The popular content management system WordPress has been found to contain a dangerous weakness that allows remote attackers to easily execute remote code. The public announcement of the bug shows that the vulnerability has existed for the past 6 years, and it is very possible that sites have been accessed through it. Basically, it allows low-privileged accounts to execute code using two vulnerabilities found in the main engine.
CVE-2019-6977: The Latest WordPress Has Allowed Criminals To Execute Remote Code For 6 Years
WordPress site owners should immediately patch their installations to the latest available version (5.0.3) in order to protect themselves from a dangerous remote code execution vulnerability which was just announced. The public announcement came from the security team at RIPS Technologies GmbH, which revealed a dangerous bug found within the content management system. It effectively allows computer hackers to exploit online installations merely by having a low-privileged account on the site. The attack exploits two distinct bug types, Path Traversal and Local File Inclusion, which are found within the WordPress core engine. This also affects any plugins that incorrectly handle Post Meta values.
This issue is rather dangerous because the Post Meta values are internal references to files uploaded to the server, which are also recorded in the WordPress database. The security investigation reveals that the vulnerable WordPress versions allow this value to be modified by using code injection. Effectively, this means that computer criminals having access to the web server can upload modified content and thus exploit the system. A public security advisory has been assigned to track the issue with the CVE-2019-6977 identifier. Its contents read as follows:
gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1, has a heap-based buffer overflow. This can be exploited by an attacker who is able to trigger imagecolormatch calls with crafted image data.
The latest version of WordPress fixes the Post Meta entries weakness; however, the Path Traversal flaw can still be exploited through the incorrect behavior of any third-party plugins. The WordPress security team will address the complete weakness in its next release. Until then, all site owners are urged to apply all available security updates, both to the core engine and to all plugins and themes.
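Because the Post Meta values described above are stored file references, a site owner can audit them for entries that leave the uploads directory. The following is an added example, not code from WordPress or from the RIPS advisory; the uploads path, the function names and the sample rows are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Assumed uploads directory of the audited site (hypothetical path).
UPLOADS_BASE = "/var/www/html/wp-content/uploads"

# Constructed sample rows (post_id, meta_value), shaped like an export of
# the post meta entries that hold file references.
SAMPLE_ROWS = [
    (101, "2019/02/header.jpg"),
    (102, "2019/02/../../../wp-config.php"),
    (103, "/etc/passwd"),
    (104, "2019/02/%2e%2e/%2e%2e/%2e%2e/index.php"),
    (105, "2019/02/./logo.png"),
]

def check_file_reference(value, base=UPLOADS_BASE):
    """Return the reasons a stored file reference is suspicious (empty list = clean)."""
    if "\x00" in value:
        return ["null byte"]
    reasons = []
    # Decode once and unify separators so encoded or Windows-style traversal is visible.
    decoded = unquote(value).replace("\\", "/")
    if decoded != value:
        reasons.append("encoded or backslash separators")
    if decoded.startswith("/"):
        reasons.append("absolute path")
    if ".." in decoded.split("/"):
        reasons.append("parent-directory segment")
    # Lexical resolution only: no filesystem access, so this works on a database export.
    resolved = posixpath.normpath(posixpath.join(base, decoded))
    if resolved != base and not resolved.startswith(base.rstrip("/") + "/"):
        reasons.append("resolves outside uploads: " + resolved)
    return reasons

def audit(rows, base=UPLOADS_BASE):
    """Map post_id -> reasons for every row whose file reference is suspicious."""
    flagged = {}
    for post_id, value in rows:
        reasons = check_file_reference(value, base)
        if reasons:
            flagged[post_id] = reasons
    return flagged

if __name__ == "__main__":
    for post_id, reasons in audit(SAMPLE_ROWS).items():
        print(post_id, "; ".join(reasons))
```

A flagged row is a lead for investigation rather than proof of compromise, since a plugin may legitimately store unusual paths.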