Unpatched WordPress Flaw Grants Full Control to Attackers on Websites

An unpatched vulnerability in the WordPress core could allow a low-privileged user to hijack the whole site and execute arbitrary code on the server. Researchers at RIPS Technologies GmbH discovered that the “authentication arbitrary file deletion” affects all versions of WordPress. When a user permanently deletes a thumbnail of an upload image, the vulnerability resides on the core functions of WordPress.

The vulnerability allows non-privileged users to delete any file from the web hosting server when such actions should be done only by administrators. Using phishing or other social engineering attacks, the hacker could gain author credentials which are required to exploit this security flaw. An attacker exploiting this flaw could delete critical files on the server, like”.htaccess,” which usually contains security-related configurations, and in this way, disable protection. Moreover, deleting the database file “wp-config.php” containing database connection information could force the entire website to the installation screen and therefore grant full control to the attacker. This means that the attacker can reconfigure the website and take complete control over it, doing so from the web browser.

However, since the attacker can’t directly read the content of “wp-config.php” file to know the existing database name and its password, he can re-setup the targeted site using a remote database server in his control. Once complete, he can create a new admin account and take complete control of the website including the ability to execute arbitrary code on the server. Currently, the flaw remains unpatched. The researchers have tested the vulnerability and exploited it successfully. The flaw was reported seven months ago and hopefully, a hotfix will soon be applied by the WordPress security team.

Cynet scanned machines (desktop and server hosts) are monitored for any kind of post-exploitation activity.