Unpatched WordPress bug puts your website at risk

In November last year, a security researcher reported an arbitrary file deletion vulnerability to the WordPress security team, but seven months have passed since the report was issued. The security team did not release any patches or repair plans. The insider finally decided to make it public.

According to reports, since there are no patches to fix this vulnerability, any WordPress version, including the current 4.9.6 release, is vulnerable. To exploit this vulnerability, an attacker needs to obtain permission to edit and delete media files in advance.

An attacker can delete any files installed by WordPress (as well as any other data on the server that the PHP process user is authorised to delete). In addition to the possibility of removing the entire WordPress installation (if there are no current backups available with catastrophic results), an attacker could also use arbitrary file deletion to bypass some security measures and execute arbitrary code on the Web server. 

The following files can be deleted:

  • .htaccess: In general, deleting this file does not have any security consequences. However, in some occasions, the .htaccess file contains security related constraints (e.g., access constraints to some folders). Deleting this file would deactivate those security constraints.
  • index.php files: Oftentimes empty index.php files are placed into directories to prevent directory listing for the case the webserver fails to do so. Deleting those files would grant an attacker a listing of all files in directories protected by this measure.
  • wp-config.php: Deleting this file of a WordPress installation would trigger the WordPress installation process on the next visit to the website. This is due to the fact that wp-config.php contains the database credentials, and without its presence, WordPress acts as if it hasn’t been installed yet. An attacker could delete this file, undergo the installation process with credentials of his choice for the administrator account and, finally, execute arbitrary code on the server.

Please check this blog for details.