Last week we received a tip about an unpatched vulnerability in the WordPress core, which could allow a low-privileged user to hijack the whole site and execute arbitrary code on the server.
Discovered by researchers at RIPS Technologies GmbH, the "authenticated arbitrary file deletion" vulnerability was reported 7 months ago to the WordPress security team but remains unpatched and affects all versions of WordPress, including the current 4.9.6.
The vulnerability resides in one of the core functions of WordPress that runs in the background when a user permanently deletes thumbnail of an uploaded image.
Researchers find that the thumbnail delete function accepts unsanitized user input, which if tempered, could allow users with limited-privileges of at least an author to delete any file from the web hosting, which otherwise should only be allowed to server or site admins.
The requirement of at least an author account automatically reduces the severity of this flaw to some extent, which could be exploited by a rogue content contributor or a hacker who somehow gains author's credential using phishing, password reuse or other attacks.
Researchers say that using this flaw an attacker can delete any critical files like ".htaccess" from the server, which usually contains security-related configurations, in an attempt to disable protection.
Besides this, deleting "wp-config.php" file—one of the most important configuration files in WordPress installation that contains database connection information—could force entire website back to the installation screen, allegedly allowing the attacker to reconfigure the website from the browser and take over its control completely.
However, it should be noted that since the attacker can't directly read the content of wp-config.php file to know the existing "database name," "mysql username," and its "password," he can re-setup the targeted site using a remote database server in his control.
Once complete, the attacker can create a new admin account and take complete control over the website, including the ability to execute arbitrary code on the server.
"Besides the possibility of erasing the whole WordPress installation, which can have disastrous consequences if no current backup is available, an attacker can make use of the capability of arbitrary file deletion to circumvent some security measures and to execute arbitrary code on the web server," researchers say.
In a proof-of-concept video published by the researchers, as shown above, the vulnerability worked perfectly as described and forced the site to re-installation screen.
However, as of now, website admins should not panic due to this vulnerability and can manually apply a hotfix provided by the researchers.
We expect the WordPress security team would patch this vulnerability in the upcoming version of its CMS software.