Security Researchers at RIPS Technologies (RIPSTECH) have disclosed a critical remote code execution vulnerability that has been present in WordPress for over 6 years.
By combining two separate vulnerabilities with access to a low-privilege account, an attacker can launch a code execution attack that leads to full compromise of the WordPress site.
WordPress is one of the most popular website creation and content management systems, powering approximately 30% of the world's websites.
The vulnerability, which was brought to the attention of the WordPress security team back in October 2018, affects all versions prior to 5.0.1 and 4.9.9.
By gaining access to an account with ‘author’ access privileges or above, an attacker can manipulate the way that WordPress handles images and their meta-data, to exploit the first Path Traversal flaw.
Combining this with a second Local File Inclusion flaw, the attacker can then execute arbitrary code on the WordPress system. RIPSTECH states:
“An attacker who gains access to an account with at least author privileges on a target WordPress site can execute arbitrary PHP code on the underlying server, leading to a full remote takeover.”
A security patch has been released by the WordPress security team for versions 4.9.9 and 5.0.1 that renders this exploit unsuccessful and prevents full remote takeover of the system.
Unfortunately, as it stands, no patch or updated version is available that completely removes all of these vulnerabilities. The Path Traversal vulnerability is still possible, but a fix is apparently due to be included in the next version of WordPress.
To ensure your WordPress installations are as secure as possible, remember to:
- always keep your WordPress installation regularly updated
- perform regular updates of associated plug-ins
- take regular backups of your WordPress system, including prior to any of the above updates
- test your service after any update, to ensure no issues have been introduced
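To check which installations on a server still predate the fixed releases named above, the following added example (not code from RIPSTECH or WordPress) scans a directory tree for `wp-includes/version.php` and compares `$wp_version` against 4.9.9 and 5.0.1. It assumes that 5.x installs are compared with 5.0.1 and everything older with 4.9.9, and "patched" refers only to the code execution chain, not the remaining Path Traversal issue.

```python
import re
import sys
from pathlib import Path

# Fixed releases named in the article; anything older on its branch is flagged.
# Assumption: 5.x is compared with 5.0.1, all earlier branches with 4.9.9.
FIXED_4X = (4, 9, 9)
FIXED_5X = (5, 0, 1)

# Matches the assignment in wp-includes/version.php, e.g.  $wp_version = '4.9.8';
WP_VERSION_RE = re.compile(
    r"""^\s*\$wp_version\s*=\s*['"](\d+\.\d+[^'"]*)['"]\s*;""", re.M)


def parse_wp_version(php_source):
    """Return the version string assigned to $wp_version, or None if absent."""
    match = WP_VERSION_RE.search(php_source)
    return match.group(1) if match else None


def version_tuple(version):
    """'4.9' -> (4, 9, 0); suffixes such as '-RC1' are ignored."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not match:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_affected(version):
    """True if the version predates the fixed release for its major branch."""
    parsed = version_tuple(version)
    fixed = FIXED_5X if parsed[0] >= 5 else FIXED_4X
    return parsed < fixed


def audit(root):
    """Return [(install_dir, version, status)] for every WordPress below root."""
    findings = []
    for path in sorted(Path(root).rglob("version.php")):
        if path.parent.name != "wp-includes":
            continue  # some plugin's version.php, not WordPress core
        version = parse_wp_version(path.read_text(errors="replace"))
        if version is None:
            status = "unknown"
        else:
            status = "affected" if is_affected(version) else "patched"
        findings.append((str(path.parent.parent), version, status))
    return findings


if __name__ == "__main__":
    for install_dir, version, status in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:9} {version or '?':10} {install_dir}")
```

Run it with the web root as the only argument; installs reported as "unknown" have a `version.php` that could not be parsed and should be inspected by hand.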
Ironshare – Security Simplified