Thousands of WordPress sites are vulnerable to takeover through a critical flaw in a widely used user registration plugin. Although the developer has released an update, most websites have not yet installed it. The vulnerability resides in the User Registration plugin, which allows WordPress sites to customize user registration pages and create user profile pages. Over 60,000 WordPress sites rely on this plugin.
It has been discovered that User Registration employs a hardcoded encryption key that is the same across all plugin installations. Additionally, it fails to validate certain file types when uploading profile images properly. As a result, an attacker could upload malicious PHP code disguised as a “profile image” and take control of the website. The developer was alerted to the vulnerability by researchers from security firm Wordfence on June 19th.
A security update was released on June 29th but did not fully address the issue. However, a fully functional patch was released on July 4th. According to WordPress data, out of the 60,000+ WordPress sites using the plugin, only 24,000 are up to date. Administrators who have not installed the latest version are urged to do so promptly, as Wordfence has publicly disclosed details about the vulnerability.