A file removal flaw that leftover unfixed seven months after being informed permits for the whole coup of WordPress websites and for random code implementation. The security vulnerability apparently influences entire WordPress versions, containing the modern 4.9.6 restatement. A hacker is looking to exploit the concern would initially have to acquire rights to perform changes likely edit or delete the media files.
“Thus, the vulnerability can be used to escalate privileges attained through the takeover of an account with a role as low as Author, or through the exploitation of another vulnerability/misconfiguration,” RIPS Technologies’ Karim El Ouerghemmi explains.
The hacker aiming the flaw can erase any file type of the WordPress installation, any file on the server as well, the PHP progression user has authorizations to erase files from. The hacker could delete complete WordPress installation as well and could merely avoid security actions to implement random code on the server. The files that can be erased easily comprise .htaccess (which may enclose security associated limitations), index.php files (allowing a hacker item of entire files in the WordPress directories), and wp-config.php (which includes the database credentials).
Erasing wp-config.php activates the WordPress installation procedure on the following visit to the website, which permits the hacker to experience the installation procedure and practice admin credentials of their selection, therefore being capable to perform random code on the server. The security investigator informed the flaw to WordPress in November previous year, via HackerOne. The WordPress security group triaged and proved the matter rapidly after acquiring the report, however no fix has been announced to date, although they seemingly projected in January that a patch would develop available within six months.
A hotfix accessible from RIPS Technologies can be combined by website admins into present WordPress installations by accumulating it to the functions.php file of the active theme. It is to ensure that the data facts delivered for the meta-value thumb does not include code that would mark path traversal probable, the hotfix avoids security-relevant files from being erased.
“The provided fix shall ultimately be seen as a temporary fix in order to prevent attacks. We cannot oversee all possible backwards compatibility problems with WordPress plugins and advice to make any modifications to your WordPress files with caution,” RIPS Technologies notes.
Since it needs a user account, the flaw cannot be harmed for the mistreatment of random WordPress websites at balance. But, websites that segment numerous user accounts should relate a hotfix, El Ouerghemmi points out.