June 29, 2018
A recently disclosed vulnerability in the WordPress CMS core could be exploited to escalate privileges, remotely execute code, and take complete control of a WordPress site.
The vulnerability was discovered by security researchers at RIPS Technologies, who reported the flaw to WordPress in November 2017. The WordPress team confirmed that the flaw existed but said it could take about six months to fix it. Seven months on, the vulnerability has still not been patched.
According to the researchers, the vulnerability affects all WordPress versions, including the latest release of the popular content management system, version 4.9.6.
The vulnerability lies in one of the PHP functions in the WordPress core that deletes thumbnails for images uploaded to WordPress sites.
The vulnerability can only be exploited by someone who has a user account on the site, which limits the scope for abuse. Nevertheless, all that is needed is a low-privilege user account that lets the user create posts and manage images and thumbnails. With such an account, the user could escalate privileges, carry out an attack, and take complete control of the site.
It would be possible for an attacker to delete any file in the WordPress installation, including the .htaccess file. The researchers noted that the attacker could delete the wp-config.php file, restart the installation process, reinstall WordPress on the site with their own database settings, and inject their own content into the site.
RIPS Technologies is offering a hotfix to prevent the flaw from being exploited until a patch is released by WordPress. The hotfix can be added to the functions.php file of the active theme and prevents security-related files from being deleted.
“All the provided hotfix does is to hook into the wp_update_attachment_metadata() call and make certain that the data issued for the meta-value thumb doesn’t include any components making path traversal possible,” said RIPS. However, they did note that the hotfix must be applied with care, as “We can’t supervise all probable backward compatibility issues with WordPress plugins.”