Unpatched WordPress Flaw Gives Attackers Full Control Over Your Site

By cyberonesol


Last week we received a tip about an unpatched vulnerability in the WordPress core, which could allow a low-privileged user to hijack the whole site and execute arbitrary code on the server.

Discovered by researchers at RIPS Technologies GmbH, the “authenticated arbitrary file deletion” vulnerability was reported 7 months ago to the WordPress security team but remains unpatched and affects all versions of WordPress, including the current 4.9.6.

The vulnerability resides in one of the core functions of WordPress that runs in the background when a user permanently deletes the thumbnail of an uploaded image.

The researchers found that the thumbnail delete function accepts unsanitized user input. If that input is tampered with, a user with limited privileges (at least the Author role) can delete any file on the web host that the web server process is permitted to remove, something that should be possible only for server or site administrators.

The requirement for an Author-level account reduces the severity of this flaw to some extent, but it can still be exploited by a rogue user who holds such an account, or by an attacker who obtains an author's credentials through phishing, password reuse or other attacks.

The researchers say that using this flaw an attacker can delete critical files such as ".htaccess", which usually carries security-related configuration, in an attempt to disable those protections.

Besides this, deleting the "wp-config.php" file, one of the most important configuration files in a WordPress installation and the one that holds the database connection details, forces the entire website back to the installation screen, which lets the attacker reconfigure the site from the browser and take complete control of it.

Note that the attacker cannot read the contents of wp-config.php to learn the existing database name, MySQL username and password, but does not need to: once the file is gone, the installer lets them set the site up again against a remote database server under their own control.

Once complete, the attacker can create a new admin account and take complete control over the website, including the ability to execute arbitrary code on the server.

“Besides the possibility of erasing the whole WordPress installation, which can have disastrous consequences if no current backup is available, an attacker can make use of the capability of arbitrary file deletion to circumvent some security measures and to execute arbitrary code on the web server,” researchers say.

In a proof-of-concept video published by the researchers, the vulnerability worked as described and forced the site back to the installation screen.

Website admins should not panic, though: until an official fix ships, the temporary hotfix provided by the researchers can be applied manually. Because exploitation requires an Author-level account, reviewing which users hold the Author role or higher, and keeping a current off-site backup of wp-config.php and the uploads directory, are sensible interim measures as well.
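The following is an added, runnable illustration of the pattern described above (an unsanitized thumbnail name spliced into a path and unlinked) next to a hardened version of the same step, plus a save-time sanitizer of the kind a hotfix could hook into metadata updates. It is not WordPress's own code and not the researchers' hotfix, neither of which this page reproduces; the function names, the `$meta['thumb']` key, the scratch directory layout and the traversal payload are all constructed for the demonstration.

```php
<?php
// Added illustrative example, not WordPress's own code. Function names, the
// $meta['thumb'] key and the scratch layout below are assumptions that mirror
// the pattern the article describes, not the real WordPress identifiers.

// Constructed scratch layout: <root>/wp-config.php and <root>/wp-content/uploads/
$root    = sys_get_temp_dir() . '/wp-demo-' . bin2hex(random_bytes(4));
$uploads = $root . '/wp-content/uploads';
mkdir($uploads, 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // constructed stand-in for the real config\n");
file_put_contents($uploads . '/photo.jpg', 'jpeg-bytes');
file_put_contents($uploads . '/photo-150x150.jpg', 'thumb-bytes');

// Vulnerable pattern: the thumb name stored in attachment metadata comes from
// the request verbatim, is spliced into the attachment's file name and then
// unlinked relative to the uploads directory with no check on where it resolves.
function delete_thumbnail_vulnerable(string $uploads, string $file, array $meta): ?string
{
    if (empty($meta['thumb'])) {
        return null;
    }
    $thumbfile = str_replace(basename($file), $meta['thumb'], $file);
    $target    = $uploads . '/' . $thumbfile;
    @unlink($target);
    return $target;
}

// Save-time sanitizer (hypothetical hotfix shape): drop any directory component
// from the thumb name before it is stored, so '../../wp-config.php' becomes
// 'wp-config.php' and can no longer climb out of the uploads directory.
function sanitize_thumb_meta(array $meta): array
{
    if (isset($meta['thumb'])) {
        $meta['thumb'] = basename($meta['thumb']);
    }
    return $meta;
}

// Hardened delete: apply the same basename() rule at deletion time and refuse
// to unlink anything whose resolved path is not inside the uploads directory.
function delete_thumbnail_hardened(string $uploads, string $file, array $meta): ?string
{
    $meta = sanitize_thumb_meta($meta);
    if (empty($meta['thumb'])) {
        return null;
    }
    $thumbfile = str_replace(basename($file), $meta['thumb'], $file);
    $base      = realpath($uploads);
    $target    = realpath($uploads . '/' . $thumbfile);
    if ($base === false || $target === false) {
        return null;                                  // nothing to delete
    }
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                  // resolved outside uploads: refuse
    }
    unlink($target);
    return $target;
}

// Metadata as a low-privileged user could submit it: a traversal string in
// place of a thumbnail file name (constructed payload).
$malicious = ['thumb' => '../../wp-config.php'];
$benign    = ['thumb' => 'photo-150x150.jpg'];

// Hardened code with the traversal payload leaves wp-config.php in place.
delete_thumbnail_hardened($uploads, 'photo.jpg', $malicious);
printf("hardened, traversal : wp-config.php present = %s\n",
    var_export(file_exists($root . '/wp-config.php'), true));

// Hardened code with a normal thumb name still removes the real thumbnail.
delete_thumbnail_hardened($uploads, 'photo.jpg', $benign);
printf("hardened, benign    : thumbnail present     = %s\n",
    var_export(file_exists($uploads . '/photo-150x150.jpg'), true));

// Vulnerable code with the traversal payload removes the config file.
delete_thumbnail_vulnerable($uploads, 'photo.jpg', $malicious);
printf("vulnerable, traversal: wp-config.php present = %s\n",
    var_export(file_exists($root . '/wp-config.php'), true));

// Remove the scratch tree.
@unlink($uploads . '/photo.jpg');
rmdir($uploads);
rmdir($root . '/wp-content');
rmdir($root);
```

Run it with `php example.php`. The containment check in `delete_thumbnail_hardened()` compares the `realpath()` of the candidate against the uploads directory plus a trailing separator, which also rejects sibling directories whose names merely start with `uploads`; the `basename()` applied at save time is the cheaper fix and is what stops the stored metadata from ever holding a traversal string, but keeping both means a later code path that skips the save-time hook still cannot delete outside the uploads tree.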

We expect the WordPress security team to patch this vulnerability in an upcoming release of the CMS.

About the author

cyberonesol administrator

Cyber One Solutions is a Managed Security and IT Services Provider headquartered in Houston, Texas. Since our inception, Cyber One Solutions has helped businesses of all sizes turn their IT into an unfair competitive advantage. We've been helping companies and organizations alike tackle their complex IT challenges through our unique approach to comprehensive technology management and consultancy services, as well as a commitment to excellence in customer service. We are one of the nation's leading Managed Service Providers with a deep bench of certified technical engineers and IT support staff ready to provide technology management and consultancy services to help businesses continue to grow and thrive.

