At the end of July 2018, RIPS specialists disclosed a new vulnerability in WordPress. The problem stems from the fact that any registered user (even User or Author rights will suffice) with access to the post editor can also upload and delete images and their previews. As a result, such a user is able to inject arbitrary malicious code into WordPress and delete files critical to the operation of the CMS, which under normal conditions should be accessible only to an administrator on the server or via FTP. The researchers warned that by exploiting this bug an attacker could, for example, delete the wp-config.php file. After that, the attacker can re-initiate the CMS installation process with their own settings and, for example, force the vulnerable site to distribute malware or other malicious content.
When the problem was announced publicly, no patch for the flaw was available yet, although it was reported that the WordPress developers had been informed about the bug back in November of last year.
The dangerous vulnerability was studied in detail by Wordfence experts, who developed a PoC exploit to analyze the attack and a corresponding security rule for their firewall. In the course of this analysis, a second, “adjacent” vulnerability was identified. It is also critical and allowed arbitrary CMS files to be deleted because of incorrect behavior in the upload-attachment AJAX action, which is used to upload media content. The efforts of the Wordfence specialists were not in vain. The WordPress developers had not planned to release an update before the end of July, but the potential danger of the discovered bugs forced them to change their plans. All users are now advised to update WordPress to the latest version, 4.9.7, as soon as possible, because the critical vulnerabilities pose a threat to all versions of the CMS, including WordPress 4.9.6.
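The following audit script is an added example, not code from RIPS, Wordfence or WordPress: it checks a document root for the two conditions the article describes, a core version below 4.9.7 and a missing wp-config.php. It assumes the standard layout in which `wp-includes/version.php` sets `$wp_version`; the function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

FIXED = (4, 9, 7)  # release the article advises updating to

# WordPress core records its version as: $wp_version = '4.9.6';
_VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)


def parse_version(text):
    """Return the numeric version tuple from version.php contents, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    # Keep only the leading dotted-numeric part ("5.0-beta1" -> "5.0").
    num = re.match(r"\d+(?:\.\d+)*", m.group(1))
    if not num:
        return None
    parts = [int(p) for p in num.group(0).split(".")]
    parts += [0] * (3 - len(parts))  # "4.9" compares as 4.9.0
    return tuple(parts)


def audit_install(root):
    """Return a list of findings for one WordPress document root."""
    root = Path(root)
    version_file = root / "wp-includes" / "version.php"
    if not version_file.is_file():
        return ["not-wordpress"]
    findings = []
    version = parse_version(version_file.read_text(errors="replace"))
    if version is None:
        findings.append("version-unreadable")
    elif version < FIXED:
        findings.append("needs-update")
    # A missing wp-config.php is the state the article describes after the
    # file is deleted: the site falls back to the installation process.
    if not (root / "wp-config.php").is_file():
        findings.append("wp-config-missing")
    return findings or ["ok"]


if __name__ == "__main__":
    # Constructed sample tree: a 4.9.6 install whose wp-config.php is gone.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "wp-includes").mkdir()
        (Path(tmp) / "wp-includes" / "version.php").write_text(
            "<?php\n$wp_version = '4.9.6';\n")
        print(audit_install(tmp))
```

A freshly unpacked, not yet configured copy of WordPress also lacks wp-config.php, so that finding is only meaningful for a site that was already in service.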