Researchers Slavco Mihajloski and Karim El Ouerghemmi reported an arbitrary file deletion vulnerability (CVE-2018-12895) in the popular CMS platform WordPress that malicious actors could exploit to gain control of a site, edit or delete any media files, and run arbitrary code. The flaw affects all versions of WordPress; although it requires a user account, which limits abuse at scale, WordPress sites where several people share user accounts may be more exposed. The vulnerability remained unpatched after it was disclosed to the developers, but the researchers released a hotfix.
An attacker holding an account with privileges as low as Author can exploit the vulnerability and escalate from there. The exploit can also be chained with another flaw or misconfiguration on the platform. The attacker can delete any or all files of the WordPress installation to circumvent security mechanisms, or any other file on the server that the PHP process has permission to remove. Files such as .htaccess, index.php
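The mitigation for this bug class is to refuse any media-file deletion whose path resolves outside the uploads directory. The following helper is an added illustration written for this article; it is not WordPress core code and not the researchers' hotfix, and the uploads directory, the function name and the sandbox files are assumptions.

```php
<?php
// Added illustration (not WordPress core code, not the researchers' hotfix):
// a media-file deletion helper that refuses any path which does not resolve
// inside the uploads directory, so a crafted path cannot point unlink() at
// .htaccess, index.php, wp-config.php or other files the PHP process may own.

function safe_delete_media_file(string $uploads_dir, string $relative_path): bool
{
    $base = realpath($uploads_dir);
    if ($base === false) {
        return false; // uploads directory missing; nothing to delete
    }
    // Reject empty names and NUL bytes before touching the filesystem.
    if ($relative_path === '' || strpos($relative_path, "\0") !== false) {
        return false;
    }
    // realpath() collapses "../" sequences and resolves symlinks, and fails
    // for files that do not exist, so a prefix check on its result is sound.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $relative_path);
    if ($candidate === false || !is_file($candidate)) {
        return false;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        // Log and refuse: the resolved target escaped the uploads directory.
        error_log("Refused media deletion outside uploads dir: $relative_path");
        return false;
    }
    return unlink($candidate);
}

// Constructed demonstration: a temporary uploads directory with one image.
$sandbox = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wp-uploads-demo';
@mkdir($sandbox, 0700, true);
file_put_contents($sandbox . DIRECTORY_SEPARATOR . 'photo.jpg', 'fake-jpeg');

// A traversal attempt is refused; the real media file is removed.
var_dump(safe_delete_media_file($sandbox, '../../etc/passwd'));
var_dump(safe_delete_media_file($sandbox, 'photo.jpg'));
```

Because the check runs on the resolved path, a symlink placed inside the uploads directory that points elsewhere is refused as well.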
The researchers reported the flaw in November 2017 through the bug bounty platform HackerOne. The WordPress security team initially confirmed the issue and said a fix would be released by January 2018, but the developers then provided no further feedback and released no fix. WordPress is one of the most popular online CMS platforms, and threat actors may take advantage of this flaw to take control of businesses' websites.
Not all businesses have their own IT personnel to maintain their servers and sites, and many enterprises rely on third-party CMS platforms for their ease of use and low maintenance requirements. Protect your business' reputation with these security practices:
The following Trend Micro products protect customers from