Connect with us

Hi, what are you looking for?



Unpatched WordPress Flaw Leads to Site Takeover, Code Execution

A file deletion vulnerability that remains unpatched 7 months after being reported allows for the complete takeover of WordPress sites and for arbitrary code execution.

A file deletion vulnerability that remains unpatched 7 months after being reported allows for the complete takeover of WordPress sites and for arbitrary code execution.

The security flaw supposedly impacts all WordPress versions, including the latest 4.9.6 iteration. An attacker looking to exploit the issue would first have to gain privileges to edit and delete media files.

“Thus, the vulnerability can be used to escalate privileges attained through the takeover of an account with a role as low as Author, or through the exploitation of another vulnerability/misconfiguration,” RIPS Technologies’ Karim El Ouerghemmi explains.

An attacker targeting the vulnerability can delete any file of the WordPress installation, as well as any file on the server the PHP process user has permissions to delete files from. An attacker could erase an entire WordPress installation and could also circumvent security measures to execute arbitrary code on the server.

Files that can be deleted include .htaccess (which may contain security related constraints), index.php files (granting an attacker a listing of all files in the WordPress directories), and wp-config.php (which contains the database credentials).

Deleting wp-config.php triggers the WordPress installation process on the next visit to the website, which allows the attacker to undergo the installation process and use admin credentials of their choice, thus being able to execute arbitrary code on the server.

The security researcher reported the vulnerability to WordPress in November last year, via HackerOne. The WordPress security team triaged and verified the issue soon after receiving the report, but no patch has been released to date, although they apparently estimated in January that a fix would become available within six months.

Advertisement. Scroll to continue reading.

A hotfix available from RIPS Technologies can be integrated by site admins into existing WordPress installations by adding it to the functions.php file of the active theme. By making sure that the data provided for the meta-value thumb does not contain code that would make path traversal possible, the hotfix prevents security-relevant files from being deleted.

“The provided fix shall ultimately be seen as a temporary fix in order to prevent attacks. We cannot oversee all possible backwards compatibility problems with WordPress plugins and advise to make any modifications to your WordPress files with caution,” RIPS Technologies notes.

Because it requires a user account, the vulnerability cannot be abused for the exploitation of arbitrary WordPress sites at scale. However, websites that share multiple user accounts should apply a hotfix, El Ouerghemmi points out.

Related: WordPress Disables Plugins That Expose e-Commerce Sites to Attacks

Related: One Computer Can Knock Almost Any WordPress Site Offline

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.