Arbitrary File Deletion Flaw Present in WordPress Core
The security community has been abuzz this week following the disclosure of a vulnerability present in all current versions of WordPress. The flaw, published in a detailed report by RIPS Technologies, allows any logged-in user with an Author role or higher to delete files on the server.
By exploiting this arbitrary file deletion vulnerability, malicious actors can pivot and take control of affected sites. The report contains the complete details of the vulnerability, but we’ve summarized it for more casual consumption.
It’s important to note that while the impact of this flaw can be severe on affected sites, the requirement that attackers secure valid Author-level credentials greatly limits the overall attack surface of this vulnerability.
In a standard WordPress installation any logged-in user with a role of Author or higher has the ability to upload media attachments, such as images, and edit their metadata, such as descriptions. A flaw in the process of updating attachment metadata allows a malicious user to submit unsanitized input when defining a thumbnail for the media file. By defining relative paths to targeted files as the “thumbnail” of an image, those files are deleted alongside the actual thumbnails when the image is deleted from the media library.
Several potential consequences of an arbitrary file deletion vulnerability were discussed in the disclosure report but, most critically, a site’s wp-config.php file can be deleted. With no wp-config.php in place, WordPress is forced to assume that a fresh installation is taking place. From this point, the attacker can configure their own WordPress installation with themselves as an administrator, which they can then use to upload and execute any other scripts they wish.
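As an added hardening example (not Wordfence's firewall rule and not the core patch), the must-use plugin below hooks WordPress's `wp_update_attachment_metadata` filter, which runs whenever attachment metadata is saved, and drops any thumbnail reference (`thumb` and `sizes[*]['file']`, the metadata keys core unlinks when an attachment is deleted) that is not a bare file name. The `example_` function names are hypothetical, and it assumes the file is placed in `wp-content/mu-plugins/`.

```php
<?php
/*
Plugin Name: Example attachment thumbnail hardening (added example)
Description: Rejects thumbnail references in attachment metadata that are not plain file names.
*/

// True only when $name is a bare file name: no directory separators, no
// traversal components and no NUL bytes, so it can only refer to a file
// that sits beside the attachment itself in the uploads directory.
function example_is_plain_filename( $name ) {
    if ( ! is_string( $name ) || '' === $name ) {
        return false;
    }
    if ( false !== strpos( $name, "\0" ) ) {
        return false;
    }
    // Reject both separator styles explicitly instead of relying on the
    // platform-dependent behaviour of basename().
    if ( false !== strpos( $name, '/' ) || false !== strpos( $name, '\\' ) ) {
        return false;
    }
    return '.' !== $name && '..' !== $name;
}

// Callback for the core 'wp_update_attachment_metadata' filter. Any 'thumb'
// or 'sizes[*][file]' entry that fails the check above is removed before the
// metadata is stored, so deleting the attachment later can only unlink files
// in the attachment's own directory.
function example_sanitize_attachment_thumbnails( $data, $attachment_id ) {
    if ( ! is_array( $data ) ) {
        return $data;
    }
    if ( isset( $data['thumb'] ) && ! example_is_plain_filename( $data['thumb'] ) ) {
        unset( $data['thumb'] );
    }
    if ( isset( $data['sizes'] ) && is_array( $data['sizes'] ) ) {
        foreach ( $data['sizes'] as $size => $info ) {
            if ( is_array( $info ) && isset( $info['file'] )
                && ! example_is_plain_filename( $info['file'] ) ) {
                unset( $data['sizes'][ $size ] );
            }
        }
    }
    return $data;
}

add_filter( 'wp_update_attachment_metadata', 'example_sanitize_attachment_thumbnails', 10, 2 );
```

Because the filter runs on every save, it also neutralises metadata that was tampered with before the plugin was installed the next time that attachment's metadata is updated, but it does not clean existing stored entries on its own.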
What To Do
Until an official update is released to patch the flaw, we’ve pushed an update to the Wordfence firewall to prevent this vulnerability from being exploited. Premium Wordfence users will have received the update before this article publishes, while free users will receive it thirty days later.
In the absence of the protection of our firewall, remember that an attacker must have access to a user account with Author permissions or higher. While this does strictly limit the attack surface of this vulnerability, be advised that credential stuffing attacks have increased in value, as there is now a larger pool of active accounts with the effective ability to take down a site. Wordfence includes robust login security features, including the leaked password protection we released in March.
Please help create awareness of this vulnerability in the WordPress community, because many WordPress site owners are not aware of the risks of unsecured ‘Author’ level accounts.