Security researchers at RIPS Technologies GmbH disclosed a critical remote code execution vulnerability in WordPress versions prior to 5.0.3, which remained undiscovered for six years.
The researchers found that the flaw could be exploited by an attacker who gains access to an account with at least ‘author‘ privileges on a WordPress installation to execute arbitrary PHP code on the underlying server.
The flaw is a chain of a Path Traversal and a Local File Inclusion vulnerability in the WordPress core that leads to Remote Code Execution and complete remote takeover.
The attack relies on the way the WordPress image management system handles Post Meta entries, which store information such as the description, size, creator, and other metadata of uploaded images.
The experts also published a PoC of the attack.
The researchers determined that an attacker with at least ‘author‘ privileges on a WordPress installation can modify entries related to an image to trigger the Path Traversal vulnerability.
“The idea is to set _wp_attached_file to evil.jpg?shell.php, which would lead to an HTTP request being made to the following URL: https://targetserver.com/wp-content/uploads/evil.jpg?shell.php. This request would return a valid image file since everything after the ? is ignored in this context. The resulting filename would be evil.jpg?shell.php,” continues the analysis.
“However, it is still possible to plant the resulting image into any directory by using a payload such as evil.jpg?/../../evil.jpg.”
Chaining the Path Traversal vulnerability with a Local File Inclusion flaw in the theme directory could allow the attacker to execute arbitrary code on the targeted server.
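To make the mechanism concrete from a defender's side, the following added example (not code from RIPS or from WordPress) models how a `_wp_attached_file` value containing `?` and `..` segments resolves outside the uploads directory once joined to that directory, and provides a check that an auditing script or plugin could apply to Post Meta values before trusting them; the uploads path and the sample rows are constructed for the example.

```python
import posixpath

# Assumed uploads directory layout (constructed for this example, not from the page)
UPLOADS_DIR = "/var/www/html/wp-content/uploads"

def flawed_resolve(attached_file: str) -> str:
    """Model of the behaviour described above: the uploads path is joined with the
    raw _wp_attached_file value and normalised, so '..' segments placed after a '?'
    walk out of the uploads directory while the HTTP fetch still returns the image."""
    return posixpath.normpath(posixpath.join(UPLOADS_DIR, attached_file))

def is_safe_attached_file(attached_file: str) -> bool:
    """Hardened check: accept only a relative path that stays inside UPLOADS_DIR
    and carries no query-string, traversal, backslash or control characters."""
    if not attached_file or any(ord(c) < 32 for c in attached_file):
        return False
    if attached_file.startswith(("/", "\\")) or "\\" in attached_file:
        return False
    if "?" in attached_file or "#" in attached_file:
        return False  # query-string trick: fetch and filename would disagree
    if ".." in attached_file.split("/"):
        return False  # explicit traversal segment
    resolved = flawed_resolve(attached_file)
    # Final guard: the normalised path must still lie under the uploads directory
    return posixpath.commonpath([UPLOADS_DIR, resolved]) == UPLOADS_DIR

def audit_post_meta(entries):
    """Return the (post_id, value) pairs whose _wp_attached_file fails the check."""
    return [(pid, value) for pid, value in entries if not is_safe_attached_file(value)]

# Constructed sample Post Meta rows: (post_id, _wp_attached_file value)
SAMPLE_META = [
    (101, "2019/02/photo.jpg"),           # ordinary upload, stays in place
    (102, "evil.jpg?shell.php"),          # query-string trick from the analysis
    (103, "evil.jpg?/../../evil.jpg"),    # traversal payload from the analysis
]

if __name__ == "__main__":
    for pid, value in audit_post_meta(SAMPLE_META):
        print(f"post {pid}: {value!r} would resolve to {flawed_resolve(value)}")
```

Running it flags posts 102 and 103; the third row resolves to wp-content/evil.jpg, one level above the uploads directory, which is exactly the escape the analysis describes.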
The implementation of a security measure in WordPress versions 5.0.1 and 4.9.9 prevented the exploitation of the flaw because it made it impossible for unauthorized users to set arbitrary Post Meta entries.
Experts pointed out that the Path Traversal issue is still unpatched even in the latest WordPress version, and it can also be exploited in the presence of installed third-party plugins that incorrectly handle Post Meta entries.