Wordpress Serious Wordpress Vulnerability Revealed

BamaStangGuy · Jun 27, 2018

WARNING: WordPress File Delete to Code Execution

WordPress is the most popular CMS on the web. According to w3tech, it is used by approximately 30% of all websites1. This wide adoption makes it an interesting target for cyber criminals. In this blog post we are going to introduce an authenticated arbitrary file deletion vulnerability in the WordPress core that can lead to attackers executing arbitrary code. The vulnerability was reported 7 months ago to the WordPress security team but still remains unpatched. The long time elapsed since the initial reporting without any patch or concrete plans has led us to the decision to make it public.

eva2000 · Jun 27, 2018

thanks for the heads up, though you'd already be in a compromising position to be able to take advantage of this vulnerability

Who is affected
At the time of writing no patch preventing this vulnerability is available. Any WordPress version, including the current 4.9.6 version, is susceptible to the vulnerability described in this blogpost.

For exploiting the vulnerability discussed in the following an attacker would need to gain the privileges to edit and delete media files beforehand. Thus, the vulnerability can be used to escalate privileges attained through the takeover of an account with a role as low as Author, or through the exploitation of another vulnerability/misconfiguration.
Click to expand...

Jon Snow · Jun 27, 2018

I never allow people to sign up to my wordpress install and I only give accounts out to people I trust. Wordpress generates a strong password so I'm not too worried about this.

eva2000 · Jun 28, 2018

Yeah being a sole single owner/admin managing servers and sites is alot easier. Though in Wordpress case I am sure it's pretty common to have more than one Author role assigned user to a Wordpress install. Guess this is where the vulnerability opens up.

If you have more than one Author/owner on Wordpress blog, probably good idea to enable a two factor authentication (2FA) plugin for user logins too in case those accounts get compromised.

eva2000 · Jun 29, 2018

Someone on Reddit made a plugin for this patch r/PHP - Unpatched WordPress vulnerability allows code execution for authors - PHP coders can inspect it at kkarpieszuk/rips_hotfix

eva2000 · Jul 6, 2018

looks like the reveal forced WP's hands WordPress 4.9.7 Security and Maintenance Release

WordPress 4.9.7 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

WordPress versions 4.9.6 and earlier are affected by a media issue that could potentially allow a user with certain capabilities to attempt to delete files outside the uploads directory.

Thank you to Slavco for reporting the original issue and Matt Barry for reporting related issues.

Seventeen other bugs were fixed in WordPress 4.9.7. Particularly of note were:

Taxonomy: Improve cache handling for term queries.

Posts, Post Types: Clear post password cookie when logging out.

Widgets: Allow basic HTML tags in sidebar descriptions on Widgets admin screen.

Community Events Dashboard: Always show the nearest WordCamp if one is coming up, even if there are multiple Meetups happening first.

Privacy: Make sure default privacy policy content does not cause a fatal error when flushing rewrite rules outside of the admin context.

Click to expand...

eva2000 · Jul 7, 2018

and more at WordPress Update – 4.9.7 Security & Maintenance Release

Included in this release is a patch that protects against a vulnerability allowing bad actors to delete files from your site. If certain circumstances are met, this vulnerability may be enough for an attacker to completely take control of your website.

Are You at Risk?
If you don’t have automatic updates enabled or are using WordPress version 4.9.6 or earlier, your site may be vulnerable to this security issue originally reported by Slavco.

Technical Details
As mentioned in the original full disclosure article, the media editor page relies on user input to specify what file to delete when removing an attachment from the site. This may allow bad actors to delete files outside of the uploads directory and potentially take control of your website.

Due to the nature of this editor, this bug can only be exploited by users with file upload privileges Author or higher.

In order to take over a site using this vulnerability, an attacker needs to remove important files from the site’s directory, such as wp-config.php. This would force WordPress to run its installation scripts again, but using the attacker’s information instead.
Click to expand...

Log in / Register

Forums

Want more timely Centmin Mod News Updates?

Wordpress Serious Wordpress Vulnerability Revealed

BamaStangGuy Active Member

eva2000 Administrator Staff Member

Jon Snow Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Want more timely Centmin Mod News Updates?

Wordpress Serious Wordpress Vulnerability Revealed

BamaStangGuy Active Member

eva2000 Administrator Staff Member

Jon Snow Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.