Experts from RIPS Technologies discovered a vulnerability in WordPress that allows arbitrary PHP code to be executed on the server and affects almost all CMS versions released in the last 6 years.
The problem is a combination of two separate bugs: Path Traversal and Local File Inclusion. The root of the vulnerability lies in the way the WordPress image management system handles Post Meta records, which store the description, size, creator, and other metadata of uploaded images. Due to a bug, these entries could be modified with arbitrary values, which made a directory traversal attack possible.
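As an added defensive example (not code from the article or from RIPS Technologies), the following Python audit checks attachment path values from the WordPress post meta table against the uploads directory and flags entries that escape it. It assumes the affected meta key is `_wp_attached_file` and a typical Linux uploads path; the sample rows are constructed.

```python
import posixpath
from urllib.parse import unquote

# Assumed uploads directory of a typical Linux WordPress install (not from the article).
UPLOADS_DIR = "/var/www/html/wp-content/uploads"
# Assumed meta key that holds an attachment's path relative to the uploads directory.
ATTACHED_FILE_KEY = "_wp_attached_file"

def resolves_inside(base: str, relative: str) -> bool:
    """True if base/relative, after collapsing '.' and '..' segments, stays under base.
    Lexical normalisation only: symlinks inside the uploads tree are not followed."""
    base_norm = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base_norm, relative))
    return target == base_norm or target.startswith(base_norm + "/")

def audit_attached_files(meta_rows, base=UPLOADS_DIR):
    """Scan (post_id, meta_key, meta_value) rows, e.g. exported from wp_postmeta,
    and return [(post_id, value, reasons)] for attachment paths that look tampered."""
    findings = []
    for post_id, key, value in meta_rows:
        if key != ATTACHED_FILE_KEY:
            continue
        decoded = unquote(value)  # also catch percent-encoded traversal segments
        reasons = []
        if decoded.startswith("/"):
            reasons.append("absolute path instead of uploads-relative path")
        if ".." in decoded.split("/"):
            reasons.append("contains a parent-directory segment")
        if not resolves_inside(base, decoded):
            reasons.append("resolves outside the uploads directory")
        if reasons:
            findings.append((post_id, value, reasons))
    return findings

# Constructed sample rows: one normal attachment, two tampered ones, one unrelated key.
SAMPLE_ROWS = [
    (10, "_wp_attached_file", "2019/02/photo.jpg"),
    (11, "_wp_attached_file", "2019/02/../../../../tampered.php"),
    (12, "_wp_attached_file", "/tmp/outside-uploads.php"),
    (13, "_wp_attachment_metadata", 'a:1:{s:5:"width";i:800;}'),
]

if __name__ == "__main__":
    for post_id, value, reasons in audit_attached_files(SAMPLE_ROWS):
        print(f"post {post_id}: {value!r} -> {', '.join(reasons)}")
```

Running the audit over a real export is a detection aid only; a flagged row should be compared against the file actually present in the uploads tree before it is changed.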
Fortunately, there is good news: in order to exploit the bug, the attacker needs to have an account of the “Author” level, and unauthenticated exploitation of the vulnerability is impossible.
A demonstration of the attack can be seen in the video below.
The WordPress developers have already prepared a patch, but it has not yet been released to the general public. RIPS Technologies experts also note that the vulnerability can no longer be exploited on versions newer than 5.0.1 and 4.9.9, because fixes for other problems prevent the bug from being exploited in full. However, the directory traversal part of the vulnerability is still present.