Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List.
On August 9, 2021, the Wordfence Threat Intelligence team attempted to initiate the responsible disclosure process for a vulnerability that we discovered in Access Demo Importer, a WordPress plugin installed on over 20,000 sites. This flaw made it possible for authenticated attackers with just subscriber level access to upload arbitrary files that could be used to achieve remote code execution. On sites with open registration, an anonymous user could easily register and exploit this vulnerability.
We initially attempted to reach out to the plugin vendor on August 9, 2021 and made a few additional attempts to get in contact with the vendor over the next few weeks. As the vendor failed to respond after 2 weeks despite multiple contact attempts, we escalated the issue to the WordPress.org plugins team. The plugins team responded immediately and closed the plugin for downloads on August 27, 2021, pending a full review. A partially patched version of the plugin was reopened for downloads around September 7, 2021. After following up with the developer and the WordPress plugins team, a fully patched version