Hackers Exploit WordPress Plugin File Upload Flaw


Hackers are exploiting a critical vulnerability (CVE-2024-6220) in the WordPress plugin 简数采集器 (Keydatas) that allows unauthenticated users to upload arbitrary files, risking remote code execution and full site takeover.

On June 18, 2024, during Wordfence’s 0-day Threat Hunt Promo, researcher Foxyyy discovered and reported a vulnerability in the Keydatas plugin, affecting over 5,000 installations. The flaw was confirmed quickly, with active exploitation attempts noted within days.

All about the flaw – CVE-2024-6220

Wordfence Intelligence reports a critical flaw in the 简数采集器 (Keydatas) plugin for WordPress, affecting all versions up to 2.5.2. CVE-2024-6220 allows unauthenticated arbitrary file uploads due to missing file type validation in the keydatas_downloadImages function.

Description: 简数采集器 (Keydatas) <= 2.5.2 – Unauthenticated Arbitrary File Upload
Affected Plugin: 简数采集器 (Keydatas)
Plugin Slug: keydatas
Affected Versions: <= 2.5.2
CVE ID: CVE-2024-6220
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher: Foxyyy
Fully Patched Version: 2.6.1
Bounty Award: $488.00
Vulnerability Details: The vulnerability stems from missing file type validation in the keydatas_downloadImages function, allowing attackers to upload arbitrary files, including malicious PHP scripts, to the WordPress uploads directory. Because that directory is publicly accessible, an uploaded script can be requested directly, enabling remote code execution.

The Keydatas plugin links a WordPress site with the keydatas.com app for managing posts. Its keydatas_post_doc() function has a password check, but the default password is “keydatas.com”.

The function downloads files from the __kds_docImgs request parameter using file_get_contents() and uploads them to the WordPress uploads directory with file_put_contents(). Without checks for file types or extensions, attackers can upload malicious PHP files, compromising sites.
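The following is an added illustration, not the Keydatas plugin's own code: a hypothetical function that repeats the unsafe pattern the advisory describes (fetch URLs from a request parameter, write the bytes straight into the uploads directory), beside a hardened version that checks authorization, restricts the extension and verifies the file content with WordPress's own upload helpers. Function names and the image allowlist are assumptions.

```php
<?php
// Added example, not the plugin's code. Requires a WordPress runtime;
// these files provide download_url(), wp_check_filetype_and_ext() and
// media_handle_sideload().
require_once ABSPATH . 'wp-admin/includes/file.php';
require_once ABSPATH . 'wp-admin/includes/media.php';
require_once ABSPATH . 'wp-admin/includes/image.php';

// UNSAFE (hypothetical): no authorization, no extension or content check.
// A URL ending in ".php" produces a web-reachable script under /uploads.
function example_download_images_unsafe( array $urls ) {
    $upload = wp_upload_dir();
    foreach ( $urls as $url ) {
        $data = file_get_contents( $url );                 // fetches anything
        $name = basename( parse_url( $url, PHP_URL_PATH ) ); // extension untouched
        file_put_contents( $upload['path'] . '/' . $name, $data );
    }
}

// HARDENED (hypothetical): capability check instead of a shared password,
// image-only allowlist, and content/extension agreement verified by core.
function example_download_images_safe( array $urls ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }
    // Assumed allowlist: only raster image types this feature needs.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $attachment_ids = array();
    foreach ( $urls as $url ) {
        $tmp = download_url( $url ); // temp file outside the webroot, or WP_Error
        if ( is_wp_error( $tmp ) ) {
            continue;
        }
        $name  = sanitize_file_name( basename( parse_url( $url, PHP_URL_PATH ) ) );
        $check = wp_check_filetype_and_ext( $tmp, $name, $allowed );
        // ext/type are false when the extension is not allowed or the bytes
        // do not match the claimed image type (e.g. PHP source named x.png).
        if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
            @unlink( $tmp );
            continue;
        }
        $file = array( 'name' => $check['proper_filename'] ?: $name, 'tmp_name' => $tmp );
        $id   = media_handle_sideload( $file, 0 ); // moves into uploads, registers attachment
        if ( is_wp_error( $id ) ) { @unlink( $tmp ); continue; }
        $attachment_ids[] = $id;
    }
    return $attachment_ids;
}
```

On a site that must keep the plugin, a server rule that refuses to execute PHP under wp-content/uploads is an independent second layer, since the hardened code only protects this one code path.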

Top Attacking IP Addresses:

  • 103.233.8.166 (Hong Kong)
  • 103.233.8.0 (Hong Kong)
  • 163.172.77.82 (France)
  • 84.17.37.217 (Hong Kong)
  • 84.17.57.0 (Hong Kong)

Wordfence Premium, Care, and Response users received a firewall rule on June 20, 2024. Free users got protection on July 20, 2024. After no response from the Keydatas team, the issue was escalated to the WordPress.org Security Team, leading to the plugin’s closure on July 16, 2024.


By FirstHackersNews | August 2nd, 2024 | BOTNET, Compromised, Exploitation, Security Advisory, Security Update, vulnerability