Critical RCE Vulnerability Hiding in WordPress Core
Security researchers at RIPS Technologies GmbH have published details of a critical remote code execution (RCE) vulnerability in WordPress 5.0. According to their research, the flaw went unnoticed in WordPress core for over six years and affects all releases from that period.
Exploitation requires an account with at least "author" privileges and chains two separate weaknesses that both reside in WordPress core: a path traversal and a local file inclusion (LFI).
According to Simon Scannell, a researcher at RIPS Technologies GmbH, the root cause lies in the way WordPress's image management handles Post Meta entries, the database records that store metadata about uploaded images. An author account can modify the entries associated with an image and set them to arbitrary values; because WordPress later builds file paths from those values, this gives the attacker a path traversal. Combined with a local file inclusion flaw in the way files are loaded from the theme directory, the chain allows arbitrary code execution on the server.
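A defender's first question after reading the above is whether any Post Meta entries on a site have already been set to values an author should never be able to store. The following audit script is an added example written for this article, not code from RIPS Technologies or from WordPress. The two meta keys it inspects, `_wp_attached_file` (the uploads-relative path of an attachment) and `_wp_page_template` (the template file WordPress includes from the active theme), are real WordPress core keys; the validation rules, the row format and the sample rows are constructed for illustration and are not the exact checks WordPress applies.

```python
"""Audit exported wp_postmeta rows for image metadata set to values that an
author should never be able to store.

Added example, not RIPS Technologies' or WordPress' own code.  The two meta
keys are real WordPress core keys; the rules and the sample rows below are
constructed for illustration.
"""
import posixpath
import re
from typing import Dict, Iterable, List, Optional

# Real WordPress core meta keys involved in the attack chain described above.
ATTACHED_FILE = "_wp_attached_file"   # uploads-relative path of an attachment
PAGE_TEMPLATE = "_wp_page_template"   # template file included from the active theme

# Characters that never belong in an uploads-relative filesystem path.  URL
# metacharacters are included because a stored value that reads one way to a
# web server ("?" and "#" end the path) and another way to the filesystem is
# exactly the kind of ambiguity a path traversal feeds on.
_FORBIDDEN_CHARS = re.compile(r"[\\?#\x00\r\n]")


def _escapes_base(rel_path: str) -> bool:
    """True if rel_path, resolved purely lexically, leaves its base directory."""
    if not rel_path or rel_path.startswith("/"):
        return True
    norm = posixpath.normpath(rel_path)
    return norm == ".." or norm.startswith("../")


def check_attached_file(value: str) -> Optional[str]:
    """Reason string if an _wp_attached_file value looks tampered, else None."""
    if _FORBIDDEN_CHARS.search(value):
        return "forbidden character in attached-file path"
    if _escapes_base(value):
        return "attached-file path escapes the uploads directory"
    return None


def check_page_template(value: str) -> Optional[str]:
    """Reason string if a _wp_page_template value could include a non-template file."""
    if value == "default":
        return None
    if _FORBIDDEN_CHARS.search(value) or _escapes_base(value):
        return "page-template path escapes the theme directory"
    if not value.lower().endswith(".php"):
        # A template that is not a PHP file (e.g. an uploaded image that was
        # moved into the theme directory) is the LFI leg of the chain.
        return "page-template points at a non-PHP file"
    return None


_CHECKS = {ATTACHED_FILE: check_attached_file, PAGE_TEMPLATE: check_page_template}


def audit_postmeta(rows: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the per-key checks over rows shaped like wp_postmeta; return findings."""
    findings: List[Dict[str, str]] = []
    for row in rows:
        check = _CHECKS.get(row["meta_key"])
        if check is None:
            continue  # keys we have no rule for are ignored
        reason = check(str(row["meta_value"]))
        if reason:
            findings.append({
                "post_id": str(row["post_id"]),
                "meta_key": row["meta_key"],
                "meta_value": row["meta_value"],
                "reason": reason,
            })
    return findings


# Constructed sample rows: two benign, three tampered, one unrelated key.
SAMPLE_ROWS = [
    {"post_id": "10", "meta_key": ATTACHED_FILE, "meta_value": "2019/02/photo.jpg"},
    {"post_id": "12", "meta_key": PAGE_TEMPLATE, "meta_value": "templates/full-width.php"},
    {"post_id": "11", "meta_key": ATTACHED_FILE, "meta_value": "2019/02/photo.jpg?../../../x"},
    {"post_id": "11", "meta_key": ATTACHED_FILE, "meta_value": "../../themes/twentynineteen/img.jpg"},
    {"post_id": "13", "meta_key": PAGE_TEMPLATE, "meta_value": "cropped-img.jpg"},
    {"post_id": "13", "meta_key": "_thumbnail_id", "meta_value": "11"},
]

if __name__ == "__main__":
    for f in audit_postmeta(SAMPLE_ROWS):
        print(f"post {f['post_id']}: {f['meta_key']} = {f['meta_value']!r} -> {f['reason']}")
```

To run it against a real site, feed `audit_postmeta` the rows returned by `SELECT post_id, meta_key, meta_value FROM wp_postmeta WHERE meta_key IN ('_wp_attached_file', '_wp_page_template')` (adjusting the table prefix). Any finding is worth a closer look at the attachment's upload history and the author account that last edited it; the rules are intentionally strict, so a legitimately unusual value will show up too.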
WordPress 5.0.1 and 4.9.9 are not affected, because those releases no longer let an author overwrite the Post Meta entries in this way. It is important to note, however, that at the time of the RIPS publication the path traversal itself was still unpatched in the latest WordPress version; Scannell said that WordPress would include a fix in its next release.
For remediation guidance and further technical details, see the WordPress 5.1.1 Security and Maintenance Release notes.