According to researchers at RIPS Technologies, a security analysis company, the WordPress core contains a vulnerability that may allow low-privileged users, or attackers who have taken over such an account, not only to run arbitrary code on the server but also to delete important files. While it may sound trivial, these malicious acts can potentially lead to the entire website being hijacked.
Although the researchers say they reported the flaw to WordPress a few weeks ago, no action has been taken, and the latest version of WordPress, 4.9.6, continues to be affected.
The weakness lies in the "core deletion function" of WordPress, which accepts "unsanitized" user input. If tampered with, this input could allow attackers to delete any file from the website, including critical ones such as ".htaccess" and "wp-config.php". The danger is somewhat reduced because deletion requires an author account, but this does not fully eliminate the issue, since an attacker may obtain the credentials of such an account via phishing or other attacks.
The problem arises when .htaccess files are erased. Because they hold security-related configuration, deleting them disables those protections for the site. Moreover, removing wp-config.php forces the website back to the installation screen, which lets the attacker reconfigure the site and set new credentials (since he/she cannot directly read them from the file), shutting the admin out. With this, he/she would have complete, unhindered access to the site.
For now, users need not worry: the researchers also presented a hotfix that can be applied manually to address the problem. However, it is time that WordPress looked into this issue and ensured that upcoming versions are not affected by this flaw.
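The class of flaw described above, user input reaching a file deletion call without sanitization, is shown here as an added example that is neither WordPress core code nor the RIPS hotfix. The function names, directory layout and file contents are hypothetical and constructed for the demonstration.

```php
<?php
// Added example; all names and files below are constructed, not WordPress code.

// Unchecked form: user input is joined to a directory and deleted as-is.
function delete_unchecked(string $baseDir, string $userPath): bool
{
    return @unlink($baseDir . DIRECTORY_SEPARATOR . $userPath);
}

// Hardened form: resolve the path first, then require it to stay inside $baseDir.
function delete_within(string $baseDir, string $userPath): bool
{
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    // realpath() collapses ".." and symlinks; it returns false for missing files.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // Containment check on the resolved path, with a trailing separator so
    // that "/uploads-old" is not mistaken for a child of "/uploads".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed layout: <tmp>/site/{wp-config.php,.htaccess,uploads/thumb.jpg}
$site = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_site_' . bin2hex(random_bytes(4));
$uploads = $site . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads, 0700, true);
file_put_contents($site . '/wp-config.php', "<?php // constructed placeholder\n");
file_put_contents($site . '/.htaccess', "# constructed placeholder\n");
file_put_contents($uploads . '/thumb.jpg', 'constructed');

// The same out-of-directory input passed to both forms.
var_dump(delete_within($uploads, '../wp-config.php'));
var_dump(file_exists($site . '/wp-config.php'));
var_dump(delete_unchecked($uploads, '../.htaccess'));
var_dump(file_exists($site . '/.htaccess'));
// A legitimate request for a file inside the uploads directory.
var_dump(delete_within($uploads, 'thumb.jpg'));

// Remove the constructed demo directory.
@unlink($site . '/wp-config.php');
rmdir($uploads);
rmdir($site);
```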