Today, Karim El Ouerghemmi discloses a critical WordPress vulnerability allowing any author, editor, administrator to delete any file of the installation, in any folder, without any tool.
In less than 1 minute, a website can be gone. The flaw is known from WordPress Core Security Team since about 7 months but still no patch has been released, this is why Karim disclosed it.
Why disclose this if it’s critical!?
The answer is in the question: because it’s critical and if a security researcher could find it, a hack could find it too. We (me, you) have to spread the world about the vulnerability to show everyone how easy is it to hack a WordPress website if you have any author/editor/administrator (other than you) on your website.
Where is the flaw?
wp_delete_attachment() is guilty here:
unlink() statement will delete the file contained in the media’s metadata named
thumb. But, how is this meta filled? Let’s see that in
The metadata is just the raw value of the user’s input from a form, no sanitization, no filter, no escaping, nothing.
Is it exploitable yet? Easily?
Sadly yes, in less than 1 minute an author can delete any file from the website like
wp-config.php (one of the worst right?) but also an attacker could remove the main file of a security plugin to prevent it to be loaded, and then, perform deepest and more discreet attacks, because let’s say it, breaking a website as a hacker doesn’t worth it most of the time, defacing is a thing, stealing data is a thing, breaking is not.
Let’s see that in a 55 sec video:
How can I secure my website now?
If you’re already using SecuPress (free or pro version) 126.96.36.199 of more, your website is already secure because we included the following hotfix from Karim (with another function name to prevent duplicate names):
Install SecuPress now and secure your website in a minute!