Exclusive — If you have not updated your website to the latest WordPress version 5.0.3, now is the time to upgrade your site's content management software. By now, I mean immediately.
Cybersecurity researchers at RIPS Technologies GmbH today shared their latest research with The Hacker News, revealing the existence of a critical remote code execution vulnerability that affects all previous versions of WordPress content management software released in the past 6 years.
The remote code execution attack, discovered and reported to the WordPress security team late last year, can be exploited by a low-privileged attacker with at least an "author" account, using a combination of two separate vulnerabilities—Path Traversal and Local File Inclusion—that reside in the WordPress core.
The requirement of at least an author account reduces the severity of this vulnerability to some extent; it could still be exploited by a rogue content contributor or by an attacker who manages to obtain an author's credentials through phishing, password reuse or other attacks.
Video Demonstration — Here’s How the Attack Works
According to Simon Scannell, a researcher at RIPS Technologies GmbH, the attack takes advantage of the way WordPress's image management system handles Post Meta entries, which are used to store the description, size, creator and other meta information of uploaded images.
Scannell found that a rogue or compromised author account can modify any entries associated with an image and set them to arbitrary values, leading to the Path Traversal vulnerability.
"The idea is to set _wp_attached_file to evil.jpg?shell.php, which would lead to an HTTP request being made to the following URL: https://targetserver.com/wp-content/uploads/evil.jpg?shell.php," Scannell explains.
And, "it is still possible to plant the resulting image into any directory by using a payload such as evil.jpg?/../../evil.jpg."
The Path Traversal flaw, in combination with a local file inclusion flaw in the theme directory, could then allow the attacker to execute arbitrary code on the targeted server.
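Because the attack hinges on an author-controlled `_wp_attached_file` value that should never contain a query string or a `..` segment, a site owner can audit existing attachment metadata for tampering. The following Python is an added example (not code from the article, RIPS, or WordPress) that scans rows exported from the `wp_postmeta` table and flags values shaped like the ones quoted above; the sample rows are constructed for illustration, and the function names are assumptions.

```python
import re

# Constructed sample rows in the shape of wp_postmeta exports:
# (meta_id, post_id, meta_key, meta_value). Not real site data.
SAMPLE_POSTMETA = [
    (101, 12, "_wp_attached_file", "2019/02/photo.jpg"),
    (102, 13, "_wp_attached_file", "evil.jpg?shell.php"),
    (103, 14, "_wp_attached_file", "evil.jpg?/../../evil.jpg"),
    (104, 15, "_wp_attached_file", "../../themes/sometheme/cropped-x.jpg"),
    (105, 16, "_wp_attachment_metadata", "a:1:{s:5:\"width\";i:640;}"),
]

# Extensions WordPress normally records for image attachments (assumption for the audit).
ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "png", "gif", "webp"}


def classify_attached_file(value):
    """Return reasons why a _wp_attached_file value looks tampered with (empty list = clean).

    A legitimate value is a relative path below wp-content/uploads, usually
    'YYYY/MM/name.ext', with no query string, fragment, or '..' segments.
    """
    reasons = []
    if "?" in value or "#" in value:
        reasons.append("contains query string or fragment")
    if "\\" in value or "\0" in value:
        reasons.append("contains backslash or NUL byte")
    if value.startswith("/"):
        reasons.append("absolute path")
    # Split on '/' so 'evil.jpg?/../../evil.jpg' exposes its '..' segments.
    if ".." in value.split("/"):
        reasons.append("contains '..' segment (path traversal)")
    if re.search(r"\.php\d?\b", value, re.IGNORECASE):
        reasons.append("references a .php file")
    # Inspect the extension of the path part only (before any '?' or '#').
    path_part = re.split(r"[?#]", value, maxsplit=1)[0]
    ext = path_part.rsplit(".", 1)[-1].lower() if "." in path_part else ""
    if ext not in ALLOWED_IMAGE_EXT:
        reasons.append("unexpected extension %r" % ext)
    return reasons


def scan_postmeta(rows):
    """Return [(post_id, value, reasons)] for every suspicious _wp_attached_file row."""
    flagged = []
    for _meta_id, post_id, meta_key, meta_value in rows:
        if meta_key != "_wp_attached_file":
            continue
        reasons = classify_attached_file(meta_value)
        if reasons:
            flagged.append((post_id, meta_value, reasons))
    return flagged


if __name__ == "__main__":
    for post_id, value, reasons in scan_postmeta(SAMPLE_POSTMETA):
        print("post %d: %r -> %s" % (post_id, value, "; ".join(reasons)))
```

Run this against a real export (for example the output of `SELECT meta_id, post_id, meta_key, meta_value FROM wp_postmeta WHERE meta_key = '_wp_attached_file'`) after patching; any flagged row is worth checking against the upload directory and the web server's access logs, since a clean patch does not undo a value that was already planted.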