Security researchers from RIPS today disclosed details about an unpatched security flaw in WordPress, the Internet's most popular content management system (CMS).
RIPS researchers say they reported this vulnerability to the WordPress team in November last year, but the WordPress developers have yet to release a patch.
The vulnerability affects the core of the WordPress CMS, not one of its plugins or themes. More precisely, the bug is in the PHP function that deletes the thumbnails of images uploaded to a WordPress site.
The vulnerability is... and is not... a big deal
RIPS researchers found that users who have access to the post editor, and can therefore upload and delete images (and their thumbnails), can abuse that delete operation to remove files outside the uploads directory, including crucial files of the WordPress core, something that should not be possible without file-system access to the server (for example, over FTP).
The severity of this vulnerability is greatly reduced by the fact that only users with a certain role (Author or higher) can exploit the bug, since only those users can create posts and manage the associated images and thumbnails.
Nonetheless, RIPS experts warn that an attacker who manages to register even a low-level "User" account on a site and then elevate its privileges can exploit this vulnerability to hijack the site.
They can hijack the site because the vulnerability lets them delete wp-config.php, the site's configuration file, which holds its database settings. With that file gone, WordPress presents the installation process again, and the attacker can complete it with database settings of their own choosing, effectively hijacking the site to deliver custom or malicious content.
A video showing the RIPS team using the vulnerability to hijack a site is embedded below.