There has been a new WordPress vulnerability discovered that can give an attacker the ability to delete files on the web server and take control of your web site. This was reported on the WordFence blog on June 27th.
This vulnerability applies to anyone logged in to a WordPress website with user credentials of Author, Editor, or Administrator. These roles have permissions to upload and delete media attachments and edit their metadata. An attacker could upload a media file and define its thumbnail in the attachment metadata, but change the thumbnail's relative path to point at a different targeted file on the website; deleting the attachment would then delete that file. Some important configuration files that could be targets of this deletion attack include:
- wp-config.php: Deleting this file in a WordPress installation would cause WordPress to behave as if this were a new installation. The wp-config.php file contains the database credentials, and without those, an attacker could start the installation process over, creating their own Administrator account and, finally, upload, install, and execute malicious code on the server.
- .htaccess: Usually, deleting this file does not affect security, but sometimes, the .htaccess file contains security related limits preventing access to certain folders. Deleting this file would remove those security constraints.
- index.php files: Empty index.php files are sometimes placed into directories to prevent directory listing. Deleting those files would give the attacker a listing of all files in protected directories.
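The common factor in the three cases above is that the thumbnail path is trusted as given, so one defensive stopgap is to strip the directory part from that metadata value before it is stored and to log any attempt that carried one. The following must-use plugin is an added example, not code from the original post and not the official WordPress patch; it assumes the `wp_update_attachment_metadata` filter and the `thumb` metadata key from WordPress core's attachment handling, and `hardening_example_sanitize_thumb` is a name chosen for this example.

```php
<?php
/**
 * Added example (not from the original post): normalise the attachment
 * "thumb" metadata value so that deleting the attachment can only remove
 * a file inside the upload directory, never a file reached by "../".
 * Assumes WordPress core's 'wp_update_attachment_metadata' filter.
 */
add_filter( 'wp_update_attachment_metadata', 'hardening_example_sanitize_thumb', 10, 2 );

function hardening_example_sanitize_thumb( $data, $attachment_id ) {
    if ( ! is_array( $data ) || ! isset( $data['thumb'] ) ) {
        return $data;
    }

    $original = (string) $data['thumb'];
    // basename() discards every leading path component, including
    // "../" sequences, leaving only the file name.
    $safe = basename( $original );

    if ( $safe !== $original ) {
        // Defender signal: the media editor never produces a thumb value
        // containing a path, so record the user and value for review.
        error_log( sprintf(
            'attachment %d: thumb metadata contained a path (%s) set by user %d; normalised to %s',
            (int) $attachment_id,
            $original,
            get_current_user_id(),
            $safe
        ) );
        $data['thumb'] = $safe;
    }

    return $data;
}
```

Place the file in wp-content/mu-plugins/ so it loads before regular plugins; it is a stopgap until the core update the post refers to is installed.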
The point is that by deleting files containing credentials and security controls, an attacker can hijack the website and use it in a variety of exploits, including crypto-mining, malware distribution, and hosting a phishing landing page, as well as gaining access to customer information that may be stored in the database.
As of June 28, 2018, there is no update to WordPress that fixes this flaw, but updating your site to the next WordPress version will be critical. WordFence Premium users are already protected; WordFence free users will receive a security update shortly.