Update: A week after the disclosure WordPress has released a patch in 4.9.7 to address this security issue
A recently disclosed vulnerability by RIPSTech shows how an attacker could gain full access to a WordPress website. While it does require an authenticated user to carry out the attack it would be possible to take full control of a WordPress website by only having the Author role (or any role that can manage uploaded media). By design, authors should only be able to delete files added to the media library, and not core WordPress files.
Who is affected?
Despite WordPress being notified of this vulnerability 7 months ago, there is still no patch as of the current WordPress version 4.9.6 (now fixed in 4.9.7). However there is hotfix created by RIPSTech which we have pushed out to all WordPress websites hosted at WP Charged, in order to secure users against this potential threat.
What is the vulnerability and how can it be used?
WordPress allows the filename of a thumbnail image that’s stored in the database to be edited by authenticated users, by issuing a simple POST request to the attachment page. An attacker could therefore replace the default thumbnail filename with the path to any other file located on the WordPress installation. As WordPress deletes all thumbnail versions with the original image on deletion, all the attacker would need to is to delete the image in the media library to have their specified file deleted.
The following files could be deleted by an attacker to gain access to the greater WordPress install:
- .htaccess or files related to security – Allowing attackers to bypass security rules added to the htaccess file or security plugin firewalls.
- index.php – Allowing directory listing of folders such as backup folders, therefore allowing files created by backup plugins to be found and downloaded.
- wp-config.php – This would force WordPress to reset to the install screen, allowing full access to the website.
All three of the above attack vectors are already protected or monitored for on WP Charged, however this attack could still cause damage.
If secure WordPress hosting is important to your business be sure to use a managed WordPress host that actively patches against WordPress threats.