The Wordfence Threat Intelligence team is tracking a series of attacks against an unpatched vulnerability in the Custom Searchable Data Entry System plugin for WordPress. The estimated 2,000+ sites running the plugin are vulnerable to Unauthenticated Data Modification and Deletion, including the potential to delete the entire contents of any table in a vulnerable site’s database.
We have reached out to the plugin developer; however, the plugin does not appear to be actively maintained. The last update occurred approximately one year ago.
We have released a firewall rule to protect against exploitation of this flaw. Wordfence Premium users have received this rule already, and users still on the free version of Wordfence will receive the rule in 30 days.
Attackers are currently exploiting this vulnerability. As such, if you are not using Wordfence Premium, we recommend that you deactivate and delete this plugin from your sites and look for an alternative, as a patch is not currently available.
The vulnerability in this plugin is being actively exploited, and the Wordfence Threat Intelligence team has seen over 10,000 active exploit attempts over the last few days in our attack data.
We are not disclosing further details about this vulnerability until we can determine the feasibility of a fix by the plugin author.
Why We Are Disclosing Today
There is an active attack campaign underway that is targeting WordPress websites and exploiting this vulnerability. We made the decision to disclose the existence of this vulnerability now so that the global WordPress community can take steps to protect themselves immediately.
In response to our disclosure, the developer of the Custom Searchable Data Entry System plugin has removed it from the wordpress.org repository, and at this time it is no longer available for download. We’re also pleased to announce that, after a brief spike, attacks against this plugin have significantly diminished. As a reminder, we recommend deactivating and deleting this plugin from your WordPress installation as it is vulnerable and no longer maintained.
Special thanks to our Director of Threat Intelligence, Sean Murphy, who discovered the attack.