The internet has become a staple of modern life. Having a website has become a necessity for most small businesses to connect with potential customers and provide information on the business and their offerings. However, one of the most common website development tools, WordPress, has a major vulnerability that could allow full control of a website by an attacker.
WordPress is a Content Management System (CMS) for hosting websites. It provides a framework for easy site creation and maintenance without having to code every aspect of the website. WordPress is one of the most popular CMS tools, alongside others such as Drupal and Joomla, and is used in approximately 30% of all websites.
Security researchers at RIPSTech, a provider of security analysis solutions for PHP, discovered an authenticated arbitrary file deletion vulnerability in WordPress that could allow attackers to execute arbitrary code on the hosting web server or take the site down completely. As any responsible security researcher would do, RIPSTech reported the vulnerability to the WordPress security team in November 2017. However, when the WordPress team remained unresponsive as to when the issue would be fixed, RIPSTech decided to release the vulnerability details to the public in late June 2018 (a month past the six months the WordPress team had estimated it would need for a fix).
The vulnerability stems from a lack of user input sanitization when deleting the thumbnail of an image that was uploaded to the site. Because the thumbnail path is not validated, the input can redirect the deletion to other files on the system, including important site-related files. For instance, the .htaccess file, which can contain security restrictions, can be deleted to weaken the site's security, or the wp-config.php file can be removed, which causes the installation phase to be triggered the next time the site is loaded. This would allow the attacker to create their own administrator credentials, giving them complete control of the site. The index.php file can also be removed, exposing other files and directories on the server that it previously protected, and the entire WordPress installation could be deleted. This highlights the importance of maintaining frequent site backups, especially on a different system or network.
Exploiting this vulnerability does require an authenticated account on the site with at least Author-level privileges. That role allows uploading images to the site as well as deleting them, and therefore provides the ability to trigger the vulnerability. WordPress released version 4.9.7 containing a patch for the vulnerability, and users are strongly encouraged to update. Prior to this, RIPSTech released a temporary hotfix that checked that user input could not cause a path traversal, protecting security-relevant files.
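To make the path traversal concrete, the following is an added Python illustration (not code from WordPress or from the RIPSTech hotfix, which is PHP) of the unsafe pattern beside a hardened version: the thumbnail name taken from attachment metadata is joined onto the uploads directory and unlinked, and the hardened resolver strips directory components and verifies containment before anything is deleted. The uploads directory path, function names and sample file names are constructed for the example.

```python
import os

# Constructed sample of a WordPress-style uploads directory (assumption, not a real path).
UPLOAD_DIR = "/var/www/html/wp-content/uploads/2018/06"


def vulnerable_thumb_path(upload_dir: str, thumb: str) -> str:
    """Unsafe pattern: the 'thumb' value from attachment metadata is joined onto the
    upload directory and would be passed straight to unlink(). A value containing
    '../' sequences resolves to a path outside the uploads tree."""
    return os.path.normpath(os.path.join(upload_dir, thumb))


def hardened_thumb_path(upload_dir: str, thumb: str):
    """Return the path that may be deleted, or None if the name is rejected.

    Two layers of defence: keep only the basename (the idea behind the hotfix, which
    discards any directory component an attacker supplied), then resolve symlinks and
    confirm the result still lies inside the uploads directory."""
    name = os.path.basename(thumb.replace("\\", "/"))
    if not name or name in (".", ".."):
        return None
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath() differs from base if the candidate escaped via a symlink.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def delete_thumbnail(upload_dir: str, thumb: str) -> bool:
    """Delete a thumbnail only when its validated path is a regular file inside
    upload_dir. Returns True if a file was removed, False if rejected or absent."""
    target = hardened_thumb_path(upload_dir, thumb)
    if target is None or not os.path.isfile(target):
        return False
    os.unlink(target)
    return True


if __name__ == "__main__":
    traversal = "../../../../wp-config.php"  # constructed traversal value
    print("unsafe resolves to:", vulnerable_thumb_path(UPLOAD_DIR, traversal))
    print("hardened resolves to:", hardened_thumb_path(UPLOAD_DIR, traversal))
```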
Sources:
https://thehackernews.com/2018/06/wordpress-hacking.html
https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
https://indivigital.com/news/wordpress-core-vulnerability-could-give-would-beattackers-the-capability-to-delete-files/