WordPress Vulnerability Could Allow Hackers to Control Websites

June 27, 2018
A recently disclosed WordPress vulnerability could allow attackers to take control of websites. The issue was reported by 'The Hacker News', an online publication that covers global cyber threats, and was discovered by RIPS Technologies, a web application security and software provider based in Bochum, Nordrhein-Westfalen, Germany.

The vulnerability is an "authenticated arbitrary file deletion" flaw located in a WordPress core function. RIPS Technologies' researchers found that the function which deletes an attachment's thumbnail builds the path to unlink from "unsanitized user input", so the value is never checked for directory-traversal sequences or confined to the uploads directory. A user with 'author' privileges or higher can therefore delete arbitrary files on the web host, something only server or site administrators should be able to do. According to The Hacker News the vulnerability was "reported 7 months ago" but had not been patched at the time of writing. It affects all WordPress versions up to and including the then-current release, 4.9.6.

Because exploitation requires an account at 'author' level or above, the flaw is less immediate a threat than an unauthenticated one. It still exposes any site that grants author accounts to people it does not fully trust, or where an attacker has obtained an author's credentials. Once in, critical files such as '.htaccess' can be deleted, removing whatever access restrictions that file enforced. The 'wp-config.php' file can be deleted as well; according to The Hacker News, this forces the site "back to the installation screen" and lets the attacker reconfigure the website from the browser and ultimately take full control of it. Until a fix ships, the practical mitigations are to review which accounts hold the author role or higher and to keep current offline backups.
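The two paragraphs above describe the mechanism (a thumbnail name taken from user input and passed straight to a delete call) and the payoff (traversing out of the uploads directory to remove wp-config.php or .htaccess). The script below is an added illustration written for this page, not WordPress core code: it reproduces the vulnerable pattern in a throwaway temp directory next to a hardened version that rejects names with directory components and confirms, via realpath, that the resolved target stays inside the uploads directory. The directory layout, file names and the `delete_thumb_*` function names are assumptions for the demo.

```php
<?php
// Added illustration, not WordPress core code. Builds a fake site tree in a
// temp directory so the demo never touches real files. Layout and names are
// assumptions: wp-content/uploads/YYYY/MM like a default WordPress install.

$site    = sys_get_temp_dir() . '/wp-demo-' . getmypid();
$uploads = "$site/wp-content/uploads";
mkdir("$uploads/2018/06", 0700, true);
file_put_contents("$uploads/2018/06/photo.jpg", 'jpeg bytes');
file_put_contents("$uploads/2018/06/photo-150x150.jpg", 'thumbnail bytes');
file_put_contents("$site/wp-config.php", "<?php // DB credentials live here\n");
file_put_contents("$site/.htaccess", "Require all denied\n");

// Vulnerable pattern: the thumbnail name recorded in the attachment's
// metadata is substituted into the attached file's path and unlinked as-is.
// If an author can write that metadata, "../" segments walk out of uploads.
function delete_thumb_vulnerable(string $uploads, string $attached, string $thumb): string
{
    $thumbfile = str_replace(basename($attached), $thumb, $attached);
    $target    = "$uploads/$thumbfile";
    if (file_exists($target)) {
        unlink($target);
    }
    return $target;
}

// Hardened pattern: a thumbnail is a bare file name, so refuse anything with
// a directory component, then resolve the final path and require it to sit
// under the uploads directory before deleting. Returns true only on delete.
function delete_thumb_hardened(string $uploads, string $attached, string $thumb): bool
{
    if ($thumb === '' || $thumb !== basename($thumb)) {
        return false; // contains a slash or traversal: refuse
    }
    $base = realpath($uploads);
    $real = realpath("$uploads/" . str_replace(basename($attached), $thumb, $attached));
    if ($base === false || $real === false) {
        return false; // target does not exist, or uploads dir is missing
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false; // resolved outside uploads
    }
    return unlink($real);
}

$attached = '2018/06/photo.jpg';          // value stored for the attachment
$evil     = '../../../../wp-config.php';  // author-controlled "thumb" value

// Legitimate thumbnail: the hardened routine deletes it.
var_dump(delete_thumb_hardened($uploads, $attached, 'photo-150x150.jpg'));

// Traversal is refused by the hardened routine and wp-config.php survives.
var_dump(delete_thumb_hardened($uploads, $attached, $evil));
var_dump(file_exists("$site/wp-config.php"));

// The vulnerable routine resolves uploads/2018/06/../../../../wp-config.php
// to the site root and removes the file, which sends the site to the installer.
delete_thumb_vulnerable($uploads, $attached, $evil);
var_dump(file_exists("$site/wp-config.php"));

// Same trick against .htaccess.
delete_thumb_vulnerable($uploads, $attached, '../../../../.htaccess');
var_dump(file_exists("$site/.htaccess"));

// Remove the demo tree.
$it = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($site, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($it as $p) {
    $p->isDir() ? rmdir($p->getPathname()) : unlink($p->getPathname());
}
rmdir($site);
```

Run it with `php demo.php`. The basename test alone stops the traversal shown here; the realpath containment check is kept as a second layer because it also catches symlinked subdirectories inside uploads that point elsewhere, which a string check on the supplied name cannot see.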

"Besides the possibility of erasing the whole WordPress installation, which can have disastrous consequences if no current backup is available, an attacker can make use of the capability of arbitrary file deletion to circumvent some security measures and to execute arbitrary code on the web server," The Hacker News quoted researchers as saying.
