New WordPress Vulnerability

There has been a new WordPress vulnerability discovered that can give an attacker the ability to delete files on the web server and take control of your web site.  This was reported on the WordFence blog on June 27th.

This vulnerability can be exploited by anyone logged in to a WordPress website with Author, Editor, or Administrator credentials.  These roles have permission to upload and delete media attachments and to edit their metadata.  An attacker could upload an attachment and set its thumbnail entry to a relative path that points at a different targeted file on the website, and then delete that file.  Some important configuration files that could be targets of this deletion attack include:

  • wp-config.php: Deleting this file in a WordPress installation would cause WordPress to behave as if this were a new installation. The wp-config.php file contains the database credentials, and without those, an attacker could start the installation process over, creating their own Administrator account and, finally, upload, install, and execute malicious code on the server.
  • .htaccess: Usually, deleting this file does not affect security, but sometimes the .htaccess file contains security-related limits preventing access to certain folders. Deleting this file would remove those security constraints.
  • index.php files: Empty index.php files are sometimes placed into directories to prevent directory listing. Deleting those files would give the attacker a listing of all files in protected directories.

The point is that by deleting files containing credentials and security controls, an attacker can hijack the website and use it in a variety of exploits, including crypto-mining, malware distribution, and hosting a phishing landing page, as well as gaining access to customer information that may be stored in the database.
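As an added illustration (not code from this post or from WordPress itself), here is the kind of PHP 8 check that closes this hole: before a thumbnail path taken from attachment metadata is ever unlinked, confirm that it resolves inside the uploads directory. The directory layout, file names, and function names are constructed for the demo.

```php
<?php
// Added example, not WordPress core code. The weak pattern is
// unlink(join_path($uploads, $thumb)) with no check on $thumb; the
// hardened version validates $thumb first and refuses anything that escapes.

// Mimics a simple path join: absolute paths win, otherwise join onto the base.
function join_path(string $base, string $path): string {
    if ($path !== '' && $path[0] === '/') {
        return $path;
    }
    return rtrim($base, '/') . '/' . ltrim($path, '/');
}

// True only if $thumb, resolved against $uploads_dir, stays inside it.
// Rejects absolute paths, NUL bytes, '..' segments, and anything whose
// canonical path (symlinks resolved by realpath) lies outside the directory.
function is_safe_thumb_path(string $uploads_dir, string $thumb): bool {
    if ($thumb === '' || $thumb[0] === '/' || str_contains($thumb, "\0")) {
        return false;
    }
    foreach (explode('/', str_replace('\\', '/', $thumb)) as $segment) {
        if ($segment === '..') {
            return false;
        }
    }
    $base   = realpath($uploads_dir);
    $target = realpath(join_path($uploads_dir, $thumb));
    if ($base === false || $target === false) {
        return false; // base dir missing or file absent: nothing to delete
    }
    return str_starts_with($target, rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR);
}

// Constructed sample layout in a temp dir: a fake uploads folder and a
// stand-in wp-config.php two levels above it, like a real install.
$root = sys_get_temp_dir() . '/wp-demo-' . bin2hex(random_bytes(4));
mkdir("$root/wp-content/uploads/2018/06", 0700, true);
file_put_contents("$root/wp-content/uploads/2018/06/photo-150x150.jpg", 'jpg');
file_put_contents("$root/wp-config.php", '<?php // constructed stand-in');
$uploads = "$root/wp-content/uploads";

foreach (['2018/06/photo-150x150.jpg', '../../wp-config.php', "$root/wp-config.php"] as $thumb) {
    $verdict = is_safe_thumb_path($uploads, $thumb) ? 'delete allowed' : 'REJECTED';
    echo str_pad(str_replace($root, '<root>', $thumb), 30) . " => $verdict\n";
}
```

Only the genuine thumbnail inside the uploads folder passes; the relative traversal and the absolute path are both refused before any unlink() is reached.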

As of June 28, 2018, there is no WordPress update that fixes this flaw, but updating your site to the next WordPress version as soon as it is released will be critical.  WordFence Premium users are already protected; WordFence free users will receive the security update shortly.

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
