Researchers Slavco Mihajloski and Karim El Ouerghemmi reported an arbitrary file deletion vulnerability (CVE-2018-12895) in the popular CMS platform WordPress that malicious actors could exploit to gain control of a site, edit or delete any media files, and run arbitrary code. The flaw affects all versions of WordPress. Because exploitation requires a user account, abuse at scale is limited, but WordPress sites shared among multiple user accounts may be more exposed. The vulnerability remains unpatched even after disclosure to the developers, although the researchers released a hotfix.
The vulnerability can be exploited from an account with privileges as low as Author, and it also gives attackers a way to abuse another flaw or misconfiguration on the platform. An attacker can delete any file of the WordPress installation to circumvent security systems, or any file on the server that the PHP process has permission to delete. Deleting files such as .htaccess, index.php, and wp-config.php removes security constraints in place, grants access to all WordPress directories, and, because wp-config.php contains the site's credentials, lets threat actors reinstall WordPress on the next visit and set admin credentials of their choice in order to run arbitrary code on the server.
The security researchers reported the flaw in November 2017 through the bug bounty platform HackerOne. The WordPress security team initially confirmed the issue and said a fix would be released by January 2018, but the developers have since provided neither feedback nor a fix. WordPress is one of the most popular online CMS platforms, and threat actors may take advantage of this flaw to take control of various businesses' websites.
Not all businesses have their own IT personnel to maintain their servers and sites, and many enterprises rely on third-party CMS platforms for their ease of use and low maintenance requirements. Protect your business' reputation with these security practices:
Install available solutions or virtual patches from legitimate providers.
Enable 2FA for user accounts whenever available. An additional authentication layer provides another line of defense that deters threat actors.