A file deletion vulnerability that remains unpatched 7 months after being reported allows for the complete takeover of WordPress sites and for arbitrary code execution.
The security flaw supposedly impacts all WordPress versions, including the latest 4.9.6 iteration. An attacker looking to exploit the issue would first have to gain privileges to edit and delete media files.
“Thus, the vulnerability can be used to escalate privileges attained through the takeover of an account with a role as low as Author, or through the exploitation of another vulnerability/misconfiguration,” RIPS Technologies’ Karim El Ouerghemmi explains.
An attacker targeting the vulnerability can delete any file of the WordPress installation, as well as any file on the server the PHP process user has permissions to delete files from. An attacker could erase an entire WordPress installation and could also circumvent security measures to execute arbitrary code on the server.
Files that can be deleted include .htaccess (which may contain security related constraints), index.php files (granting an attacker a listing of all files in the WordPress directories), and wp-config.php (which contains the database credentials).
Deleting wp-config.php triggers the WordPress installation process on the next visit to the website, which allows the attacker to undergo the installation process and use admin credentials of their choice, thus being able to execute arbitrary code on the server.
The security researcher reported the vulnerability to WordPress in November last year, via HackerOne. The WordPress security team triaged and verified the issue soon after receiving the report, but no patch has been released to date, although they apparently estimated in January that a fix would become available within six months.
A hotfix available from RIPS Technologies can be integrated by site admins into existing WordPress installations by adding it to the functions.php file of the active theme. By making sure that the data provided for the meta-value thumb does not contain code that would make path traversal possible, the hotfix prevents security-relevant files from being deleted.
“The provided fix shall ultimately be seen as a temporary fix in order to prevent attacks. We cannot oversee all possible backwards compatibility problems with WordPress plugins and advise to make any modifications to your WordPress files with caution,” RIPS Technologies notes.
Because it requires a user account, the vulnerability cannot be abused for the exploitation of arbitrary WordPress sites at scale. However, websites that share multiple user accounts should apply a hotfix, El Ouerghemmi points out.
Related: WordPress Disables Plugins That Expose e-Commerce Sites to Attacks
Related: One Computer Can Knock Almost Any WordPress Site Offline