WordPress 4.9.6 Vulnerability let authors delete any file, updated video

Today, Karim El Ouerghemmi discloses a critical WordPress vulnerability allowing any author, editor, administrator to delete any file of the installation, in any folder, without any tool.

In less than 1 minute, a website can be gone. The flaw is known from WordPress Core Security Team since about 7 months but still no patch has been released, this is why Karim disclosed it.

Why disclose this if it’s critical!?

The answer is in the question: because it’s critical and if a security researcher could find it, a hack could find it too. We (me, you) have to spread the world about the vulnerability to show everyone how easy is it to hack a WordPress website if you have any author/editor/administrator (other than you) on your website.

Where is the flaw?

The function wp_delete_attachment() is guilty here:

function wp_delete_attachment( $post_id, $force_delete = false ) {
	⋮
	$meta = wp_get_attachment_metadata( $post_id );
	⋮
	if ( ! empty($meta['thumb']) ) {
		// Don't delete the thumb if another attachment uses it.
		if (! $wpdb->get_row( $wpdb->prepare( "SELECT meta_id FROM $wpdb->postmeta WHERE meta_key = '_wp_attachment_metadata' AND meta_value LIKE %s AND post_id <> %d", '%' . $wpdb->esc_like( $meta['thumb'] ) . '%', $post_id)) ) {
			$thumbfile = str_replace(basename($file), $meta['thumb'], $file);
			/** This filter is documented in wp-includes/functions.php */
			$thumbfile = apply_filters( 'wp_delete_file', $thumbfile );
			@ unlink( path_join($uploadpath['basedir'], $thumbfile) );
		}
	}
	⋮
}

The unlink() statement will delete the file contained in the media’s metadata named thumb. But, how is this meta filled? Let’s see that in /wp-admin/post.php:

⋮
switch($action) {
⋮
	case 'editattachment':
		check_admin_referer('update-post_' . $post_id);
		⋮
		// Update the thumbnail filename
		$newmeta = wp_get_attachment_metadata( $post_id, true );
		$newmeta['thumb'] = $_POST['thumb'];

		wp_update_attachment_metadata( $post_id, $newmeta );
⋮

The metadata is just the raw value of the user’s input from a form, no sanitization, no filter, no escaping, nothing.

Is it exploitable yet? Easily?

Sadly yes, in less than 1 minute an author can delete any file from the website like wp-config.php (one of the worst right?) but also an attacker could remove the main file of a security plugin to prevent it to be loaded, and then, perform deepest and more discreet attacks, because let’s say it, breaking a website as a hacker doesn’t worth it most of the time, defacing is a thing, stealing data is a thing, breaking is not.

Let’s see that in a 55 sec video:

You may already saw a video of the exploit, using the JavaScript console to inject hexadecimal code leading to create and call new JS functions and calling a new AJAX url, etc, WAY TOO MUCH, you only have to change 2 values + a last one for the file path you want to delete, that’s it.

How can I secure my website now?

If you’re already using SecuPress (free or pro version) 1.4.5.1 of more, your website is already secure because we included the following hotfix from Karim (with another function name to prevent duplicate names):

add_filter( 'wp_update_attachment_metadata', 'rips_unlink_tempfix' );

function rips_unlink_tempfix( $data ) {
    if( isset($data['thumb']) ) {
        $data['thumb'] = basename($data['thumb']);
    }

    return $data;
}

Install SecuPress now and secure your website in a minute!

About Julio Potier All of Julio Potier's posts

Creator of SecuPress and the LearnWPSecurity Training, Julio is also lead organisator of WordCamp Lille.
Compulsive speaker, Senior Trainer and WordPress Engineer, he's a specialist in security since 2002 and contribute to WordPress various ways.