A recently disclosed vulnerability in WordPress core could be exploited to escalate privileges, execute code remotely, and take full control of a WordPress site.
The vulnerability was discovered by security researchers at RIPS Technologies who reported the flaw to WordPress in November 2017. The WordPress team confirmed that the flaw existed but said it could take around 6 months to patch the flaw. Seven months on and the vulnerability has still not been fixed.
According to the researchers, the vulnerability affects all WordPress versions, including the latest release of the popular content management system, version 4.9.6.
The vulnerability is present in the WordPress CMS in one of the PHP functions that deletes thumbnails for images uploaded to WordPress sites.
The vulnerability can only be exploited by someone who already has a user account on the site, which limits its exposure. However, all that is required is a low-privilege account that can create posts and manage images and thumbnails (the Author role in a default WordPress installation). With such an account, the user could escalate privileges and take full control of the site.
The flaw is an arbitrary file deletion: the thumbnail-deletion code builds a path from attacker-influenced metadata without stripping path traversal sequences, so an attacker can delete any file the web server process is allowed to write to, including the .htaccess file. The researchers note that the attacker could delete the wp-config.php file, which causes WordPress to re-run its installation routine on the next request. The attacker can then complete the installation with database settings they control, obtain an administrator account on the reinstalled site, and from there install plugins, which means running arbitrary PHP on the server.
RIPS Technologies is offering a hotfix to prevent the flaw from being exploited until a patch is released by WordPress. The hotfix can be added to the functions.php file of the active theme, where it prevents security-relevant files from being deleted through this path.
“All the provided Hotfix does is to hook into the wp_update_attachment_metadata() call and make sure that the data provided for the meta-value thumb does not contain any parts making path traversal possible,” said RIPS. However, they did note that the hotfix should be applied with caution as “We cannot oversee all possible backwards compatibility problems with WordPress plugins.”