- An attacker could potentially exploit the vulnerability to delete any file of the WordPress installation.
- The vulnerability could also lead to malicious code execution on any affected WordPress site.
Security researchers have discovered a vulnerability in the core of WordPress that could allow hackers to delete files. Unlike previously reported flaws that are typically related to its plugins or themes, this bug was discovered in the PHP function that is used to delete thumbnails for images uploaded on a particular WordPress site.
The vulnerability was discovered by RIPS researchers, who notified WordPress about their findings in November last year. However, WordPress has not patched the vulnerability.
"At the time of writing, no patch preventing this vulnerability is available," the researchers said.
How can the vulnerability be exploited?
WordPress users that have access to the post-editor tool - which is used to upload or delete images (including image thumbnails) - could potentially insert malicious code into a site to delete critical files that are part of the WordPress CMS core, researchers found.
To exploit the vulnerability, a WordPress user needs a certain level of access, such as an Author role or higher. However, a registered low-level “User” account could also potentially elevate its privileges to take advantage of the flaw.
"Besides the possibility of erasing the whole WordPress installation, which can have disastrous consequences if no current backup is available, an attacker can make use of the capability of arbitrary file deletion to circumvent some security measures and to execute arbitrary code on the web server," researchers said.
About the Vulnerability
All WordPress CMS versions up to the latest version 4.9.6 have been found to be vulnerable.
Some of the files that can be deleted by a malicious attacker include .htaccess, index.php and wp-config.php, leading to additional, more severe consequences.
- Deleting the .htaccess file would likely deactivate any security-related constraints that the file contains.
- Deleting the index.php file would allow for access to a listing of all files in directories that are protected by this measure.
- Deleting wp-config.php would trigger the WordPress installation process on the next visit to the website. Since this file holds the database credentials, WordPress would treat the site as not yet installed and run the setup again, which the attacker can leverage to insert his own credentials for the administrator account and, from there, execute arbitrary code.
WordPress has yet to respond to the RIPS team’s report. But Tony Perez, co-founder of Sucuri, has confirmed the validity of their report to Bleeping Computer.
How do I fix it?
The RIPS researchers have released a temporary “Hotfix” for the vulnerability, given that the vulnerability could potentially be exploited en masse.
“The fix can be integrated into an existing WordPress installation by adding it to the ‘functions.php’ file of the currently active theme/child-theme,” researchers said. “All the provided Hotfix does is to hook into the wp_update_attachment_metadata() call and to make sure that the data provided for the meta-value thumb does not contain any parts making path traversal possible. Thus, no security relevant files can be deleted.”
However, they noted that the fix should be seen as a temporary one to prevent possible attacks. “We cannot oversee all possible backwards compatibility problems with WordPress plugins and advise to make any modifications to your WordPress files with caution,” they said.