An unpatched vulnerability present in the WordPress core, allows a low-privileged user to hijack the whole site and execute arbitrary code on the server.
This was found by the researchers at RIPS Technologies GmbH, and the “authenticated arbitrary file deletion” vulnerability was reported 7 months ago to the WordPress security team but was not patched and affects all versions including the current version of WordPress.
The vulnerability resides in one of the core functions of WordPress that runs in the background when a user permanently deletes thumbnail of an uploaded image.
The thumbnail delete function accepts unsanitized user input, which if tempered, could allow users with limited-privileges of at least an author to delete any file from the web hosting which are normally allowed to those with server or site admin rights.
Since at least an author account is required it reduces the severity of this flaw to some extent, which could be exploited by a hacker who somehow gains author’s credential using phishing, password reuse or other attacks.
Researchers say that using this flaw an attacker can delete any critical files like “.htaccess” from the server, which usually contains security-related configurations, in an attempt to disable protection.
Similarly, deleting “wp-config.php” file which is one of the most important configuration files in WordPress installation that contains database connection information could force entire website back to the installation screen, supposedly allowing the attacker to reconfigure the website from the browser and take complete control of it.
Since the attacker cannot directly read the content of wp-config.php file to know the existing “database name,” “mysql username,” and its “password,” he can re-setup the targeted site using a remote database server in his control.
After that the attacker can create a new admin account and take complete control over the website, including the ability to execute arbitrary code on the server.
The researchers reports that if a backup is not available, then there can be tragic consequences when the whole WordPress installation is erased. Besides an attacker can also make use of the capability of arbitrary file deletion to circumvent some security measures and to execute arbitrary code on the web server.
The website admins need not be frightened by this vulnerability aas they can manually apply a hotfix provided by the researchers. Lets expect that the WordPress security team would patch this vulnerability in the upcoming version of its CMS software.