Critical RCE Flaw in WordPress That Remained Unpatched for 6 Years

If you are using the WordPress CMS for your websites, then it is time to update your WordPress installation.
A security researcher from RipsTech has uncovered a critical Remote Code Execution bug in the WordPress CMS that affects all versions of the content management software released in the past 6 years.

The RipsTech blog post showed that this bug can be exploited by an attacker with at least author privileges on the target WordPress site by chaining two vulnerabilities that reside in the WordPress core, a Path Traversal and a Local File Inclusion, to gain code execution on the server.

The idea is to set _wp_attached_file to evil.jpg?shell.php, which would lead to an HTTP request being made to the following URL: https://targetserver.com/wp-content/uploads/evil.jpg?shell.php. This request would return a valid image file, since everything after the ? is ignored in this context. The resulting filename, however, would be evil.jpg?shell.php.
The researcher also shares a video demonstrating the vulnerabilities using an author-privileged user account.
This Remote Code Execution in the WordPress core was present for over 6 years, but it became non-exploitable after a patch for another vulnerability that was previously reported by RipsTech. However, the Path Traversal is still possible and can be exploited if a plugin is installed that still allows overwriting of arbitrary Post Data. Since authentication to the target WordPress site is needed for exploitation, the severity of the vulnerability is reduced to some extent.

The vulnerabilities were reported to the WordPress Security team via HackerOne, and they have been partially fixed. The complete fix will be addressed in the next release of WordPress.