Monday 10th December 2018

WordPress core vulnerability could give would-be attackers the capability to delete files

The vulnerability exists in functions that serve to delete thumbnails associated with images. WordPress has been aware of the bug for 7 months but so far hasn't released a patch.
by Jason Smith on 27th June 2018

WordPress core contains a vulnerability that, if exploited, could give would-be attackers the capability to delete files, according to a report from PHP security firm RIPS.

The vulnerability can only be exploited by users with the necessary privileges to edit and delete media files, which includes users with privileges assigned to ‘author’ in a standard WordPress installation.

By exploiting the vulnerability an attacker could delete the entire WordPress installation. A video of the security firm exploiting the vulnerability can be viewed in a blog post on its website.

RIPS states the vulnerability exists because of an unsanitized value being passed to a function named unlink() that is called from within the wp_delete_attachment() function in the post.php file (which is in the wp-includes directory).

These functions play a part in deleting thumbnails associated with images.
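
The class of bug described above, and one defensive pattern against it, as an added example that is not WordPress core code and not the fix published by RIPS. The function names, directory layout and file names are hypothetical and the demo files are constructed in a temporary directory.

```php
<?php
// Naive pattern: a stored value is joined to a directory and handed to unlink().
// A value containing "../" can point outside the uploads directory.
function naive_delete_thumbnail(string $uploadsDir, string $storedName): bool
{
    return @unlink($uploadsDir . DIRECTORY_SEPARATOR . $storedName);
}

// Hardened pattern (hypothetical helper): strip directory components, resolve
// the real path, and refuse anything that does not sit inside the uploads directory.
function safe_delete_thumbnail(string $uploadsDir, string $storedName): bool
{
    $base = realpath($uploadsDir);
    if ($base === false) {
        return false; // uploads directory itself is missing
    }
    // basename() discards any "../" or absolute-path prefix in the stored value.
    $candidate = $base . DIRECTORY_SEPARATOR . basename($storedName);
    // realpath() follows symlinks and returns false for a missing file.
    $resolved = realpath($candidate);
    if ($resolved === false || !is_file($resolved)) {
        return false;
    }
    // Containment check: catches a symlink inside uploads that points elsewhere.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($resolved);
}

// Constructed demo tree: a stand-in config file next to an uploads directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo-' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/demo-config.php', '<?php // constructed stand-in');
file_put_contents($root . '/uploads/photo-150x150.jpg', 'constructed thumbnail');

echo "traversal value deleted something: ";
var_dump(safe_delete_thumbnail($root . '/uploads', '../demo-config.php'));
echo "config stand-in still present: ";
var_dump(file_exists($root . '/demo-config.php'));
echo "legitimate thumbnail deleted: ";
var_dump(safe_delete_thumbnail($root . '/uploads', 'photo-150x150.jpg'));

// Clean up the constructed tree.
unlink($root . '/demo-config.php');
rmdir($root . '/uploads');
rmdir($root);
```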

RIPS claims it informed WordPress of the vulnerability about 7 months ago; however, to this date it remains unpatched. The lack of response from WordPress led the security firm to go public with the vulnerability.

It also states that all versions of WordPress, including the latest version 4.9.6, are susceptible to the vulnerability.

In its blog post, the security firm has published a temporary fix “in order to prevent attacks.” It states that the fix will ensure no security-relevant files can be deleted.

However, it also urges caution when applying the fix as it’s difficult to predict the likelihood of any backwards compatibility issues with installed WordPress plugins.

As a user account is required to exploit the vulnerability, RIPS states it’s unlikely to affect WordPress sites at scale. However, if a site maintains multiple user accounts, it recommends applying the fix.