Critical RCE Flaw in WordPress that Remain Unpatched for 6 Years

If you are the using a WordPress CMS for your websites then its time to update your WordPress.
A security researcher from RipsTech, have uncovered a critical Remote Code Execution bug on WordPress CMS that affects all previous versions of WordPress content management software released in the past 6 years.

The blog post RipsTech showed that this bug can be exploited by the attacker with at least author privilege on the target WordPress by the chaining the two vulnerabilities - Path Transversal and Local File Inclusion, that resides on the WordPress core to gain the code execution on the server.

Furthermore, Simon Scannell from RipsTech noted that the code execution attack became non-exploitable in WordPress versions 4.9.9 and 5.0.1 after patch for another vulnerability was introduced which prevented unauthorized users from setting arbitrary Post Meta entries. But the Path Transversal bug is still unpatched. 

On Wordpress, low privilege users (Author) modify any entries associated with an Image and set them to arbitrary values, where Post Meta entries will be overwritten which will lead to a Path Traversal later.

The idea is to set _wp_attached_file to evil.jpg?shell.php, which would lead to a HTTP request being made to the following URL: https://targetserver.com/wp-content/uploads/evil.jpg?shell.php. This request would return a valid image file, since everything after the ? is ignored in this context. The resulting filename would be evil.jpg?shell.php.

The researcher also shares the video demonstrating the vulnerabilities with the author privileged users.
This  Remote Code Execution in the WordPress core that was present for over 6 years, but became non-exploitable with a patch for another vulnerability that was previously reported by RipsTech. However, Path Traversal is still possible and can be exploited if a plugin is installed that still allows overwriting of arbitrary Post Data. Since certain authentication to a target WordPress site is needed for exploitation, which reduces the severity of the vulnerability to some extent.

The vulnerabilities have been reported to WordPress Security team via Hackerone, and they have half fixed it. The complete fix will be addressed on the next release of WordPress.