New WordPress Vulnerability

There has been a new WordPress vulnerability discovered that can give an attacker the ability to delete files on the web server and take control of your web site.  This was reported on the WordFence blog on June 27th.

This vulnerability applies to anyone logged in to a WordPress website with user credentials of Author, Editor, or Administrator.  These roles have permissions to upload and delete media attachments and edit their metadata.  And attacker could upload code to define a thumbnail, but by changing the relative path to a different targeted website file, and then the attacker could them delete that file.  Some important configuration files that could be targets of this deletion attack include:

  • wp-config.php: Deleting this file in a WordPress installation would cause WordPress to behave as if this were a new installation. The wp-config.php file contains the database credentials, and without those, an attacker could start the installation process over, creating their own Administrator account and, finally, upload, install, and execute malicious code on the server.
  • .htaccess: Usually, deleting this file does not affect security, but sometimes, the .htaccess file contains security related limits preventing access to certain folders. Deleting this file would remove those security constraints.
  • index.php files: Empty index.php files are sometimes placed into directories to prevent directory listing. Deleting those files would give the attacker a listing of all files in protected directories.

The point is that by deleting files containing credentials and security controls, an attacker can hijack the website and use it in a variety of exploits, including crypto-mining, malware distribution, and hosting a phishing exploit landing page, as well as giving them access customer information that may be stored in the database.

As of June 28, 2018, there is no update to WordPress that fixes this flaw, but updating your site to the next WordPress version will be critical.   Currently, WordFence Premium users have already been protected, WordFence free users will receive a security update shortly.

More information:


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Pratitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speakers at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.