The Wordfence Threat Intelligence team is tracking a series of attacks against an unpatched vulnerability in the Custom Searchable Data Entry System plugin for WordPress. The estimated 2,000+ sites running the plugin are vulnerable to Unauthenticated Data Modification and Deletion, including the potential to delete the entire contents of any table in a vulnerable site’s database.
We have released a firewall rule to protect against exploitation of this flaw. Wordfence Premium users have received this rule already, and users still on the free version of Wordfence will receive the rule in 30 days.
More details on the blog.
Ram Gall – Wordfence Senior QA