A new WordPress security bug has been reported by specialists that affects a large percentage of the sites worldwide. This is one of the most popular platforms and the discovery of the vulnerability gives hackers the ability to execute arbitrary code. The initial report was submitted 7 months ago to the platform’s security team however it still remains unpatched. All versions of WordPress are affected.
Details About the New WordPress Security Bug
The initial security report was submitted to the WordPress team 7 months ago. As they have not yet patched the issues all sites are vulnerable, including those running the latest version 4.9.6. In order for the hackers to be able to intrude into the target sites they will need to gain the privileges to edit or delete media files. This allows hackers to take over any site as long as they have a registered account with a role as low as Author. The hackers can also intrude into the sites by using other exploits. As soon as the hackers gain access to the systems and execute the vulnerability they will be able to delete any file that is part of the WordPress installation. Any other file available on the site’s server that have the same permissions is also vulnerable.
The hackers can consequently delete the whole WordPress installation. This can render the site unable to function, especially if the system administrators have not enable automatic backups. The hackers can also opt to delete certain files and replace them with dangerous other instances. This allows them to execute arbitrary code. Special attention must be given to the modification of the following files:
- .htaccesss — In general deletion of this particular file by itself is not defined as a security risk. However if it explicitly contains instructions to block certain folders, such actions will deactivate the protective constraints.
- index.php files — In many cases index.php are placed in directories in order to prevent directory listings. Deleting these files will make it possible for the attackers to access all files in these directories.
- wp-config.php — Deleting or modification of this file will lead to the launch of the initial installation process. The hackers can use this to enter false credentials linking their own databases which would spoof the entire installation and allow them to completely take over the site.
The exact cause of the vulnerability is the improper processing of user parameters. This is linked to the way PHP is handled by the WordPress core engine.
The New WordPress Security Bug Can Be Patched with a Temporary Fix
The fact that the WordPress security bug remains unpatched by the development team as of the time of writing this article shows that there is a real risk of intrusion of all sites. This has prompted the security researchers that discovered the vulnerability to issue a temporary hotfix. Site administrators will ned to add additional code to the functions.php fil of the currently active theme:
add_filter( ‘wp_update_attachment_metadata’, ‘rips_unlink_tempfix’ );
function rips_unlink_tempfix( $data ) {
if( isset($data[‘thumb’]) ) {
$data[‘thumb’] = basename($data[‘thumb’]);
}return $data;
}
For a detailed analysis of the vulnerability read the original report here.