June 29, 2018
A lately disclosed weakness in the WordPress CMS Core might be abused to increase privileges, distantly execute code, and take complete management of a WordPress site.
The weakness was found by safety scientists at RIPS Technologies who informed the fault to WordPress in November 2017. The WordPress team verified that the fault was there, however, said it might take about 6 months to repair the fault. Seven months on and the weakness has still not been repaired.
As per the scientists, the weakness influences all WordPress types, including the latest issue of the trendy content management system, type 4.9.6.
The weakness is present in the WordPress CMS in one of the PHP tasks that removes thumbnails for pictures uploaded to WordPress sites.
The weakness might only be abused by a person who has a user account on the site, which restricts the possibility for abuse of the flaw. Nevertheless, all that is needed is a low-privilege user account on the site that lets a user generate posts and administer images and thumbnails. With such an account, the user might increase privileges and pull off an attack and take complete control of the site.
It would be possible for an attacker to erase any file in the WordPress system including the .htaccess file. The scientists note that the attacker might erase the wp-config.php file, re-initiate the installation procedure, and install WordPress on the site with their own database settings and include their own content on the site.
RIPS Technologies is presenting a hotfix to avoid the fault from being abused until a patch is announced by WordPress. The hotfix can be incorporated into the functions.php file of the active theme, which would avoid security-relevant files from being erased.
“All the offered Hotfix does is to hook into the wp_update_attachement_metadata() call and making certain that the data offered for the meta-value thumb doesn’t contain any components making path traversal possible,” said RIPS. Nevertheless, they did note that the hotfix must be applied with care as “We can’t supervise all possible backward compatibility difficulties with WordPress plugins.”