New WordPress Vulnerability

A new WordPress vulnerability has been discovered that can give an attacker the ability to delete files on the web server and take control of your website.  It was reported on the WordFence blog on June 27th.

This vulnerability applies to anyone logged in to a WordPress website with Author, Editor, or Administrator credentials.  These roles have permission to upload and delete media attachments and to edit their metadata.  An attacker could upload a file and define a thumbnail for it, but change the thumbnail's relative path so that it points at a different, targeted file on the website; the attacker could then delete that file.  Some important configuration files that could be targets of this deletion attack include:

  • wp-config.php: Deleting this file in a WordPress installation would cause WordPress to behave as if this were a new installation. The wp-config.php file contains the database credentials, and without those, an attacker could start the installation process over, creating their own Administrator account and, finally, upload, install, and execute malicious code on the server.
  • .htaccess: Deleting this file usually does not affect security, but sometimes the .htaccess file contains security-related rules that block access to certain folders. Deleting it would remove those constraints.
  • index.php files: Empty index.php files are sometimes placed into directories to prevent directory listing. Deleting those files would give the attacker a listing of all files in protected directories.

The point is that by deleting files containing credentials and security controls, an attacker can hijack the website and use it in a variety of exploits, including crypto-mining, malware distribution, and hosting a phishing landing page, as well as gaining access to customer information that may be stored in the database.
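To make the underlying bug concrete, here is an added illustrative example in plain PHP (not WordPress core code and not from the WordFence write-up) showing the unsafe pattern of building a file path from attacker-editable thumbnail metadata next to a hardened version that confines deletions to the uploads directory. The function names and the temporary directory layout are assumptions made for the demonstration.

```php
<?php
// Added illustrative example, not WordPress core code. Function names and the
// temporary directory layout are assumptions made for the demonstration.

// Unsafe pattern: the thumbnail name comes from attacker-editable metadata and is
// substituted into the attachment path as-is, so "../" components reach unlink().
function delete_thumbnail_unsafe(string $attachmentFile, string $thumbName): bool
{
    $thumbPath = str_replace(basename($attachmentFile), $thumbName, $attachmentFile);
    return file_exists($thumbPath) && unlink($thumbPath);
}

// Hardened: reduce the value to a bare file name, then resolve the final path and
// refuse to delete anything that is not inside the uploads directory.
function delete_thumbnail_safe(string $uploadsDir, string $attachmentFile, string $thumbName): bool
{
    $thumbPath   = dirname($attachmentFile) . DIRECTORY_SEPARATOR . basename($thumbName);
    $realUploads = realpath($uploadsDir);
    $realThumb   = realpath($thumbPath);   // false when the file does not exist
    if ($realUploads === false || $realThumb === false) {
        return false;
    }
    // Containment check (also catches symlinks pointing outside the uploads tree).
    $prefix = $realUploads . DIRECTORY_SEPARATOR;
    if (strncmp($realThumb, $prefix, strlen($prefix)) !== 0) {
        error_log("refused to delete outside uploads dir: $thumbPath");
        return false;
    }
    return unlink($realThumb);
}

// Constructed temporary site layout; no real installation is touched.
$root = sys_get_temp_dir() . '/wp-demo-' . bin2hex(random_bytes(4));
mkdir("$root/wp-content/uploads/2018/06", 0700, true);
file_put_contents("$root/wp-config.php", "<?php // stand-in for the real config\n");
$uploads    = "$root/wp-content/uploads";
$attachment = "$uploads/2018/06/photo.jpg";
file_put_contents($attachment, 'jpeg-bytes');
file_put_contents("$uploads/2018/06/photo-150x150.jpg", 'thumb-bytes');

// A legitimate thumbnail name is deleted normally by the hardened version.
var_dump(delete_thumbnail_safe($uploads, $attachment, 'photo-150x150.jpg'));
// A traversal-style name is refused by the hardened version; wp-config.php survives.
$hostile = '../../../../wp-config.php';
var_dump(delete_thumbnail_safe($uploads, $attachment, $hostile));
var_dump(file_exists("$root/wp-config.php"));
// The unsafe pattern removes the stand-in config file, which is the reported flaw.
var_dump(delete_thumbnail_unsafe($attachment, $hostile));
var_dump(file_exists("$root/wp-config.php"));
```

Reviewing media-handling code for the unsafe pattern (a path assembled from stored metadata and passed straight to unlink()) is the quickest way to spot this class of bug in plugins and themes as well.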

As of June 28, 2018, there is no WordPress update that fixes this flaw, so updating your site as soon as the next WordPress version is released will be critical.  WordFence Premium users are already protected; WordFence free users will receive a security update shortly.

More information:


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instructor for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition-free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry-level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
