RIPS Tech. The vulnerability allows an unauthenticated attacker to hijack a logged-in administrator’s account and run arbitrary code on the target site.
RIPS Tech reports that ‘the vulnerabilit[y] exist[s] in WordPress versions prior to 5.1.1 and is exploitable with default settings.’ The exploit relies on an attacker being able to post comments to the target site, with RIPS Tech adding that ‘comments are a core feature of blogs and are enabled by default’, meaning that ‘the vulnerability affected millions of sites.’
WordPress applies security updates automatically by default, but some users may have disabled this functionality. If so, an updated version of WordPress must be installed immediately. RIPS Tech also advises that, in future, users ‘make sure to logout of your administrator session before visiting other websites.’