Unpatched Vulnerabilities in WordPress Core
The year continues to get worse for the WordPress security team. A host of problematic plugins and stories of new malware were just the beginning. Now, WordPress is getting a lot of heat for being unresponsive to potential flaws, especially when it comes to security patches needed for the WordPress core files.
So, let's dive right in and see what's going on and why WordPress is making the news again for potentially harmful security flaws.
The Flaw in the Core
This story starts in November 2017, when a group of WordPress security analysts found a potentially harmful flaw in the core of WordPress. As of June 26th, 2018, the WP core remains unpatched.
The security research team at RIPS found a vulnerability built into the core of WordPress itself (not 3rd party themes or plugins). The attack vector, in its current state, allows remote attackers to hijack an entire WordPress website and inject malware or execute arbitrary code throughout.
The main issue here is that WordPress was made aware of this vulnerability a year ago, and they have not released a patch or even acknowledged the issue. All inquiries into the reasons behind the lack of patching have been largely ignored by the WordPress security team.
How Does the Flaw Work?
The flaw lies in the PHP functions of WordPress, more specifically in the code that lets a user delete image thumbnails.
RIPS found that users with posting rights could potentially delete some of the crucial files of a WordPress installation (namely wp-config.php), which then allows them to reinitiate a clean WordPress install, giving hackers a perfect opportunity to upload malicious software into the WordPress site. According to RIPS, the vulnerability impacts all WordPress CMS versions, including the latest version, v4.9.6.
Of course, the big caveat here is that the attacker has to have posting rights. Unfortunately, users are already seeing rights abuses and exploits in WordPress's current state (v4.9.6). So, this flaw allows anyone who abuses posting-rights privileges to hijack the entire WordPress website. They are able, via remote code execution, to take over your WP admin, install custom scripts and inject the website with crypto-mining bots, banking trojans, and advertising malware.
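Until a core patch ships, the deletion path can be kept inside the uploads directory by refusing to store anything other than a bare filename as an attachment's thumbnail reference. The following must-use plugin is an added example written for this article, not WordPress core code or the RIPS hotfix; it assumes the unsafe value is the `thumb` entry of the attachment metadata that WordPress later uses to build the file path it unlinks, and the function names beginning with `example_` are placeholders.

```php
<?php
/**
 * Plugin Name: Thumbnail Metadata Hardening (illustrative mu-plugin)
 * Description: Constructed example for this article; not an official
 * WordPress or RIPS patch. Drop it into wp-content/mu-plugins/.
 *
 * Assumption: the dangerous input is the 'thumb' entry of an attachment's
 * metadata, which WordPress later uses to build the path it unlinks when
 * the attachment is deleted. Forcing it to a bare filename keeps that
 * deletion confined to the uploads directory.
 */

// Hook the write path so a crafted value never reaches the database.
add_filter( 'wp_update_attachment_metadata', 'example_sanitize_thumb_meta', 10, 2 );

function example_sanitize_thumb_meta( $data, $attachment_id ) {
    if ( ! is_array( $data ) || ! isset( $data['thumb'] ) ) {
        return $data;
    }

    $original = (string) $data['thumb'];
    $clean    = example_bare_filename( $original );

    if ( $clean !== $original ) {
        // Detection: the media uploader never produces a 'thumb' value with
        // directory components, so record which account submitted one.
        $user = wp_get_current_user();
        error_log( sprintf(
            'thumb-hardening: rejected "%s" for attachment %d from user %s (ID %d)',
            $original, (int) $attachment_id, $user->user_login, $user->ID
        ) );
    }

    $data['thumb'] = $clean;
    return $data;
}

/**
 * Reduce a stored thumbnail reference to a single filename:
 * no directory separators, no traversal segments, no NUL bytes.
 */
function example_bare_filename( $value ) {
    $value = str_replace( "\0", '', $value );
    $value = basename( str_replace( '\\', '/', $value ) );
    // basename('..') returns '..'; never let a dots-only name through.
    if ( $value === '' || trim( $value, '.' ) === '' ) {
        return '';
    }
    return $value;
}
```

The `error_log` line gives you something to alert on: any rejected value is a strong signal that an author-level account is being misused, which is exactly the abuse the permissions advice below is meant to catch.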
If you would like to see how insanely easy it is for someone to hijack your WordPress website using this exploit, head over to RIPS's Twitter account. They posted a video of them doing it. Spoiler: it took them about 30 seconds.
Who's at Risk?
This is another one of those "every single WordPress website" risk levels. Since the issue lies in the core of WordPress itself and has yet to be patched, any WordPress website is at risk of being hijacked in WordPress's current state.
So, if you run a website using WordPress as your CMS, you are at risk.
We aren't sure when this issue will be patched. It's been almost a year now since the WordPress team was made fully aware of the issue, but, so far, nothing has been done to rectify it. The team hasn't even responded to questions about the issue. So we're going to assume that this issue is on WordPress's back burner (granted, they do have a ton of issues happening right now).
If you do use WordPress, you should be keeping a close eye on your users' permissions to make sure that they aren't being exploited. Also, make sure that you give posting rights only to those whom you trust and (preferably) personally know. And as always, ensure your website is continually updated with the latest security patches for both the WordPress core and third-party plugins.
There isn't a way to be 100% sure that your website will not be the target of a hijack (especially given the current state of WordPress and WordPress plugins).