The remote code execution vulnerability has now been fixed
According to the security researchers at Wordfence, the plugin is installed on more than 100,000 WordPress websites and was found vulnerable to two severe flaws. The first was a file upload vulnerability that would have let threat actors remotely execute malicious code; the second was a double extension vulnerability, through which a file carrying multiple extensions could be used to trigger code execution.
file[page_template] to the path of the uploaded file."
This would have allowed the attacker to take control of the site by obtaining credentials or by remotely executing code in the administrator's browser session.
The second vulnerability allowed authors and other users to perform a double extension attack. For instance, "it was possible to upload a file titled info.php.png. This file would be executable on certain Apache/mod_php configurations that use an
Both of the vulnerabilities have been fixed by the plugin's developer.
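A defensive check for the double extension case described above, as an added example (not code from the article, from Wordfence, or from the plugin): it rejects a server-side extension anywhere in a client-supplied file name, not only at the end, and then stores the file under a server-chosen name. The denylist, allowlist and sample names are constructed for this example.

```python
import re
import uuid
from pathlib import PurePosixPath

# Constructed denylist: extensions a PHP-enabled web server may execute
# wherever they appear in the name, not only as the final extension.
SERVER_SIDE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
# Constructed allowlist for a hypothetical image upload form.
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif"}
SEGMENT = re.compile(r"[a-z0-9_-]+")  # applied to each dot-separated part of the lower-cased name


def upload_name_verdict(filename, allowed=IMAGE_EXTS):
    """Return (accepted, reason) for a client-supplied file name."""
    if not filename or PurePosixPath(filename).name != filename:
        return False, "empty name or path component"
    if filename.startswith("."):
        return False, "dotfile"
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    exts = parts[1:]
    # Check every extension segment, not just the last: info.php.png fails here.
    hits = [e for e in exts if e in SERVER_SIDE_EXTS]
    if hits:
        return False, "server-side extension in name: " + ".".join(hits)
    if exts[-1] not in allowed:
        return False, "final extension not allowed: " + exts[-1]
    if not all(SEGMENT.fullmatch(p) for p in parts):
        return False, "disallowed characters"
    return True, "ok"


def safe_storage_name(filename):
    """Server-chosen on-disk name: random stem plus the validated final extension."""
    ok, reason = upload_name_verdict(filename)
    if not ok:
        raise ValueError(reason)
    return uuid.uuid4().hex + "." + filename.lower().rsplit(".", 1)[1]


def rejected(filenames):
    """Names from a batch that fail validation, mapped to the reason for each."""
    return {f: upload_name_verdict(f)[1] for f in filenames if not upload_name_verdict(f)[0]}


# Constructed sample upload names for this example.
SAMPLE_NAMES = ["photo.png", "info.php.png", "Info.PHTML.jpg", "notes.txt",
                "../x.png", ".htaccess", "report.final.jpeg"]
```

Validating the name is only half of the control: renaming on storage means the original multi-extension name never reaches the web root even if a check is later weakened.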