A threat actor claims to have discovered a 0-day vulnerability in a WordPress plugin with over 50 million downloads. This vulnerability exploits broken access control, letting attackers create admin users under certain conditions. The actor offers the vulnerability details for $500 and the exploit for $700, including a proof of concept.
The actor explains the low price by noting that the exploit requires specific admin panel actions, which users rarely do. The claims indicate a potential risk, but it’s unclear if they’re accurate or if patches exist to fix this issue.
