Unpatched WordPress Vulnerability Leads To Deletion, Code Execution

Researchers Slavco Mihajloski and Karim El Ouerghemmi reported an authenticated arbitrary file deletion vulnerability (CVE-2018-12895) in the popular CMS platform WordPress. An attacker holding a low-privileged account can delete any file that the web server's PHP process is allowed to remove, media files and core configuration files included, and can chain that deletion into a full takeover of the site and arbitrary code execution. The flaw affects all current versions of WordPress. Because exploitation requires a valid user account, it is unlikely to be abused at mass scale, but sites with many registered users (multi-author blogs, for example) are more exposed. The vulnerability remains unpatched after disclosure to the developers, although the researchers have released a hotfix.

[Read: WordPress Woes: A fake plugin and three Zero-Day vulnerabilities found]

Exploitation requires an account with privileges as low as Author. The attacker edits the metadata of a media attachment they own so that its thumbnail path points outside the uploads directory, then deletes the attachment; WordPress unlinks the referenced file without checking where it resolves (the TippingPoint rule below names the affected function, wp_delete_attachment). Any file the PHP process has permission to delete is in reach, both inside the WordPress installation and elsewhere on the server. Deleting .htaccess removes the security constraints enforced there; deleting the placeholder index.php files exposes directory listings of WordPress directories; and deleting wp-config.php, which holds the database credentials, forces WordPress into its installation routine on the next visit. The attacker can then reinstall the site against a database they control, set an administrator account of their choice, and run arbitrary code on the server, for instance by uploading a malicious plugin or theme.
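The pattern behind the flaw, and the two places it can be closed, shown as an added PHP example (this is not WordPress core code or the researchers' hotfix; the helper names, the temporary directory layout and the metadata values are constructed for the demo). The unsafe function shows where an attacker-controlled thumbnail value would send unlink(); the input-side fix keeps only the file name with basename(); the sink-side fix resolves both the target and the allowed directory with realpath() and refuses anything that does not sit inside it.

```php
<?php
// Added example, not WordPress core code. The helper names, the temporary
// directory layout and the metadata values are constructed for this demo.

// Unsafe pattern: a user-controlled 'thumb' value from attachment metadata is
// joined onto the uploads directory and handed to unlink() as-is. Nothing
// strips '..' segments, so '../../wp-config.php' resolves outside uploads.
function unsafe_thumb_path(string $uploads_basedir, array $meta): string
{
    // In the vulnerable pattern this string goes straight to unlink().
    // The sink is left out here so the demo only shows where it would point.
    return $uploads_basedir . '/' . $meta['thumb'];
}

// Mitigation at the input: keep only the file name of the thumb value, so a
// traversal sequence can never be stored in the metadata in the first place.
function sanitize_thumb_meta(array $meta): array
{
    if (isset($meta['thumb'])) {
        $meta['thumb'] = basename($meta['thumb']);
    }
    return $meta;
}

// Mitigation at the sink: resolve both paths with realpath() and refuse to
// delete anything that does not sit inside the allowed directory. realpath()
// returns false for non-existent paths, which is treated as a refusal too.
function delete_file_from_directory(string $file, string $directory): bool
{
    $real_file = realpath($file);
    $real_dir  = realpath($directory);
    if ($real_file === false || $real_dir === false) {
        return false;
    }
    $real_dir = rtrim($real_dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real_file, $real_dir, strlen($real_dir)) !== 0) {
        return false; // target escapes the directory: do not delete
    }
    return unlink($real_file);
}

// Demo against a throwaway directory tree that mimics a WordPress layout.
$root    = sys_get_temp_dir() . '/wp-unlink-demo-' . bin2hex(random_bytes(4));
$uploads = $root . '/wp-content/uploads';
mkdir($uploads, 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // constructed stand-in\n");
file_put_contents($uploads . '/thumb.jpg', 'constructed image bytes');

// Constructed attacker-controlled metadata: two levels up from uploads is the
// WordPress root, where wp-config.php lives.
$evil_meta = ['thumb' => '../../wp-config.php'];

echo 'Unsafe pattern would unlink: ', unsafe_thumb_path($uploads, $evil_meta), PHP_EOL;
echo 'Sanitized thumb value:       ', sanitize_thumb_meta($evil_meta)['thumb'], PHP_EOL;

$allowed = delete_file_from_directory($uploads . '/' . $evil_meta['thumb'], $uploads);
echo 'Traversal delete allowed?    ', var_export($allowed, true), PHP_EOL;
echo 'wp-config.php still present? ', var_export(file_exists($root . '/wp-config.php'), true), PHP_EOL;

$legit = delete_file_from_directory($uploads . '/thumb.jpg', $uploads);
echo 'Legitimate thumb deleted?    ', var_export($legit, true), PHP_EOL;

// Remove the demo tree.
unlink($root . '/wp-config.php');
rmdir($uploads);
rmdir($root . '/wp-content');
rmdir($root);
```

In a real deployment the input-side sanitizer would be registered from a plugin on the `wp_update_attachment_metadata` filter so it runs whenever attachment metadata is saved; the sink-side check belongs in the deletion path itself, since it also protects against any other code path that manages to store a hostile value. Defending at both points is the safer choice, because the sink check still holds when a future plugin bypasses the filter.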

The researchers reported the flaw in November 2017 through the bug bounty platform HackerOne. The WordPress security team triaged the report and estimated a fix for January 2018, but no fix and no further feedback followed. WordPress is one of the most popular CMS platforms online, and threat actors may take advantage of the flaw to take control of businesses' websites.

[Read: Thousands of malware-infected WordPress sites highlight the need for comprehensive security]

Not all businesses have their own IT personnel to maintain their servers and sites, and many rely on third-party CMS platforms for their ease of use and low maintenance requirements. Protect your business's reputation with these security practices:

  • Install available fixes or virtual patches from legitimate providers. For this flaw, apply the researchers' hotfix until an official WordPress update is released.
  • Enable 2FA for user accounts whenever available. Another authentication layer affords an additional line of defense to deter threat actors.
  • Practice network segmentation, data classification, and least privilege for user accounts. Strict access and authorization guidelines limit who can create, revise, and delete specific data, and fewer accounts with Author or higher privileges means fewer footholds for this kind of attack.

The following Trend Micro products protect customers from possible exploitation of the above vulnerability:

  • Trend Micro Deep Security customers are protected using the following rule:
    1009168 - WordPress Authenticated Arbitrary File Deletion Vulnerability (CVE-2018-12895)
  • Trend Micro TippingPoint customers are also protected by using the following rule:
    32480: HTTP: WordPress wp_delete_attachment Directory Traversal Vulnerability
