Wordfence published a writeup of a vulnerability chain — arbitrary file read combined with SQL injection — affecting more than a million WordPress installs through a single popular plugin. The original advisory is on the Wordfence Medium.
What the bugs actually do
Two issues, chained:
- Arbitrary file read — an unauthenticated request can pull file contents off the server. Once you can read `wp-config.php`, you have the database credentials and the secret keys used to sign WordPress auth cookies.
- SQL injection — input flows from a request into a query without being parameterised. The attacker doesn't even need the leaked credentials; they can use the SQL injection directly to read or modify the database.
Either bug alone is a problem. Chained, the attacker can read `wp-config.php`, use the credentials to log into the database directly (if that's exposed), or use the SQLi to insert an administrator account and log in through the front door.
How to tell if you're affected
- Confirm which version of the plugin is installed. Wordfence's advisory names the fixed version — anything earlier is vulnerable.
- Look at recent admin-user creations:

  ```sql
  SELECT user_login, user_registered FROM wp_users ORDER BY user_registered DESC LIMIT 10;
  ```

  Anything you don't recognise after the vulnerability went public should be investigated.
- Check your access logs for the URL pattern used in the disclosure (the Wordfence writeup includes the request shape). A search for that pattern across the last 90 days of logs will tell you whether anyone tried it.
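The user check above lists every account; the script below is an added example (not from the Wordfence advisory) that joins `wp_usermeta` so only accounts actually holding the administrator role, registered on or after a date you choose, are reported. It runs against an in-memory SQLite copy of the two tables with constructed rows; the `wp_` table and meta prefix and the sample data are assumptions.

```python
"""Find administrator accounts registered on/after a disclosure date."""
import sqlite3

# Minimal copies of the two WordPress tables the audit needs.
SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                       user_registered TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                          meta_key TEXT, meta_value TEXT);
"""

# Constructed sample data: a long-standing admin, a subscriber, and an
# admin created after a hypothetical disclosure date of 2024-06-14.
SAMPLE_USERS = [
    (1, "siteowner", "2021-03-02 10:00:00"),
    (2, "reader",    "2024-06-12 08:30:00"),
    (3, "wpsupport", "2024-06-15 02:14:09"),
]
SAMPLE_META = [
    (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, 2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (3, 3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# WordPress stores roles as a serialised PHP array in <prefix>capabilities,
# so a LIKE on the role name is how you filter for administrators.
QUERY = """
SELECT u.user_login, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
  AND u.user_registered >= ?
ORDER BY u.user_registered DESC
"""

def build_sample_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?, ?)", SAMPLE_META)
    return conn

def admins_registered_since(conn, since):
    """Return (login, registered) for admin accounts created on/after `since`."""
    return conn.execute(QUERY, (since,)).fetchall()

if __name__ == "__main__":
    db = build_sample_db()
    for login, when in admins_registered_since(db, "2024-06-14 00:00:00"):
        print(f"investigate: {login} registered {when}")
```

Against a live site, point the same query at MySQL and substitute your real `$table_prefix` in both the table names and the `capabilities` meta key.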
What to do
- Update the plugin to the patched version. Don't deactivate-and-forget — deactivated code still ships on disk, and attackers can sometimes coerce it to run.
- Rotate WordPress auth keys (the `AUTH_KEY`, `SECURE_AUTH_KEY`, etc. constants in `wp-config.php`). If `wp-config.php` was readable, those values are no longer secret.
- Rotate the database password.
- If you find an admin user you didn't create, treat the site as compromised: full forensic audit, malware scan, integrity check of `wp-includes/` and `wp-admin/`, and a fresh installation of plugins from known-good sources.
If any of that turns up findings you can't explain, open an engagement — we walk the diffs, look at the database, and write up what we found.