Wordfence Blog

Active Attack on Zero Day in Custom Searchable Data Entry System Plugin

This entry was posted in Vulnerabilities, WordPress Security on March 6, 2020 by Ram Gall

The Wordfence Threat Intelligence team is tracking a series of attacks against an unpatched vulnerability in the Custom Searchable Data Entry System plugin for WordPress. The estimated 2,000+ sites running the plugin are vulnerable to Unauthenticated Data Modification and Deletion, including the potential to delete the entire contents of any table in a vulnerable site’s database.

We have reached out to the plugin developer; however, the plugin does not appear to be actively maintained. The last update occurred approximately one year ago.

We have released a firewall rule to protect against exploitation of this flaw. Wordfence Premium users have received this rule already, and users still on the free version of Wordfence will receive the rule in 30 days.

Attackers are currently abusing this exploit. As such, if you are not using Wordfence Premium, we recommend that you deactivate and delete this plugin from your sites and look for an alternative as a patch is not currently available.

The vulnerability in this plugin is being actively exploited, and the Wordfence Threat Intelligence team has seen over 10,000 active exploit attempts over the last few days in our attack data.

We are not disclosing further details about this vulnerability until we can determine feasibility of a fix by the plugin author.

Why We Are Disclosing Today

There is an active attack campaign underway that is targeting WordPress websites and exploiting this vulnerability. We made the decision to disclose the existence of this vulnerability now so that the global WordPress community can take steps to protect themselves immediately.

Update 03/12/2020

In response to our disclosure, the developer of the Custom Searchable Data Entry System plugin has removed it from the wordpress.org repository, and at this time it is no longer available for download. We’re also pleased to announce that, after a brief spike, attacks against this plugin have significantly diminished. As a reminder, we recommend deactivating and deleting this plugin from your WordPress installation as it is vulnerable and no longer maintained.

Special thanks to our Director of Threat Intelligence, Sean Murphy, who discovered the attack.


2 Comments on "Active Attack on Zero Day in Custom Searchable Data Entry System Plugin"

Reese Irish March 9, 2020 at 1:37 pm

Can I add a rule to Wordfence to have the plugin work on our site again? We need this plugin active and it appears I cannot turn it back on or re-install it:

Unpacking the package…

Installing the plugin…

Could not create directory.. /.../......./wp-content/plugins/custom-searchable-data-entry-system/css

Plugin installation failed.

Ram Gall March 10, 2020 at 2:10 pm

Hi Reese!

Wordfence shouldn't be preventing you from installing or activating the Custom Searchable Data Entry System plugin - if you deactivated and deleted it earlier, it's possible that it wasn't fully deleted, so the install might be failing because the directory already exists. If this is the case you'd want to access your site via FTP or file manager and fully delete the wp-content/plugins/custom-searchable-data-entry-system/ folder before reinstalling.
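The advisory recommends deactivating and deleting the plugin, and the comment thread shows a reinstall failing because a leftover plugin directory was still present. The following POSIX shell script is an added example, not code from Wordfence or the plugin author: it inventories a server for the plugin directory named on this page and classifies each hit as a full install or a leftover directory. Locating WordPress installs by searching for wp-config.php is an assumption of this example.

```shell
#!/bin/sh
# Added example (not Wordfence's code). Inventory a server for the
# Custom Searchable Data Entry System plugin directory and report, per
# WordPress install, whether it is absent, fully installed (PHP files
# present) or a remnant directory with no PHP files, which is the state
# that blocks a reinstall as described in the comments.
# Assumption: each WordPress root is identified by a wp-config.php file.

PLUGIN_SLUG="custom-searchable-data-entry-system"

# classify_plugin_dir DIR -> prints "absent", "installed" or "remnant"
classify_plugin_dir() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "absent"
    elif find "$dir" -type f -name '*.php' | grep -q .; then
        echo "installed"
    else
        echo "remnant"
    fi
}

# scan_wp_roots SEARCH_ROOT -> one line per WordPress install found
# beneath SEARCH_ROOT, formatted "<wp root><TAB><status>"
scan_wp_roots() {
    search_root="$1"
    find "$search_root" -type f -name wp-config.php 2>/dev/null |
    while read -r cfg; do
        root=$(dirname "$cfg")
        status=$(classify_plugin_dir "$root/wp-content/plugins/$PLUGIN_SLUG")
        printf '%s\t%s\n' "$root" "$status"
    done
}

# Usage: sh inventory.sh /var/www  (scans every WordPress install below it)
if [ -n "${1:-}" ]; then
    scan_wp_roots "$1"
fi
```

Installs reported as "installed" should have the plugin deactivated and the directory removed; a "remnant" is the leftover folder that has to be deleted before any reinstall attempt can succeed.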
