WordPress Vulnerability Lets Full Site Takeover

June 29, 2018

A recently disclosed vulnerability in the WordPress CMS Core could be exploited to escalate privileges, remotely execute code, and take full control of a WordPress site.
The weakness was found by safety scientists at RIPS Technologies who informed the fault to WordPress in November 2017. The WordPress team verified that the fault was there, however, said it might take about 6 months to repair the fault. Seven months on and the weakness has still not been repaired.
According to the researchers, the vulnerability affects all WordPress versions, including the latest release of the popular content management system, version 4.9.6.
The weakness is present in the WordPress CMS in one of the PHP tasks that removes thumbnails for pictures uploaded to WordPress sites.
The vulnerability could only be exploited by an individual who has a user account on the site, which limits the potential for exploitation of the flaw. However, all that is required is a low-privilege user account on the site that allows a user to create posts and manage images and thumbnails. With such an account, the user could escalate privileges and pull off an attack and take full control of the site.
It would be possible for an attacker to erase any file in the WordPress system including the .htaccess file. The scientists note that the attacker might erase the wp-config.php file, re-initiate the installation procedure, and install WordPress on the site with their own database settings and include their own content on the site.
RIPS Technologies is offering a hotfix to prevent the flaw from being exploited until a patch is released by WordPress. The hotfix can be integrated into the functions.php file of the active theme, which would prevent security-relevant files from being deleted.
“All the offered Hotfix does is to hook into the wp_update_attachement_metadata() call and making certain that the data offered for the meta-value thumb doesn’t contain any components making path traversal possible,” said RIPS. Nevertheless, they did note that the hotfix must be applied with care as “We can’t supervise all possible backward compatibility difficulties with WordPress plugins.”