CVE-2025-6187
The bSecure plugin for WordPress
Executive summary
A critical vulnerability has been identified in the bSecure plugin for WordPress, which could allow an unauthenticated attacker to gain full administrative control over an affected website. Successful exploitation of this flaw could lead to a complete site compromise, resulting in data theft, website defacement, or the distribution of malware to visitors. Due to the ease of exploitation and the high-impact nature of this vulnerability, immediate remediation is required.
Vulnerability
The bSecure plugin for WordPress contains a privilege escalation vulnerability due to a missing authorization check in its order_info REST API endpoint. An unauthenticated attacker can send a specially crafted request to this endpoint to create a new user account with administrative privileges or escalate the privileges of an existing low-level account. This bypasses standard authentication and security measures, granting the attacker complete control over the WordPress site.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could have a severe business impact, including a complete compromise of the WordPress site's confidentiality, integrity, and availability. Potential consequences include the theft of sensitive customer data and order information, reputational damage from website defacement, and financial loss. A compromised website could also be leveraged to host phishing campaigns or malware, posing a security risk to customers and potentially leading to blacklisting by search engines.
Remediation
Immediate Action: Update the bSecure plugin for WordPress to the latest version (version 1.8.0 or newer), which addresses this vulnerability. After patching, review all user accounts, particularly those with administrative privileges, to confirm that no unauthorized accounts have been created.
Proactive Monitoring: Review web server access logs for suspicious POST requests to the bSecure plugin's REST API endpoints, such as .../wp-json/bsecure/v1/order_info. Monitor for the creation of new administrative users or unexpected changes to user roles in WordPress security audit logs. Implement file integrity monitoring to detect unauthorized modifications to plugin or core WordPress files.
Compensating Controls: If patching is not immediately possible, consider implementing a Web Application Firewall (WAF) rule to block access to the vulnerable endpoint. As a last resort, temporarily disable the bSecure plugin until it can be safely updated to a patched version.
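As an added example (not taken from the advisory or from the plugin vendor), the following Python script applies the log-review step above to web server access logs in combined format: it flags POST requests to the order_info endpoint named in the advisory and groups them by source address so they can be cross-checked against new or elevated administrator accounts. The log lines are constructed samples, and the path handling assumes the site may be installed under a sub-path.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Jun/2025:14:02:11 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2025:14:02:13 +0000] "POST /wp-json/bsecure/v1/order_info HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2025:14:03:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2025:14:04:02 +0000] "POST /shop/wp-json/bsecure/v1/order_info?x=1 HTTP/1.1" 200 298 "-" "curl/8.4.0"
192.0.2.9 - - [10/Jun/2025:14:05:00 +0000] "GET /wp-json/bsecure/v1/order_info HTTP/1.1" 401 58 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Endpoint named in the advisory; matched anywhere in the path because the
# advisory writes it as .../wp-json/bsecure/v1/order_info (sub-path installs).
ENDPOINT_RE = re.compile(r'/wp-json/bsecure/v1/order_info(?:[/?]|$)')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Return POST requests to the order_info endpoint, the traffic the advisory
    says to review. The status is kept so 2xx responses can be triaged first."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and ENDPOINT_RE.search(rec["path"]):
            hits.append({k: rec[k] for k in ("ip", "ts", "path", "status")})
    return hits


def sources_to_triage(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group hit timestamps by source IP so a reviewer can compare them with
    the creation times of administrator accounts in the WordPress audit log."""
    by_ip: Dict[str, List[str]] = {}
    for h in hits:
        by_ip.setdefault(h["ip"], []).append(h["ts"])
    return by_ip


if __name__ == "__main__":
    for ip, times in sources_to_triage(find_suspicious(SAMPLE_ACCESS_LOG)).items():
        print(ip, times)
```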
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.8, this vulnerability poses an immediate and significant risk to the organization. We strongly recommend that all systems running the affected versions of the bSecure plugin be patched immediately. Although this vulnerability is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity makes it a prime candidate for future inclusion. Due to the high likelihood of future exploitation, organizations must prioritize this remediation activity to prevent a complete compromise of their web assets.