- Researchers discovered a critical remote code execution vulnerability in WordPress that went unnoticed for 6 years.
- The flaw is exploited by chaining two separate vulnerabilities, a Path Traversal and a Local File Inclusion.
- The vulnerability was discovered by security researchers at RIPS Technologies GmbH.
- The flaw affects every WordPress version released in the past 6 years, i.e. all versions prior to 5.0.3.
Security researchers have discovered a critical remote code execution vulnerability in WordPress that remained unpatched for 6 years.
The vulnerability was discovered by security researchers at RIPS Technologies GmbH and affects all versions of WordPress prior to version 5.0.3.
The flaw is exploited by chaining two vulnerabilities, a Path Traversal and a Local File Inclusion, which together lead to remote code execution in the WordPress core and a full remote takeover of the site.
The flaw can be exploited by an attacker who has access to an account with at least author privileges (the lowest role that can upload images), allowing them to execute arbitrary PHP code on the underlying server. It is therefore a post-authentication bug, but one reachable from a low-privileged account.
The attack takes advantage of the way the WordPress image management system handles Post Meta entries, which store information such as the description, size, creator, and other metadata of uploaded images.
Researchers discovered that an attacker with at least author privileges can modify the Post Meta entries associated with an image, including the _wp_attached_file entry that records where the image is stored, which leads to a Path Traversal vulnerability.
“The idea is to set _wp_attached_file to evil.jpg?shell.php, which would lead to an HTTP request being made to the following URL: https://targetserver.com/wp-content/uploads/evil.jpg?shell.php. This request would return a valid image file, since everything after the ? is ignored in this context. The resulting filename would be evil.jpg?shell.php,” the researchers wrote in their post.
Combining the Path Traversal flaw with a Local File Inclusion flaw in the theme directory allows an attacker to execute arbitrary code on the targeted server: the traversal is used to place the crafted image file in the theme directory, and the file inclusion is used to load it as PHP.
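The quoted mechanic is the core of the bug: the same string is a URL when WordPress fetches the image over HTTP (where the `?` starts a query string and is ignored) and a filesystem path when WordPress writes the cropped copy (where `?` is just another character). The following Python model, added here as an illustration and not code from WordPress or from the RIPS post, shows both interpretations side by side for a benign value, for the `evil.jpg?shell.php` value from the quote, and for a constructed traversal value, and ends with the kind of check that rejects such metadata. The directory and URL constants and the traversal string are assumptions for the example; the real attack chain additionally needs the image payload to survive cropping and a theme-template inclusion, which this model does not reproduce.

```python
"""Model of how a _wp_attached_file value is interpreted twice (added example, not WordPress code)."""
import posixpath
from urllib.parse import urlsplit

# Assumed layout for the example; not taken from a real site.
UPLOADS_DIR = "/var/www/html/wp-content/uploads"
UPLOADS_URL = "https://targetserver.com/wp-content/uploads"


def served_path_for(attached_file: str) -> str:
    """Path the web server actually resolves when the stored value is fetched over HTTP.

    Everything after '?' becomes the query string, so 'evil.jpg?shell.php'
    still returns the genuine image at evil.jpg.
    """
    return urlsplit(UPLOADS_URL + "/" + attached_file).path


def attachment_local_path(attached_file: str) -> str:
    """Filesystem path WordPress-style code builds from the same stored value.

    Here '?' is an ordinary filename character and '..' segments are honoured,
    so the stored value can steer the write outside the uploads directory.
    """
    return posixpath.normpath(posixpath.join(UPLOADS_DIR, attached_file))


def cropped_filename(attached_file: str) -> str:
    """Name given to the cropped copy: 'cropped-' prefixed to the basename.

    Mirrors the str_replace(basename, 'cropped-' . basename, path) pattern; the
    suffix after '?' survives into the written filename.
    """
    base = posixpath.basename(attached_file)
    return attached_file.replace(base, "cropped-" + base)


def is_within_uploads(path: str) -> bool:
    """True if a normalised absolute path stays inside UPLOADS_DIR."""
    real = posixpath.normpath(path)
    return real == UPLOADS_DIR or real.startswith(UPLOADS_DIR + "/")


def validate_attached_file(attached_file: str) -> bool:
    """Hardened check (assumed, not WordPress's own): reject values that carry
    a query separator, a backslash or an absolute path, and confirm the
    resolved write location is still under the uploads directory."""
    if "?" in attached_file or "\\" in attached_file or attached_file.startswith("/"):
        return False
    return is_within_uploads(attachment_local_path(attached_file))


# Constructed sample values: one benign, the one from the quote, and a traversal variant.
SAMPLES = [
    "2019/02/photo.jpg",
    "evil.jpg?shell.php",
    "evil.jpg?/../../themes/sometheme/shell.jpg",  # assumed traversal payload shape
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"stored value : {value}")
        print(f"  HTTP fetch : {served_path_for(value)}")
        print(f"  local write: {attachment_local_path(cropped_filename(value))}")
        print(f"  accepted   : {validate_attached_file(value)}")
```

Run it and compare the two middle lines for each sample: the fetch always lands on `evil.jpg` (a valid image, so the crop succeeds), while the local write path keeps the `?shell.php` suffix or, with `..` segments, leaves the uploads directory entirely. The validation function is the simplest form of the fix a plugin or site owner could apply to metadata supplied by low-privileged users: canonicalise the path and confirm it is still inside the directory you intended.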
In WordPress versions 5.0.1 and 4.9.9 the chain became non-exploitable by default, because a patch for a different vulnerability prevents unauthorized users from setting arbitrary Post Meta entries.
However, the researchers also noted that the Path Traversal itself is still unpatched even in the latest version of WordPress and remains exploitable through any third-party plugin that allows overwriting arbitrary Post Meta entries.
The researchers have confirmed that WordPress will address the flaw in the next release. All users are advised to update their WordPress installation to the latest version and, in the meantime, to review installed plugins that let low-privileged users modify post metadata.
The researchers also published a video demonstrating how the attack works.