WordPress version 5.0.3, it’s a brilliant idea to upgrade the
content management software of your site now. By now, I mean
immediately.
Cybersecurity researchers at RIPS Technologies GmbH today shared
their latest
research[1] with The Hacker News,
revealing the existence of a critical remote code execution
vulnerability that affects all previous versions of WordPress
content management software released in the past 6 years.
The remote code execution attack, discovered and reported to the
WordPress security team late last year, can be exploited by a low
privileged attacker with at least an “author” account using a
combination of two separate vulnerabilities—Path Traversal and
Local File Inclusion—that reside in the WordPress core.
The requirement of at least an author account reduces the severity
of this vulnerability to some extent, though it could still be
exploited by a rogue content contributor or by an attacker who
manages to obtain an author’s credentials through phishing, password
reuse or other attacks.
“An attacker who gains access to an account with at least author
privileges on a target WordPress site can execute arbitrary PHP
code on the underlying server, leading to a full remote takeover,”
Scannell says.
Video Demonstration — Here’s How the Attack Works
According to Simon Scannell, a researcher at RIPS Technologies
GmbH, the attack takes advantage of the way the WordPress image
management system handles Post Meta entries, which store the
description, size, creator, and other meta information of uploaded
images. Scannell found that a rogue or compromised author account
can modify any entries associated with an image and set them to
arbitrary values, leading to the Path Traversal vulnerability.
“The idea is to set _wp_attached_file to evil.jpg?shell.php, which
would lead to an HTTP request being made to the following URL:
https://targetserver.com/wp-content/uploads/evil.jpg?shell.php,”
Scannell explains.
And, “it is still possible to plant the resulting image into any
directory by using a payload such as evil.jpg?/../../evil.jpg.”
Combined with a local file inclusion flaw in the theme directory,
this could then allow the attacker to execute arbitrary code on the
targeted server.
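A defender’s check for the weakness described above, added here as an example and not code from the article or from RIPS: it validates `_wp_attached_file` values against the payload shapes quoted by Scannell (query-string separators and traversal segments) and audits an exported `wp_postmeta` table for entries that fail. The allowlist of extensions and the sample rows are constructed for this example.

```python
import posixpath
import re

# Constructed allowlist of image extensions; tune to the upload types your site allows.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}


def check_attached_file(value):
    """Return (ok, detail) for one _wp_attached_file value.

    The value should be a path relative to wp-content/uploads, e.g.
    '2019/02/photo.jpg'. Anything that could change which file the server
    resolves (query strings, traversal segments, absolute paths, NUL bytes)
    is rejected, which covers both payload shapes quoted in the article.
    """
    if not value or "\x00" in value:
        return False, "empty value or NUL byte"
    if "?" in value or "#" in value:
        return False, "query or fragment separator in path"
    if "\\" in value or value.startswith("/") or re.match(r"^[A-Za-z]:", value):
        return False, "absolute path or backslash"
    if ".." in value.split("/"):
        return False, "dot-dot segment (path traversal)"
    normalized = posixpath.normpath(value)
    ext = posixpath.splitext(normalized)[1].lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension %r is not an allowed image type" % ext
    return True, normalized


def audit_postmeta(rows):
    """rows: (post_id, meta_key, meta_value) tuples exported from wp_postmeta.
    Returns (post_id, meta_value, reason) for each _wp_attached_file entry
    that fails check_attached_file; other meta keys are ignored."""
    findings = []
    for post_id, meta_key, meta_value in rows:
        if meta_key != "_wp_attached_file":
            continue
        ok, detail = check_attached_file(meta_value)
        if not ok:
            findings.append((post_id, meta_value, detail))
    return findings


# Constructed sample rows: two legitimate uploads plus the payload shapes quoted above.
SAMPLE_ROWS = [
    (11, "_wp_attached_file", "2019/02/photo.jpg"),
    (11, "_wp_attachment_metadata", "a:1:{...}"),
    (12, "_wp_attached_file", "2019/02/diagram.png"),
    (13, "_wp_attached_file", "evil.jpg?shell.php"),
    (14, "_wp_attached_file", "evil.jpg?/../../evil.jpg"),
    (15, "_wp_attached_file", "../../themes/twentyseventeen/evil.jpg"),
]

if __name__ == "__main__":
    for post_id, value, reason in audit_postmeta(SAMPLE_ROWS):
        print(f"post {post_id}: {value!r}: {reason}")
```

On a live site the same rows can be pulled with `SELECT post_id, meta_key, meta_value FROM wp_postmeta WHERE meta_key = '_wp_attached_file'` and fed to `audit_postmeta`.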
The attack, as shown in the proof-of-concept video shared by the
researcher, can be executed within seconds to gain complete control
over a vulnerable WordPress blog.
According to Scannell, the code execution attack became
non-exploitable in WordPress versions 5.0.1 and 4.9.9 after a patch
for another vulnerability was introduced that prevented
unauthorized users from setting arbitrary Post Meta entries.
However, the Path Traversal flaw is still unpatched even in the
latest WordPress version and can be exploited if any installed
3rd-party plugin incorrectly handles Post Meta entries.
Scannell confirmed that the next release of WordPress would
include a fix to completely address the issue demonstrated by the
researcher.
References
- [1] latest research (blog.ripstech.com)