Active Attack on Zero Day in Custom Searchable Data Entry System Plugin

The Wordfence Threat Intelligence team is tracking a series of attacks against an unpatched vulnerability in the Custom Searchable Data Entry System plugin for WordPress. The estimated 2,000+ sites running the plugin are vulnerable to Unauthenticated Data Modification and Deletion, including the potential to delete the entire contents of any table in a vulnerable site’s database.

We have reached out to the plugin developer, however the plugin does not appear to be actively maintained. The last update occurred approximately one year ago.

We have released a firewall rule to protect against exploitation of this flaw. Wordfence Premium users have received this rule already, and users still on the free version of Wordfence will receive the rule in 30 days.

Attackers are currently abusing this exploit. As such, if you are not using Wordfence Premium, we recommend that you deactivate and delete this plugin from your sites and look for an alternative as a patch is not currently available.

The vulnerability in this plugin is being actively exploited, and the Wordfence Threat Intelligence team has seen over 10,000 active exploit attempts over the last few days in our attack data.

We are not disclosing further details about this vulnerability until we can determine feasibility of a fix by the plugin author.

Why We Are Disclosing Today

There is an active attack campaign underway that is targeting WordPress websites and exploiting this vulnerability. We made the decision to disclose the existence of this vulnerability now so that the global WordPress community can take steps to protect themselves immediately.

Update 03/12/2020

In response to our disclosure, the developer of the Custom Searchable Data Entry System plugin has removed it from the wordpress.org repository, and at this time it is no longer available for download. We’re also pleased to announce that, after a brief spike, attacks against this plugin have significantly diminished. As a reminder, we recommend deactivating and deleting this plugin from your WordPress installation as it is vulnerable and no longer maintained.

Special thanks to our Director of Threat Intelligence, Sean Murphy, who discovered the attack.
This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.

Did you enjoy this post? Share it!

Comments

2 Comments
  • Can i add a rule to Wordfence to have the plugin work on our site again? We need this plugin active and it appears i cannot turn it back on or re-install it:

    Unpacking the package…

    Installing the plugin…

    Could not create directory.. /.../......./wp-content/plugins/custom-searchable-data-entry-system/css

    Plugin installation failed.

    • Hi Reese!

      Wordfence shouldn't be preventing you from installing or activating the Custom Searchable Data Entry System plugin - if you deactivated and deleted it earlier, it's possible that it wasn't fully deleted, so the install might be failing because the directory already exists. If this is the case you'd want to access your site via FTP or file manager and fully delete the wp-content/plugins/custom-searchable-data-entry-system/ folder before reinstalling.