A file deletion vulnerability that remains unpatched 7 months after being reported allows for the complete takeover of WordPress sites and for arbitrary code execution.
The security flaw supposedly impacts all WordPress versions, including the latest 4.9.6 iteration. An attacker looking to exploit the issue would first have to gain privileges to edit and delete media files.
“Thus, the vulnerability can be used to escalate privileges attained through the takeover of an account with a role as low as Author, or through the exploitation of another vulnerability/misconfiguration,” RIPS Technologies’ Karim El Ouerghemmi explains.
An attacker targeting the vulnerability can delete any file of the WordPress installation, as well as any file on the server the PHP process user has permissions to delete files from. An attacker could erase an entire WordPress installation and could also circumvent security measures to execute arbitrary code on the server.
Files that can be deleted include .htaccess (which may contain security related constraints), index.php files (granting an attacker a listing of all files in the WordPress directories), and wp-config.php (which contains the database credentials).
Deleting wp-config.php triggers the WordPress installation process on the next visit to the website, which allows the attacker to undergo the installation process and use admin credentials of their choice, thus being able to execute arbitrary code on the server.
The security researcher reported the vulnerability to WordPress in November last year, via HackerOne. The WordPress security team triaged and verified the issue soon after receiving the report, but no patch has been released to date, although they apparently estimated in January that a fix would become available within six months.
A hotfix available from RIPS Technologies can be integrated by site admins into existing WordPress installations by adding it to the functions.php file of the active theme. By making sure that the data provided for the meta-value thumb does not contain code that would make path traversal possible, the hotfix prevents security-relevant files from being deleted.
“The provided fix shall ultimately be seen as a temporary fix in order to prevent attacks. We cannot oversee all possible backwards compatibility problems with WordPress plugins and advise to make any modifications to your WordPress files with caution,” RIPS Technologies notes.
Because it requires a user account, the vulnerability cannot be abused for the exploitation of arbitrary WordPress sites at scale. However, websites that share multiple user accounts should apply a hotfix, El Ouerghemmi points out.
Related: WordPress Disables Plugins That Expose e-Commerce Sites to Attacks
Related: One Computer Can Knock Almost Any WordPress Site Offline
More from Ionut Arghire
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Pharmaceutical Giant Eisai Takes Systems Offline Following Ransomware Attack
- North Korean Hackers Blamed for $35 Million Atomic Wallet Crypto Theft
- Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- US, Israel Provide Guidance on Securing Remote Access Software
Latest News
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- Google Introduces SAIF, a Framework for Secure AI Development and Use
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Democrats and Republicans Are Skeptical of US Spying Practices, an AP-NORC Poll Finds
