Prominent vulnerability broker Zerodium says it is temporarily tripling payouts for exploits for WordPress vulnerabilities that enable remote code execution on the latest versions of the CMS.
The company now values such vulnerabilities, together with working exploits for them, at $300,000 (versus the usual $100,000). The increase is known to be temporary, but Zerodium has not yet disclosed either the reason for the decision or the date on which this “campaign” will end.
As with its other exploit acquisitions, Zerodium requires the WordPress exploit to work against a clean CMS installation with the default configuration, without authentication and without user interaction. In other words, exploits for vulnerabilities in third-party plugins, no matter how popular and widespread those plugins are, will not qualify.
Let me remind you that attacks on WordPress plugins are becoming more widespread. I previously wrote about a dangerous vulnerability discovered in the File Manager plugin, which is used by over 700,000 WordPress-based sites and which allows attackers to execute commands and malicious scripts on vulnerable sites.
It is also worth recalling that Wordfence discovered a massive attack on WordPress sites. Attackers are actively scanning for WordPress sites that use themes built on the Epsilon Framework, which can be vulnerable to a number of function injection issues that can ultimately lead to a complete compromise of the site.
It is worth noting that Zerodium offers the highest payouts for RCE exploits targeting Windows ($1,000,000) and exploits that can give an attacker full control over mobile devices ($2,500,000 for Android and $2,000,000 for iOS).
Let me also remind you that Zerodium, a well-known vulnerability broker, announced on Twitter that the company would no longer buy new exploits for vulnerabilities in iOS.