WordPress remote code execution

Security researchers at RIPS Technologies GmbH have shared their latest research, revealing a critical remote code execution vulnerability that affects all versions of WordPress released in the past 6 years.

The remote code execution vulnerability can be exploited by an attacker with an "author" account by chaining two vulnerabilities, Path Traversal and Local File Inclusion, both of which reside in the WordPress core.

The requirement of an author account reduces the risk to some extent, but the flaw could still be exploited by a rogue contributor or by an attacker who manages to obtain such credentials.

Here's How it Works

According to Simon Scannell, an attacker can take advantage of the image management system, which stores metadata such as description, size, creator, and other information for each image. A rogue or compromised account can modify the entries associated with an image and set them to arbitrary values, which leads to the vulnerability.

"The idea is to set _wp_attached_file to evil.jpg?shell.php, which would lead to an HTTP request being made to the following URL: https://targetserver.com/wp-content/uploads/evil.jpg?shell.php," Scannell explains.

He adds that "it is still possible to plant the resulting image into any directory by using a payload such as evil.jpg?/../../evil.jpg."

The vulnerability can be exploited to gain complete control over an unpatched WordPress site. The code execution attack became non-exploitable in WordPress versions 5.0.1 and 4.9.9, since those releases patched a separate vulnerability, which prevented users from setting arbitrary Post Meta entries.

The flaw can still be exploited, however, if any installed third-party plugin incorrectly handles post meta entries.
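As an added example, not part of the article or of RIPS' research: a Python check that encodes the two traits the described chain depends on, a `?` in the stored `_wp_attached_file` value and `..` segments that walk out of the uploads directory, applied to constructed `wp_postmeta` rows as a defender might do when auditing a database export. The allowed-extension list and the row shape are assumptions; the same logic can be ported into a WordPress `update_post_metadata` filter to refuse such values at write time.

```python
import re
from typing import Dict, Iterable, List

# Assumption: the image extensions a site expects in _wp_attached_file; adjust per site.
ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "png", "gif", "webp"}
SEGMENT_RE = re.compile(r"[A-Za-z0-9._-]+")


def is_safe_attached_file(value: str) -> bool:
    """True only if value looks like a plain relative path below wp-content/uploads.

    The chain described in the article needs a '?' in the stored path
    (evil.jpg?shell.php) or '..' segments that leave the uploads directory
    (evil.jpg?/../../evil.jpg); both are rejected here.
    """
    if not value or "\x00" in value or "?" in value or "\\" in value:
        return False
    parts = value.split("/")
    # Every segment must be a plain name; '', '.' and '..' are all refused,
    # which also rules out absolute paths (leading '/') and traversal.
    if not all(SEGMENT_RE.fullmatch(p) and p not in (".", "..") for p in parts):
        return False
    name = parts[-1]
    if "." not in name:
        return False
    ext = name.rsplit(".", 1)[1].lower()
    return ext in ALLOWED_IMAGE_EXT


def find_suspicious_rows(rows: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return wp_postmeta rows whose _wp_attached_file value fails the check."""
    return [
        r for r in rows
        if r["meta_key"] == "_wp_attached_file" and not is_safe_attached_file(r["meta_value"])
    ]


# Constructed sample rows in the shape of wp_postmeta (not data from a real site).
SAMPLE_ROWS = [
    {"post_id": "12", "meta_key": "_wp_attached_file", "meta_value": "2019/02/holiday.jpg"},
    {"post_id": "13", "meta_key": "_wp_attached_file", "meta_value": "evil.jpg?shell.php"},
    {"post_id": "14", "meta_key": "_wp_attached_file", "meta_value": "evil.jpg?/../../evil.jpg"},
    {"post_id": "15", "meta_key": "_wp_attachment_image_alt", "meta_value": "evil.jpg?shell.php"},
]

if __name__ == "__main__":
    for r in find_suspicious_rows(SAMPLE_ROWS):
        print(f"post {r['post_id']}: suspicious _wp_attached_file {r['meta_value']!r}")
```

Only the `_wp_attached_file` key is inspected, so a `?` in unrelated metadata such as alt text (row 15) is not flagged.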

This article was published on the Hack Hex website, in the Security section, written by Dawood Khan.
