Security flaws often remain unpatched while companies work on a fix for the issue but cybersecurity researchers at RIPS Technologies GmbH have discovered a critical remote code execution vulnerability in WordPress that remained accessible to potential attackers for six years.
The vulnerability, which affects all previous versions of WordPress before version 5.0.3, can be exploited by a low privileged attacker with an account level of “author” or above by using a combination of both the path Traversal and Local File Inclusion vulnerabilities that exist inside WordPress’ core code.
The fact that an attacker must have at least an author account does help to mitigate the severity of the vulnerability slightly but a content contributor or an attacker, that managed to gain author’s credentials, could still take advantage of it.
The researchers reported the vulnerability to WordPress’ security team late last year and updating to the latest version of WordPress will prevent attackers from exploiting it.
Remote code execution attack
RIPS Technologies GmbH researcher Simon Scannell detailed the teams findings in a blog post where he explained how the attack takes advantage of the way WordPress’ image management system handles Post Meta entries which are used to store description, size, creator and other meta information uploaded with images.
Scannell discovered that either a rogue or compromised author account can be used to modify an images’ meta data and set them to arbitrary values. This leads to the Path Traversal vulnerability and when used together with a local file inclusion flaw in theme director could allow an attacker to execute arbitrary code on a WordPress blog’s server.
The attack itself can be executed within seconds to gain complete control over a vulnerable WordPress blog but thankfully it became non-exploitable in WordPress versions 5.0.1 and 4.9.9 when another vulnerability was introduced.
Scannell explained that the Path Traversal vulnerability can still be exploited by hackers though, saying:
“However, the Path Traversal is still possible and can be exploited if a plugin is installed that still allows overwriting of arbitrary Post Data. Since certain authentication to a target WordPress site is needed for exploitation, we decided to make the vulnerability public after 4 months of initially reporting the vulnerabilities.”
Via The Hacker News