Exclusive — If you have not updated your website to the latest WordPress version 5.0.3, it’s a brilliant idea to upgrade the content management software of your site now. From now, I mean immediately.
Cybersecurity researchers at RIPS Technologies GmbH today shared their latest research with The Hacker News, revealing the existence of a critical remote code execution vulnerability that affects all previous versions of WordPress content management software released in the past 6 years.
The remote code execution attack, discovered and reported to the WordPress security team late last year, can be exploited by a low privileged attacker with at least an “author” account using a combination of two separate vulnerabilities—Path Traversal and Local File Inclusion—that reside in the WordPress core.
The requirement of at least an author account reduces the severity of this vulnerability to some extent, which could be exploited by a rogue content contributor or an attacker who somehow manages to gain author’s credential using phishing, password reuse or other attacks.
“An attacker who gains access to an account with at least author privileges on a target WordPress site can execute arbitrary PHP code on the underlying server, leading to a full remote takeover,” Scannell says.
Video Demonstration — Here’s How the Attack Works
According to Simon Scannell, a researcher at RIPS Technologies GmbH, the attack takes advantage of the way WordPress image management system handles Post Meta entries used to store description, size, creator, and other meta information of uploaded images.
“The idea is to set _wp_attached_file to evil.jpg?shell.php, which would lead to an HTTP request being made to the following URL: https://targetserver.com/wp-content/uploads/evil.jpg?shell.php,” Scannell explains.
And, “it is still possible to plant the resulting image into any directory by using a payload such as evil.jpg?/../../evil.jpg.”
The Path Traversal flaw in combination with a local file inclusion flaw in theme directory could then allow the attacker to execute arbitrary code on the targeted server.
The attack, as shown in the proof-of-concept video shared by the researcher, can be executed within seconds to gain complete control over a vulnerable WordPress blog.
According to Scannell, the code execution attack became non-exploitable in WordPress versions 5.0.1 and 4.9.9 after patch for another vulnerability was introduced which prevented unauthorized users from setting arbitrary Post Meta entries.
However, the Path Traversal flaw is still unpatched even in the latest WordPress version and can be exploited if any installed 3rd-party plugin incorrectly handles Post Meta entries.
Scannell confirmed that the next release of WordPress would include a fix to completely address the issue demonstrated by the researcher.