Security researchers from RIPS disclosed today details about an unpatched security flaw impacting WordPress, the Internet’s most popular content management system (CMS).
RIPS researchers say they have told the WordPress team about this particular vulnerability in November last year, but the WordPress devs have failed to release a patch.
The vulnerability affects the core of the WordPress CMS and not one of its plugins or themes. More precisely, the bug was found in the PHP functions that delete thumbnails for images uploaded on a WordPress site.
RIPS researchers discovered that users who have access to the post editor —and can upload or delete images (and their thumbs)— can insert malicious code in a WordPress site that deletes crucial files part of the CMS core, something that should not be possible in any way without access to the server’s FTP.
The severity of this vulnerability is greatly reduced by the fact that only users of a certain access level (Author or higher) can exploit this bug, as only those users have the ability to create posts and manage associated images and thumbnails.
Nonetheless, RIPS experts warn that if an attacker manages to register even a low-level “User” account on a site and then elevate its privileges, he can exploit this vulnerability to hijack sites.
They can hijack sites because the vulnerability allows attackers to delete wp-config.php, which is a site’s config file. Attackers who delete this file can re-initiate the installation process and install the site using their own database settings, effectively hijacking the site to deliver custom or malicious content.
A video showing the RIPS team using the vulnerability to hijack a site:
The vulnerability affects all WordPress versions
According to RIPS, the vulnerability impacts all WordPress CMS versions, including the latest version, v4.9.6.
A spokesperson for the WordPress CMS team did not reply to a request for comment on the reasons why they didn’t patch the vulnerability reported by the RIPS team, but Tony Perez, co-founder of Sucuri, has confirmed to Bleeping Computer the validity of the RIPS report.
Because of the requirement to have an author-level account on a WordPress site, it is very unlikely that this vulnerability will be mass exploited.
Nevertheless, for blogs and other WordPress-powered sites with large userbases, the RIPS team has released a temporary hotfix (included at the bottom of their report, here).
This hotfix is a piece of PHP code that site owners must add to the functions.php file, inside the site’s currently active theme folder.
“All the provided Hotfix does is to hook into the wp_update_attachement_metadata() call and making sure that the data provided for the meta-value thumb does not contain any parts making path traversal possible,” the RIPS team said. “Thus, no security relevant files can be deleted.”