Arbitrary File Deletion Flaw Present in WordPress Core

The security community has been abuzz this week following the disclosure of a vulnerability present in all current versions of WordPress. The flaw, published in a detailed report by RIPS Technologies, allows any logged-in user with an Author role or higher to delete files on the server.

By exploiting this arbitrary file deletion vulnerability, malicious actors can pivot and take control of affected sites. The report contains the complete details of the vulnerability, but we’ve summarized it for more casual consumption.

It’s important to note that while the impact of this flaw can be severe on affected sites, the requirement that attackers secure valid Author-level credentials greatly limits the overall attack surface of this vulnerability.

Vulnerability Summary

In a standard WordPress installation, any logged-in user with a role of Author or higher can upload media attachments, such as images, and edit their metadata, such as descriptions. A flaw in the process of updating attachment metadata lets a malicious user supply unsanitized input when defining a thumbnail for the media file. If a relative path to a targeted file is stored as the “thumbnail” of an image, that file is deleted alongside the real thumbnails when the image is deleted from the media library.

Several potential consequences of an arbitrary file deletion vulnerability were discussed in the disclosure report but, most critically, a site’s wp-config.php file can be deleted. With no wp-config.php in place, WordPress is forced to assume that a fresh installation is taking place. From this point, the attacker can configure their own WordPress installation with themselves as an administrator, which they can then use to upload and execute any other scripts they wish.
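The flaw summarized above is a path-confinement failure: a caller-controlled thumbnail name is joined to the attachment's directory and later unlinked without any check that the result still lies inside that directory. The following is an added example, not code from this post, from WordPress core, or from the RIPS report and its hotfix, of how a defender can neutralize that class of input. It hooks WordPress's `wp_update_attachment_metadata` filter (a real core filter) to reduce the `thumb` entry to a bare file name before it is stored, and it shows a `realpath()`-based confinement check that a deletion routine can apply as a second line of defense. All function names prefixed `example_` are this example's own.

```php
<?php
// Added example: harden the 'thumb' entry of attachment metadata so that a later
// deletion of the attachment can only remove a file in the attachment's own
// directory. Not part of the page, of WordPress core, or of the RIPS hotfix.

/**
 * Reduce a thumbnail reference to a bare file name.
 * Any directory component is dropped, so "../../wp-config.php" becomes
 * "wp-config.php" and an absolute path loses its prefix. Backslashes are
 * normalised first so Windows-style traversal gets the same treatment.
 */
function example_sanitize_thumb_name( $thumb ) {
    if ( ! is_string( $thumb ) ) {
        return '';
    }
    $name = basename( str_replace( '\\', '/', $thumb ) );
    // basename() lets the special directory entries through; reject them.
    if ( $name === '' || $name === '.' || $name === '..' ) {
        return '';
    }
    return $name;
}

/**
 * Resolve a thumbnail name relative to $dir and return the absolute path only
 * if it really lies inside $dir; otherwise return false. realpath() resolves
 * symlinks and "..", so a crafted name cannot escape even if the sanitizer
 * above were bypassed. A missing file also yields false (nothing to delete).
 */
function example_confined_thumb_path( $dir, $thumb ) {
    $name = example_sanitize_thumb_name( $thumb );
    if ( $name === '' ) {
        return false;
    }
    $base = realpath( $dir );
    $full = realpath( $dir . DIRECTORY_SEPARATOR . $name );
    if ( $base === false || $full === false ) {
        return false;
    }
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    return strncmp( $full, $base, strlen( $base ) ) === 0 ? $full : false;
}

/**
 * Filter callback: normalise 'thumb' before the metadata is written.
 * Core passes ($data, $post_id); $post_id is unused here.
 */
function example_filter_attachment_thumb( $data, $post_id = 0 ) {
    if ( is_array( $data ) && isset( $data['thumb'] ) ) {
        $data['thumb'] = example_sanitize_thumb_name( $data['thumb'] );
    }
    return $data;
}

if ( function_exists( 'add_filter' ) ) {
    // Running inside WordPress (e.g. as an mu-plugin): register the filter.
    add_filter( 'wp_update_attachment_metadata', 'example_filter_attachment_thumb', 10, 2 );
} else {
    // Stand-alone demonstration on a constructed temporary upload directory.
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'example-uploads-' . uniqid();
    mkdir( $dir );
    file_put_contents( $dir . '/photo-150x150.jpg', 'constructed sample thumbnail' );
    $outside = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'example-outside.txt';
    file_put_contents( $outside, 'constructed file that must survive' );

    // Traversal string collapses to a bare name.
    var_dump( example_sanitize_thumb_name( '../../wp-config.php' ) );
    // A real thumbnail inside the directory resolves to its absolute path.
    var_dump( example_confined_thumb_path( $dir, 'photo-150x150.jpg' ) );
    // An attempt to reach the file outside the directory is refused.
    var_dump( example_confined_thumb_path( $dir, '../example-outside.txt' ) );
    // The filter callback rewrites the metadata in place.
    var_dump( example_filter_attachment_thumb( array( 'thumb' => '../../wp-config.php' ) ) );

    unlink( $dir . '/photo-150x150.jpg' );
    rmdir( $dir );
    unlink( $outside );
}
```

Sanitizing at write time (the filter) closes the hole where the data enters; confining at delete time (the `realpath()` check) protects against metadata that was already stored before the fix was in place, which is why a site cleanup should do both.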

What To Do

Until an official update is released to patch the flaw, we’ve pushed an update to the Wordfence firewall to prevent this vulnerability from being exploited. Premium Wordfence users will have received the update before this article publishes, while free users will receive it thirty days later.

Without the protection of our firewall, remember that an attacker must have access to a user account with Author permissions or higher. While this strictly limits the attack surface of this vulnerability, be advised that credential stuffing attacks have increased in value, as there is now a larger pool of active accounts with the effective ability to take down a site. Wordfence includes robust login security features, including the leaked password protection we released in March.

Please help create awareness of this vulnerability in the WordPress community, because many WordPress site owners are not aware of the risks of unsecured ‘Author’ level accounts.


41 Comments
  • Although deleting wp-config.php triggers the WordPress installation process, the attacker does not know the database credentials and therefore may be blocked from taking control of the WordPress site as the install process will not complete without valid credentials. Another good reason to have a strong password for your WordPress database.

    • Hi,

      The attacker can point the site to their own mysql instance. They don't need the DB to be the site's own database to get file write access.

      Mark.

  • I'm startled that Wordfence would publicize this vulnerability in this way: Requiring users to buy the Premium version in order to get immediate protection while simultaneously advertising the vulnerability to every malicious hacker who hasn't already discovered the exploit. This seems unethical to me.
    I'm a Premium user, and I normally share these messages on Facebook, but in this case I decline to be part of commercial extortion.
    Shame on you!

    • Hi Kenneth,

      The unfortunate reality is that too often, WordPress site owners are the last to know of a vulnerability or new threat. We're trying to change that.

      This issue was in the news yesterday on several sites including BleepingComputer: https://www.bleepingcomputer.com/news/security/unpatched-flaw-disclosed-in-wordpress-cms-core/

      ...among others. I found Catalin's article on Bleeping when I did a check earlier today by simply searching for 'wordpress vulnerability' on google news. So this data is out there for anyone who does a quick google search. Our role in this is to make sure hackers don't have better data than WP site owners defending their sites.

      Regards,

      Mark.

  • How would an attacker be able to get author level credentials without admin approval?

    • Hi John,

      Usually through a compromised account. An author level user might reuse a password on another site that is compromised. The attacker gets access to the breached user accounts DB and uses that to compromise the Author level account. We've seen major data breaches that happened this way.

      Mark.

  • In order to delete the wp-config.php, wouldn't the docroot need to be chmod 777 or set the owner to the web server's user id?

    I think apache usually runs as "apache" or "nobody", unless the webmaster gave it higher user or group privileges.

    • The web user simply needs write access to the wp-config.php to be able to delete it. That is a common scenario on WordPress websites because, for convenience's sake, WordPress is given write access to everything so that it can perform upgrades. This can happen through a variety of ownership and file permission combinations.

      Mark.

  • This security update is great service for a first-class security plugin. Real help comes additionally with an affordable Wordfence Premium plugin. Keep going. It keeps my website safer. Thanks.

  • This will NOT happen if you have proper permissions!

    If you set the entire wordpress tree (but uploads, cache, upgrade) to
    chmod 0640 all files
    chmod 0750 all directories
    chown SOMEEDITORUSER.apache all files/directories
    the process running the apache server will not be able to do anything, simple as that.

    Upgrade and install wordpress using ssh2 with the ssh2 process running under SOMEEDITORUSER.

    Problem solved.

    • These instructions are quite specific and may not work for all environments. For example, you're suggesting they "Upgrade and install wordpress using ssh2 with the ssh2 process running under SOMEEDITORUSER." I'm assuming you're suggesting ssh2 because it includes SFTP, and your assumption is that if they use that server running as that username, the uploaded files will be owned by SOMEEDITORUSER, which is not the web user, and your 0640 permissions will disallow file writes. That may work for you, but most site owners don't have the ability to choose which SSH daemon they access their site with and which user it runs as.

      But I think the thrust of your argument is that if you ensure that the web user and group do not have write access to the WordPress files, then you can't delete or overwrite wp-config.php with this kind of exploit. That is true, but you also lose the ability to upgrade things or install plugins or themes via the WP interface. That makes it harder to keep plugins up to date, which can introduce its own risks.

      One interesting option is, instead of making all files unwritable by the web server, to just make wp-config.php unwritable. Unfortunately even this creates problems because some plugins modify wp-config.php when they're installed or upgraded. And so again, this will limit your ability to upgrade or install some things via the WP user interface.

      Regards,

      Mark.
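The permission recipe above and the reply to it both turn on one question: can the account the web server runs as overwrite or delete wp-config.php? The following is an added example, not code from this post or from Wordfence, of a small audit that answers that question from the point of view of the process running PHP. One detail worth building into such a check: on POSIX systems, deleting a file is governed by write (and search) permission on the directory that contains it, not by the file's own mode, so a read-only wp-config.php inside a writable document root can still be removed. The WordPress root path and the `example_` function name are this example's own assumptions.

```php
<?php
// Added example (not from the page or from Wordfence): report how exposed
// wp-config.php is to the account this PHP process runs as.

/**
 * Return an array describing whether the current process could overwrite or
 * delete wp-config.php under $wp_root.
 *
 * "overwritable" follows the file's own permissions; "deletable" follows the
 * containing directory's permissions, plus the sticky bit, which restricts
 * unlink() to the file owner, the directory owner, or root.
 */
function example_audit_wp_config( $wp_root ) {
    $dir    = rtrim( $wp_root, '/\\' );
    $config = $dir . DIRECTORY_SEPARATOR . 'wp-config.php';

    $report = array(
        'config_path'     => $config,
        'config_exists'   => is_file( $config ),
        'config_writable' => is_file( $config ) && is_writable( $config ),
        'dir_writable'    => is_dir( $dir ) && is_writable( $dir ),
        'dir_sticky'      => is_dir( $dir ) && ( fileperms( $dir ) & 01000 ) !== 0,
    );

    // With the sticky bit set, only the file's owner (or the directory owner,
    // or root) may unlink it, so check whether this process owns the file.
    $owns_file = false;
    if ( $report['config_exists'] && function_exists( 'posix_geteuid' ) ) {
        $owns_file = ( fileowner( $config ) === posix_geteuid() );
    }

    $report['overwritable'] = $report['config_writable'];
    $report['deletable']    = $report['dir_writable'] && ( ! $report['dir_sticky'] || $owns_file );

    // is_writable() answers for the *current* process: run this as the web
    // server user (for instance from a temporary admin-only page) to learn
    // what the server could do. Root bypasses every check here.
    return $report;
}

// Stand-alone demonstration on a constructed temporary WordPress-like tree.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'example-wp-' . uniqid();
mkdir( $root );
file_put_contents( $root . '/wp-config.php', "<?php // constructed placeholder\n" );

// Case 1: the common "WordPress can write everything" layout.
chmod( $root, 0755 );
chmod( $root . '/wp-config.php', 0644 );
print_r( example_audit_wp_config( $root ) );

// Case 2: read-only wp-config.php, but the directory stays writable.
// The file cannot be overwritten, yet it can still be deleted.
chmod( $root . '/wp-config.php', 0444 );
print_r( example_audit_wp_config( $root ) );

// Case 3: directory not writable by this process (the 0750-style layout
// from the comment above, seen from a non-owner account): not deletable.
chmod( $root, 0555 );
print_r( example_audit_wp_config( $root ) );

// Cleanup.
chmod( $root, 0755 );
chmod( $root . '/wp-config.php', 0644 );
unlink( $root . '/wp-config.php' );
rmdir( $root );
```

Case 2 is the one the reply above warns about from the other direction: making only wp-config.php read-only satisfies the "file not writable" test yet leaves the file deletable, while locking the directory blocks deletion but also blocks the in-place upgrades and plugin installs that rely on the web user writing to the WordPress tree.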

  • @kenneth - I have to disagree. Wordfence do a great job of keeping us informed of vulnerabilities and providing action we can take to mitigate the risk. Just imagine if your site was hacked and they hadn’t warned you, how you would react then!

    @Mark - how does this affect Buddypress websites? Does it mean that a user could create a login and exploit the vulnerability easily?

    • If the user has Author level access, then yes, they would be able to escalate their privileges. Most members on buddypress AFAIK have lower privs, so not an issue for them.

  • nice update. thanks for sharing.

  • Thanks for sharing, it's indeed limited in scope but still pretty bad. Do you know how long it generally takes for the core to be updated following security issues like this one?

    • In this case the core team have known about this issue for 7 months and haven't gotten to it yet. They may have reasons we're not aware of, like compatibility issues for example. This vulnerability became high profile this week due to the disclosure from RIPS that we link to above.

  • @kenneth grant - I think it's a bit reactionary to accuse Wordfence of "extortion". I found out about this yesterday and actually thought to myself "it will be great that Wordfence will more than likely email everyone to let them know about this in the next 24 hours". What's Wordfence's alternative - push out an update to their free version to protect everyone? How can they continue to make the product if they protect everyone for free? I admit they are in an invidious position whereby they have to charge people to protect them but I would be much quicker to blame the bad actors that have created this situation rather than WordFence who do a fantastic job keeping the community up to date on these attack vectors.

    I don't work for Wordfence (I don't even have a premium account) but I felt I needed to chime in here to back them up. You can't cast shame on a company like that without considering all the angles.

    • Thanks Loughlin. There is always tension between free and paid when you are providing something security related - and I include hospitals in that category. Do you treat a sick patient who can't afford to be treated? Should everyone get free medical care? If so, who pays for the doctors?

      In our case we have some of the best doctors in the world who have acquired very expensive security certifications. They also have families who need housing, food, etc. And working for Defiant is their full-time job. It's all they do. Myself included. Our team is now 35 highly talented individuals.

      I think what we have done is a really great compromise. Rather than having a purely commercial product, our product is free and open source and you get a fully functioning security feed. The only downside is that it is delayed by 30 days, which creates an incentive to upgrade. Millions of websites use our free version to protect themselves from a large range of threats. And so we are able to perform a public good by providing that protection to millions, while simultaneously ensuring that we can continue to develop, innovate and support the product and our customers. Then for our paid customers, we have a bleeding edge version that is on top of the very latest threats and has excellent support from our team.

      Mark.

  • Mark,
    Thank you for the updates and guidance - and thank you for a great tool.

    Kenneth,
    Extortion would be telling free users to switch to the premium version or we'll provide your information to hackers who will destroy your site.

    Instead, this helps free users like me understand the risks of using the free version with respect to our circumstances and helps us decide if we need to switch to the premium version. This specific issue is not enough to justify moving my sites to the premium version. But in appreciation for the value this provides, I will move at least one site to the premium version.

    • Thanks Kevin. We very much appreciate your support. Glad to have you as a Premium customer! You are helping fund both the community and Premium versions of Wordfence.

  • Have to agree with Kenneth Grant on this one. The 30-day delay to solicit Premium customers seems like a desperate way to run a railroad. I, too, am a big fan of the Premium version but not because of gimmicks like this. Come on, Mark. Do the right thing!

    • Hi Ward,

      The right thing? Sure, I'll start the layoffs now. Would you mind letting my team know they're all going to be without jobs tomorrow and we're shutting down? Thanks.

      Come on guys, this is absurd. And I'm not sure you're aware of how absurd your argument is, so let me enlighten you.

      The business that is Defiant today was actually started in 2006 by Kerry Boyte (my wife) and myself. We started a free geoblogging platform which got quite a few users and was completely free (geojoey.com). We weren't charging for it, but it cost us a lot of money. We burnt through some of our life savings to make that happen and because it didn't make any money, we had to shut it down.

      Then we pivoted into providing Feedjit.com, which was a real-time traffic feed. Feedjit became incredibly popular and some of you will remember that. Because Feedjit was free, and because it was incredibly popular, it was expensive to run and maintain, but the growth was very exciting and we were sure that we could have it make money at some point, because how can you possibly have a million websites using your product and not be making money, right?

      Well guess what. We burned through Kerry's 401K. We burned through my life savings. And we kept going. We eventually started to hit a financial wall. We eventually couldn't afford the place we were renting, so we sold a car to pay the last month's rent, moved out, drove to Colorado and lived with my parents-in-law for a year while we struggled to keep this business running. It was Colorado where I started to pivot this business into cyber security. I remember sitting in a room upstairs in my parents-in-law's home thinking "I am not going to quit. I will create a sustainable business. I am smart. I'm going to take a systematic approach to this."

      I sat in that chair and came up with criteria that defined a good business for us to be in. I still use those criteria today when evaluating new product/market combinations. On that day I invented Wordfence and we began to dig our way out of the financial hole we were in.

      Kerry and I launched Wordfence and we launched a free and paid version at the same time. The paid version is what has allowed us to grow this team and business to 35 people today. Kerry and I eventually paid off the incredibly large pile of debt we had on credit cards etc. Today we are on modest salaries as we continue to fund innovation and the team behind Wordfence.

      So when you tell me to do the right thing, I'd like to know what you mean specifically? Would you like me to give this product away free, like we did with Feedjit? Perhaps lay off our team and lose the best security analysts and developers in the world - shrink us down to a team of two again, struggling for survival?

      Or would you prefer that we continue to provide a free product with free security feed to millions and have a paid version with some additional benefits? Some companies may just scrap the free version altogether to avoid this conversation - and focus on providing a high priced premium product. I don't want to do that because I care deeply about the security of the WordPress community - which is why we blog regularly and why we have a free and open source product.

      Mark.

  • Thanks for the update on this matter. I will definitely have my IT personnel check on this, as this poses some serious issues for several websites.

  • Wouldn't simple file ownership prevent the vulnerability?

    • Hi Adam,

      Please see my comments to another poster here about some of the disadvantages of changing file permissions to fix this. Specifically, some plugins modify wp-config.php on install or upgrade and that will break.

      Mark.

  • Kenneth, take a look at the "detailed report by RIPS Technologies" link in the first paragraph. They discovered the vulnerability and reported it privately to WordPress Security back in November, and waited until just two days ago to publish their findings publicly. Waiting for nearly 7 months is well past the industry standard for responsible disclosures, which is often in the 30-90 day range. And RIPS also went above and beyond by providing their own hotfix solution for anyone to review and implement themselves. Wordfence is just helping to spread the word!

  • Mark, what about a multisite sub-domain instance? Can a user who registers on one of the sites within the multisite instance (with Author or higher role) delete the wp-config.php file of the whole instance?

    • Hi Richard,

      While we haven't modeled and tested this specifically, I've chatted with two of our analysts and they think it may be feasible to exploit this from an Author level account on a single site on a multi-site installation.

      Mark.

      • I have confirmed that the firewall rules active on Premium now protect both Multi-site and single-site installations. So you're good to go if you're on Premium.

  • Mark,
    I have used and recommend Wordfence to everyone. Those who do not understand or appreciate the work that goes into software development and believe FREE means a right to the same as PAID are the reason good software disappears. Like yourself I know the true cost of good developers, free software and users who never pay, it cost me dearly as well. We do it for the love of what we do, but we still have bills, mouths to feed. Excellent product, keep up the good work.

    • Thanks Peter.

  • Reading some of the negative comments above regarding "extortion" etc. is very depressing. I guess it's symptomatic of the more general view amongst a wide section of society that everything on the internet is (or should be) free.

    Mark & his colleagues have built a superb product that should be valued by all of its users whether paid or "free". How Defiant chooses to conduct its business is entirely up to them & anyone who has run a software services business knows how difficult that is - the landscape changes constantly. Personally, I can't imagine not running the Premium version on a non-trivial website. I mean, $40pa won't even cover my coffee bill for a month!

    Keep up the great work guys, you rock!

    • Thanks Nick!

  • Hi Mark, I can only agree with your comments to Ward Mundy. What sort of mentality is it to whinge about a product where even the free version has great benefits? Of course a company has to make some profit to be able to continue to provide salaries and development. I definitely appreciate your efforts, your dedication and your always interesting information. Personally I wouldn’t wait one minute to go for premium if I had a valuable site to protect; right now my site doesn’t warrant it and can be replaced in five minutes. But I am grateful for the free version, even if it’s just for good reading of the logs where the constant attacks are coming from. ...still can’t understand how anyone got the nerve to whinge about this!

  • @Mark Maunder

    I read carefully what you wrote. It's really hard to break into business. Admiration for your labor! But it should be noted that other developers have also been working on removing vulnerabilities. And it is a fact that in their new versions this problem has been eliminated. Another fact is that their products are free and have upgraded their plug-ins in good time - free of charge. Because the most important thing is to eliminate the danger, right Mark?

    Best regards.

  • Hi there Mark, thanks for the great updates. I have also been a customer of free WordFence since 2014 and I don't miss any updates from you. Your team is made up of such talented security professionals. I have a single-person blog and I don't allow anyone to register an account on my WP site, so that helps me mitigate this exploit.

  • Mark,

    Thank you for sharing your story, and continued success to you.

  • Mark I really appreciate all you and the team have done to create Wordfence...both free and premium. You offer an outstanding service. Ignore the critics. If they don't like the way your model is set up then that's their problem. Don't feel you need to justify yourself.
    I think the way you offer free and premium is an awesome compromise. Personally I run the Premium because I like that added security. But I have lots of clients who are happy to keep using the free...and that's perfectly OK too.
    I did enjoy hearing your background story and the history of your company, so perhaps a good thing came out of the naysaying! Thanks for sharing and showing you are human!

    • Thanks Lois!

  • Was this patched in 4.9.7, which is pushing out today as a security fix?