Security Researchers at RIPSTechnologies (RIPSTECH) have disclosed a critical remote code executionvulnerability that has been present in WordPress for over 6 years.
By taking advantage of two separate vulnerabilities and theuse of a low privilege account an attacker can launch a code execution attackthat leads to full compromise of the WordPress site.
WordPress is one of the most popular website creation and content management systems, powering approximately 30% of the worlds websites.
The vulnerability which was bought to the attention of theWordPress security team back in October 2018, affects all previous versionsprior to 5.0.1 and 4.9.9.
By gaining access to an account with ‘author’ access privilegesor above, an attacker can manipulate the way that WordPress handles images andtheir meta-data, to exploit the first Path Traversal flaw.
Combining this with a second Local File Inclusion flaw, the attacker can then execute arbitrary code on the WordPress system. RIPSTECH states:
“An attacker who gains access to an account with at least author privileges on a target WordPress site can execute arbitrary PHP code on the underlying server, leading to a full remote takeover.”
RIPSTECH have published a technical breakdown of the exploit on their blog which includes the brief video of how easy it is exploit the vulnerabilities.
A security patch has been released by the WordPress security team for versions 4.99 and 5.01, that renders this exploit unsuccessful, and prevents full remote takeover of the system.
Unfortunately, as it stands no patch or updated version is available to completely remove all these vulnerabilities, the Path Traversal vuln is still possible, but this is apparently due to be included in the next version of WordPress.
To ensure your WordPress installations are secure as possible, remember to:
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
