A vulnerability has been discovered in WordPress sites that could allow a low privileged attacker to gain full control of a user’s site and execute arbitrary code. The vulnerability was first reported seven months ago to WordPress; however, the vulnerability still exists. It resides in a core function of WordPress, which runs in the background when the user is permanently deleting thumbnails of uploaded images. According to researchers, “the thumbnail delete function accepts unsanitized user input which, if tampered with, could allow users with limited-privileges of at least an author to delete any file from the web hosting, which otherwise should only be allowed to server or site admins.” The attacker can delete any critical file such as “.htaccess” from the server. Since “.htaccess” files contain security related configurations, this could be an attempt to disable any type of protection. If “wp-config.php” files are deleted (important configuration files in WordPress), this could force the site back to the installation screen, which allows the attacker to reconfigure the site from the browser and ultimately gaining full control. Once the attacker gains full control, a new admin account can be created which then allows execution of arbitrary code. It is worth noting that “the attacker can’t directly read the content of wp-config.php file to know the existing database name, mysql username, and its password, he can re-setup the targeted site using a remote database server in his control.” It is unclear when WordPress will patch the vulnerability, but researchers have provided a “hotfix” to address the issue.
