A new vulnerability in core components of the WordPress CMS was published on June 26, 2018 by the RIPS team.
It affects all WordPress versions (up to the latest stable release, 4.9.6), and no official fix has been provided yet.
The RIPS team published a temporary fix in its original article.
The CERT rates the severity of this vulnerability as Major (partly because no official patch is available).
Exploiting this vulnerability requires authentication with an Author-role account (which grants edit and delete rights on media files).
It gives an attacker arbitrary file deletion capability on the web server (within the permissions of the PHP user).
Denial of service is an important risk in this scenario, but an attacker can also:
- Disable security functionality configured in files (.htaccess, index.php, etc.)
- Hijack the website via a forced reinstall (wp-config.php, as shown in the example video)
The vulnerable code (lack of proper user input filtering) is located in wp-includes/post.php. Technical details are available in the original article.
According to the RIPS team, this vulnerability was reported to the WordPress team on November 20, 2017 and had still not been patched 7 months later.
While the official patch remains unavailable, Devoteam CERT recommends carrying out a permission review to identify potential attackers in the user database. It is also advised to monitor logs closely and to run automated backups more frequently.
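As an added illustration of the kind of interim hardening and detection a site operator can deploy (example code written for this page, not the RIPS temporary fix nor WordPress core code), the must-use plugin below strips directory components from attachment metadata before it is stored and audits metadata already in the database. It assumes, as described in the RIPS write-up, that the unfiltered value is the `thumb` entry of the attachment metadata that wp_delete_attachment() joins to the upload path before unlinking; the function names prefixed `amph_` are hypothetical.

```php
<?php
/**
 * Plugin Name: Attachment metadata path hardening (example)
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * Assumption (from the RIPS write-up): the unfiltered value is the 'thumb'
 * entry of the attachment metadata, later joined to the upload path and unlinked.
 */

// True when a value carries anything beyond a bare file name (directory parts, NUL byte).
function amph_is_traversal( $value ) {
    if ( ! is_string( $value ) ) {
        return false;
    }
    return $value !== basename( $value ) || false !== strpos( $value, "\0" );
}

// Mitigation: reduce 'thumb' and every size entry to a bare file name on each save.
function amph_sanitize_attachment_metadata( $data, $post_id ) {
    if ( isset( $data['thumb'] ) && amph_is_traversal( $data['thumb'] ) ) {
        // Log the rejected value so the event shows up in the log review.
        error_log( sprintf( 'attachment %d: rejected thumb value %s', $post_id, $data['thumb'] ) );
        $data['thumb'] = basename( $data['thumb'] );
    }
    if ( ! empty( $data['sizes'] ) && is_array( $data['sizes'] ) ) {
        foreach ( $data['sizes'] as $size => $info ) {
            if ( isset( $info['file'] ) ) {
                $data['sizes'][ $size ]['file'] = basename( $info['file'] );
            }
        }
    }
    return $data;
}
add_filter( 'wp_update_attachment_metadata', 'amph_sanitize_attachment_metadata', 10, 2 );

// Detection: list attachments whose stored metadata already contains a traversal,
// for correlation with the user permission review (post ID => suspicious value).
function amph_find_tampered_attachments() {
    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT post_id, meta_value FROM {$wpdb->postmeta}
          WHERE meta_key = '_wp_attachment_metadata'"
    );
    $hits = array();
    foreach ( $rows as $row ) {
        $meta = maybe_unserialize( $row->meta_value );
        if ( is_array( $meta ) && isset( $meta['thumb'] ) && amph_is_traversal( $meta['thumb'] ) ) {
            $hits[ (int) $row->post_id ] = $meta['thumb'];
        }
    }
    return $hits;
}
```

The audit function can be called from a WP-CLI `eval` or a one-off admin page; any non-empty result identifies the uploading account to examine in the permission review.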