25 Feb 2019
Updating your WordPress content management software to version 5.0.3 is URGENT!
RIPS Technologies told Hacker News of a remote code execution vulnerability that affects all previous versions. That's over six years of vulnerability. The remote code execution attack can be carried out by any nefarious user with at least an author account, via a combination of a Path Traversal flaw and a Local File Inclusion flaw in the WordPress core.
The attack takes advantage of WordPress's Post Meta entries in the image management system, which are used to store an image's description, size, creator, etc. The attacker can modify any of these entries associated with an image, which creates the Path Traversal flaw. According to Hacker News, this Path Traversal flaw, in combination with a Local File Inclusion flaw in the theme directory, could then allow the attacker to execute arbitrary code on the targeted server.
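The defensive counterpart to the flaw described above is to treat the file path stored for an attachment as untrusted input and to confirm that it still resolves inside the uploads directory before anything reads or includes it. The Python below is an added illustration written for this post, not code from WordPress or from the RIPS write-up; the uploads root, the sample meta rows and the `audit_attachment_meta` helper are constructed for the example. The same containment check is what a WordPress hardening plugin or a database audit script would implement in PHP, and it applies to any stored relative path, not only image attachments.

```python
import posixpath

# Assumed uploads base directory for the example (constructed, not from the page).
UPLOADS_ROOT = "/var/www/html/wp-content/uploads"


def is_safe_upload_path(relative_path: str, root: str = UPLOADS_ROOT) -> bool:
    """Return True only if relative_path, joined onto root, stays inside root.

    Rejects empty values, embedded NUL bytes, absolute paths, backslashes and
    any '..' sequence that escapes the root. Paths are handled purely as POSIX
    strings so the check needs no filesystem access and runs the same offline.
    """
    if not relative_path or "\x00" in relative_path:
        return False
    if relative_path.startswith("/") or "\\" in relative_path:
        return False
    root_norm = posixpath.normpath(root)
    # normpath collapses '.', '..' and repeated slashes, so a traversal that
    # steps out of the root shows up as a candidate that no longer has the
    # root as a directory prefix.
    candidate = posixpath.normpath(posixpath.join(root_norm, relative_path))
    return candidate == root_norm or candidate.startswith(root_norm + "/")


def audit_attachment_meta(rows, root: str = UPLOADS_ROOT):
    """Scan (post_id, stored_path) pairs and return the ids whose stored path
    would escape the uploads root. Suitable for a one-off sweep over a dump of
    attachment metadata after a site has been running a vulnerable version."""
    return [post_id for post_id, stored_path in rows
            if not is_safe_upload_path(stored_path, root)]


# Constructed sample rows in the shape (post_id, stored relative path).
SAMPLE_META = [
    (101, "2019/02/report.pdf"),
    (102, "2019/02/photo.jpg"),
    (103, "2019/02/../03/moved.jpg"),        # '..' that stays inside the root
    (104, "../../../escapes-root.jpg"),     # traversal out of the uploads root
    (105, "/etc/passwd"),                   # absolute path smuggled into meta
    (106, "2019/02/photo.jpg\x00.php"),     # NUL byte truncation attempt
]

if __name__ == "__main__":
    flagged = audit_attachment_meta(SAMPLE_META)
    for post_id in flagged:
        print(f"attachment {post_id}: stored path escapes {UPLOADS_ROOT}")
```

Running the block flags attachments 104, 105 and 106 and leaves 103 alone, because a `..` that still resolves under the uploads directory is legitimate. The check is deliberately string-based; a realpath-based variant that follows symlinks is stronger on a live server but cannot be run against an exported database dump.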
“An attacker who gains access to an account with at least author privileges on a target WordPress site can execute arbitrary PHP code on the underlying server, leading to a full remote takeover,” says Simon Scannell, a researcher at RIPS Technologies GmbH. Though the need for an author account does reduce the severity of the vulnerability, a risk still exists, and the full remote takeover of a vulnerable blog can happen within seconds.
Good news for WordPress versions 5.0.1 and 4.9.9: the code execution attack was blocked by a patch that was introduced after a different vulnerability regarding the Post Meta entries was discovered.