UPDATE—WordPress has released version 4.9.7 to lastly while this vulnerability that could allow remote attackers to make total command over affected websites. You are recommended to install the latest available version of WordPress every bit presently every bit possible.
Last calendar week nosotros received a tip most an unpatched vulnerability inward the WordPress core, which could allow a low-privileged user to hijack the whole site as well as execute arbitrary code on the server.
Discovered past times researchers at RIPS Technologies GmbH, the "authenticated arbitrary file deletion" vulnerability was reported vii months agone to the WordPress safety squad simply remains unpatched as well as affects all versions of WordPress, including the electrical flow 4.9.6.
The vulnerability resides inward ane of the marrow functions of WordPress that runs inward the background when a user permanently deletes thumbnail of an uploaded image.
Researchers honor that the thumbnail delete role accepts unsanitized user input, which if tempered, could allow users amongst limited-privileges of at to the lowest degree an writer to delete whatever file from the spider web hosting, which otherwise should exclusively live allowed to server or site admins.
The requirement of at to the lowest degree an writer concern human relationship automatically reduces the severity of this flaw to to a greater extent than or less extent, which could live exploited past times a rogue content contributor or a hacker who somehow gains author's credential using phishing, password reuse or other attacks.
Researchers nation that using this flaw an assailant tin delete whatever critical files similar ".htaccess" from the server, which unremarkably contains security-related configurations, inward an campaign to disable protection.
Besides this, deleting "wp-config.php" file—one of the most of import configuration files inward WordPress installation that contains database connector information—could forcefulness entire website dorsum to the installation screen, allegedly allowing the assailant to reconfigure the website from the browser as well as convey over its command completely.
Once complete, the assailant tin practise a novel admin concern human relationship as well as convey consummate command over the website, including the might to execute arbitrary code on the server.
"Besides the possibility of erasing the whole WordPress installation, which tin cause got disastrous consequences if no electrical flow backup is available, an assailant tin brand work of the capability of arbitrary file deletion to circumvent to a greater extent than or less safety measures as well as to execute arbitrary code on the spider web server," researchers say.In a proof-of-concept video published past times the researchers, every bit shown above, the vulnerability worked perfectly every bit described as well as forced the site to re-installation screen.
However, every bit of now, website admins should non panic due to this vulnerability as well as tin manually apply a hotfix provided past times the researchers.
We await the WordPress safety squad would while this vulnerability inward the upcoming version of its CMS software.
