Threat Actor Claims 0-Day Vulnerability in Popular WordPress Plugin

Threat Actor: Unknown | Unknown
Victim: WordPress Plugin Users | WordPress Plugin Users
Price: $500 (for vulnerability details), $700 (for exploit with proof of concept)
Exfiltrated Data Type: 0-day vulnerability details

Key Points:

  • A threat actor claims to have discovered a 0-day vulnerability in a popular WordPress plugin with over 50 million downloads.
  • The vulnerability is a broken access control flaw that allows attackers to create admin users under certain conditions.
  • The actor offers the vulnerability details for $500 and the exploit for $700, including a proof of concept.
  • The low price is attributed to the exploit requiring specific admin panel actions that users rarely perform.
  • There is uncertainty regarding the accuracy of the claims and whether patches exist to address the vulnerability.

A threat actor claims to have discovered a 0-day vulnerability in a WordPress plugin with over 50 million downloads. The vulnerability is a broken access control flaw that lets attackers create admin users under certain conditions. The actor offers the vulnerability details for $500 and the exploit for $700, including a proof of concept.

The actor explains the low price by noting that the exploit requires specific admin panel actions that users rarely perform. The claims indicate a potential risk, but it is unclear whether they are accurate or whether patches exist to fix the issue.

The post A Threat Actor Alleged 0-Day Vulnerability in Popular WordPress Plugin appeared first on Daily Dark Web.