New Unauthenticated WordPress Flaw Leads to Remote Code Execution

WordPress 5.1 suffers from a critical Remote Code Execution vulnerability
Last month, a security researcher from RipsTech discovered an Authenticated Remote Code Execution vulnerability in WordPress 5.0, and now they are back with another Remote Code Execution vulnerability in the latest version of WordPress, 5.1.

This newly discovered vulnerability is an Unauthenticated RCE, which raises the severity of the bug to highly critical.
The researcher found a Cross-Site Request Forgery (CSRF) vulnerability in the comment function of WordPress, which an attacker can use to take over any WordPress site that has comments enabled.

According to the researcher, the attacker posts a comment on the WordPress site that includes a malicious link targeting the site administrator. As soon as the victim administrator visits the malicious website, a cross-site request forgery (CSRF) exploit is run against the target WordPress blog in the background, without the victim noticing. The CSRF exploit abuses multiple logic flaws and sanitization errors that, when combined, lead to Remote Code Execution and a full site takeover.

WordPress is used by over 33% of all websites on the internet, according to its own download page. Considering that comments are a core feature of blogs and are enabled by default, the vulnerability affected millions of sites.

Brief Details of the Bug
WordPress did not perform CSRF validation when a user posted a new comment, because some WordPress features such as trackbacks and pingbacks would break if there were any validation. This makes it easy for an attacker to create comments in the name of the administrative user.
A WordPress blog allows arbitrary HTML tags in comments, which opens the door to exploiting the CSRF vulnerability to create a comment containing malicious JavaScript code.
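The missing check described above is a CSRF token on the comment submission. The following must-use plugin is an added hardening example (it is not the WordPress 5.1.1 patch and not RipsTech's code) showing how such a check can be layered on top of core using only real WordPress hooks and functions: it emits a nonce in the comment form for logged-in users and rejects a logged-in submission that lacks a valid one, while leaving anonymous comments, trackbacks and pingbacks untouched so the features the article mentions keep working. The constant names and nonce action string are assumptions chosen for this example.

```php
<?php
/**
 * Plugin Name: Comment CSRF nonce (hardening example)
 *
 * Place in wp-content/mu-plugins/ so it loads on every request.
 * Adds a per-user nonce to the comment form and refuses comment
 * submissions from logged-in users that do not carry a valid nonce.
 * Anonymous commenters, trackbacks and pingbacks are not affected.
 */

// Assumed names for this example; any unique strings work.
const HARDEN_COMMENT_NONCE_ACTION = 'harden_post_comment';
const HARDEN_COMMENT_NONCE_FIELD  = 'harden_comment_nonce';

// 1. Emit the nonce field inside the comment form.
//    Core fires the 'comment_form' action just before the form closes.
add_action( 'comment_form', function () {
    if ( is_user_logged_in() ) {
        wp_nonce_field( HARDEN_COMMENT_NONCE_ACTION, HARDEN_COMMENT_NONCE_FIELD );
    }
} );

// 2. Verify the nonce before wp-comments-post.php processes the submission.
//    Core fires 'pre_comment_on_post' with the target post ID.
add_action( 'pre_comment_on_post', function ( $comment_post_id ) {
    if ( ! is_user_logged_in() ) {
        return; // anonymous comments are not the CSRF target here
    }

    $nonce = isset( $_POST[ HARDEN_COMMENT_NONCE_FIELD ] )
        ? sanitize_text_field( wp_unslash( $_POST[ HARDEN_COMMENT_NONCE_FIELD ] ) )
        : '';

    // A cross-site POST from an attacker's page cannot know the victim's
    // nonce (it is bound to the user session), so the forged request dies here.
    if ( ! wp_verify_nonce( $nonce, HARDEN_COMMENT_NONCE_ACTION ) ) {
        wp_die(
            esc_html__( 'Comment rejected: missing or invalid security token.' ),
            esc_html__( 'Comment Submission Failure' ),
            array( 'response' => 403, 'back_link' => true )
        );
    }
}, 10, 1 );
```

The check is deliberately limited to logged-in users: WordPress nonces are tied to the user session, so they cannot protect anonymous submissions, and the attack in the article only matters when the comment is created in the name of a privileged user. This layer does nothing about the attribute-injection problem in comment sanitization; that part is only fixed by updating core.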

After exploiting the CSRF vulnerability, the attacker can reach a stored Cross-Site Scripting (XSS) vulnerability in the WordPress core. This is because some attributes that usually cannot be set in comments are parsed and manipulated in a faulty way that leads to an arbitrary attribute injection.

This further leads to control of the administrator's session, which is not a hard task. With the administrator's session, it is possible to execute arbitrary JavaScript code, which in turn leads easily to Remote Code Execution.
By default, WordPress allows administrators of a blog to directly edit the .php files of themes and plugins from within the admin dashboard. By simply inserting a PHP backdoor, the attacker can gain arbitrary PHP code execution on the remote server.

What to Do? [PATCH]
RipsTech reported the issue to the WordPress security team, and WordPress has fixed it in the latest release. By default, WordPress automatically installs security updates, so your WordPress core will automatically be updated to the latest version, v5.1.1. A further step you can take is to disable comments if they are not necessary.
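Two of the steps implied by this section and by the file-editor paragraph above can be applied in configuration: close comments (and pingbacks) site-wide, and remove the dashboard file editor that turns an administrator session into PHP code execution. The following must-use plugin is an added example, not WordPress or RipsTech code; the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS constants and the comments_open/pings_open filters are real WordPress features, while the file name and the priority values are assumptions. Updating to 5.1.1 remains the actual fix; these settings only reduce what an attacker gains if a similar bug appears later.

```php
<?php
/**
 * Plugin Name: Reduce comment-chain impact (hardening example)
 *
 * Place in wp-content/mu-plugins/. The two constants are normally set in
 * wp-config.php; defining them here is equivalent as long as nothing
 * defined them earlier, which the defined() guards make explicit.
 */

// Weak default: DISALLOW_FILE_EDIT is unset, so any administrator (or anyone
// riding an administrator's session) can edit theme and plugin .php files in
// the dashboard. Setting it to true removes the Theme/Plugin Editor screens
// and the edit_themes/edit_plugins/edit_files capabilities.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// Stricter still: also block installing, updating or deleting plugins and
// themes from the dashboard. Only enable this if deployments happen outside
// wp-admin (for example via WP-CLI or a deployment pipeline), because it also
// disables the dashboard updater for plugins and themes.
if ( ! defined( 'DISALLOW_FILE_MODS' ) ) {
    define( 'DISALLOW_FILE_MODS', false ); // set to true for locked-down sites
}

// Close comments and pingbacks on every post. wp-comments-post.php checks
// comments_open() before accepting a submission, so this stops new comments
// at the server rather than only hiding the form in the theme.
add_filter( 'comments_open', '__return_false', 20, 2 );
add_filter( 'pings_open',    '__return_false', 20, 2 );

// Keep core and its security releases flowing; the article notes that the
// 5.1.1 fix arrives this way by default, so do not turn this off.
add_filter( 'auto_update_core', '__return_true' );
```

The comments_open filter receives the post ID as its second argument, so a site that must keep comments on a few posts can return true for those IDs instead of closing everything. Verify the file-editor change by confirming that Appearance > Theme Editor and Plugins > Plugin Editor no longer appear for an administrator account.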