Exclusive: if you haven’t updated your site to the latest version of WordPress 5.0.3, it’s a great idea to update your site’s content management software now. From now on, I mean immediately.
Cybersecurity researchers at RIPS Technologies GmbH today shared their latest research with us, revealing the existence of a critical remote code execution vulnerability that affects all previous versions of WordPress content management software released in the past. 6 years
The remote code execution attack detected and reported to the WordPress security group at the end of last year can be exploited by an attacker with low privileges, who has at least one “author” account using a combination of two separate vulnerabilities: The path and local inclusion of files are in the WordPress core.
“An attacker who gains access to an account with at least author privileges on a target WordPress site can execute arbitrary PHP code on the underlying server, leading to a full remote takeover,” Scannell says.
Requiring at least one author’s account to some extent reduces the severity of this vulnerability, which can be exploited by a member of dishonest content or an attacker who somehow manages to obtain author credentials by phishing, re-using a password or other attacks.
Video demo: here’s how the attack works
According to Simon Scannell, a researcher at RIPS Technologies GmbH, the attack uses the way that the WordPress image management system processes Post Meta records used to store the description, size, creator, and other image meta information. loaded.
Scannell discovered that a malicious or hacked author’s account can modify any record associated with an image and set arbitrary values for it, which leads to vulnerability on the way.
Error paths in combination with the error of the inclusion of a local file in the subject directory may allow an attacker to execute arbitrary code on the destination server.
The attack, as shown in the conceptual video published by the researcher, can be completed in seconds to take full control of the vulnerable WordPress blog.
According to Scannell, the code execution attack became unused in WordPress versions 5.0.1 and 4.9.9 after a patch was released for another vulnerability that prevented unauthorized users from installing random Post Meta entries.
“The idea is to set _wp_attached_file to evil.jpg?shell.php, which would lead to an HTTP request being made to the following URL: https://targetserver.com/wp-content/uploads/evil.jpg?shell.php,” Scannell explains.
And, “it is still possible to plant the resulting image into any directory by using a payload such as evil.jpg?/../../evil.jpg.”
However, the Path Traversal defect has not yet been fixed, even in the latest version of WordPress, and can be used if any third-party add-on installed incorrectly processes the meta-post entries.
Scannell has confirmed that the next version of WordPress will include a solution to fully solve the problem, as demonstrated by the researcher.