There has been a new WordPress vulnerability discovered that can give an attacker the ability to delete files on the web server and take control of your web site. This was reported on the WordFence blog on June 27th.
This vulnerability applies to anyone logged in to a WordPress website with user credentials of Author, Editor, or Administrator. These roles have permissions to upload and delete media attachments and edit their metadata. An attacker could upload an attachment to define a thumbnail but, by changing its relative path to point at a different targeted website file, then delete that file instead. Some important configuration files that could be targets of this deletion attack include:
- wp-config.php: Deleting this file in a WordPress installation would cause WordPress to behave as if this were a new installation. The wp-config.php file contains the database credentials, and without those, an attacker could start the installation process over, creating their own Administrator account and, finally, upload, install, and execute malicious code on the server.
- .htaccess: Usually, deleting this file does not affect security, but sometimes, the .htaccess file contains security related limits preventing access to certain folders. Deleting this file would remove those security constraints.
- index.php files: Empty index.php files are sometimes placed into directories to prevent directory listing. Deleting those files would give the attacker a listing of all files in protected directories.
The point is that by deleting files containing credentials and security controls, an attacker can hijack the website and use it in a variety of exploits, including crypto-mining, malware distribution, and hosting a phishing landing page, as well as gaining access to customer information that may be stored in the database.
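The mechanism described above, as an added illustration that is not WordPress's own code: the unvalidated path construction that lets a stored thumbnail name escape the uploads directory, beside a hardened check that refuses any thumbnail name that is not a bare file name and logs the attempt. Function names, the upload path and the sample values are assumptions; nothing is actually deleted.

```php
<?php
// Added example, not WordPress core code: validating an attachment's stored
// thumbnail name before it is turned into a path for unlink().
// The vulnerable pattern mirrors the article's description (the thumb name is
// spliced into the attachment's path); the hardened one refuses anything that
// is not a bare file name. Directory layout and file names are constructed.

function vulnerable_thumb_path(string $attachment_file, string $thumb): string {
    // The thumb name replaces the attachment's file name without validation, so
    // a value containing "../" walks out of the uploads directory.
    return str_replace(basename($attachment_file), $thumb, $attachment_file);
}

function is_bare_filename(string $thumb): bool {
    return $thumb !== ''
        && $thumb === basename($thumb)         // no directory component at all
        && strpbrk($thumb, "/\\\0") === false  // no separators or NUL bytes
        && $thumb !== '.' && $thumb !== '..';
}

function hardened_thumb_path(string $attachment_file, string $thumb): ?string {
    if (!is_bare_filename($thumb)) {
        // Log for detection; the caller must not unlink anything on null.
        error_log("rejected thumbnail name in attachment metadata: " . $thumb);
        return null;
    }
    return dirname($attachment_file) . DIRECTORY_SEPARATOR . $thumb;
}

// Constructed inputs: a normal thumbnail name and a traversal value stored in
// the thumb field through the metadata edit the article describes.
$file = '/var/www/html/wp-content/uploads/2018/06/photo.jpg';
foreach (['photo-150x150.jpg', '../../../../wp-config.php'] as $thumb) {
    printf("%-28s vulnerable: %s\n", $thumb, vulnerable_thumb_path($file, $thumb));
    printf("%-28s hardened:   %s\n", $thumb,
        hardened_thumb_path($file, $thumb) ?? 'rejected');
}
```

Run with `php` on the command line; the traversal value resolves to the site root under the vulnerable function and is rejected (and logged) under the hardened one.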
As of June 28, 2018, there is no WordPress update that fixes this flaw, so updating your site as soon as the next WordPress version is released will be critical. WordFence Premium users are already protected; WordFence free users will receive a security update shortly.
More information:
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com