Skip to main content

Major Wordpress security flaw discovered

(Image credit: Image Credit: David M G / Shutterstock)

Popular website builder WordPress was affected by a major security flaw that went unpatched for six years.

The flaw, which was rendered unexploitable, allowed attackers to execute arbitrary code on the server.

They could do that because of the way WordPress image management system handles Post Meta entries used to store description, size, creator, and other meta information of uploaded images.

Any registered WordPress user can modify entries associated with an image and set them to arbitrary values. This leads to what's known as the Path Traversal vulnerability.

The trick with this vulnerability is that the attacker needs to have a registered account on the WordPress blog which, in a way, reduces the threat level.

However, it was said that it still poses a serious risk because login credentials could be obtained through phishing, or trying out the victim's old passwords for credential recycling.

Simon Scannell, a researcher at RIPS Technologies GmbH which uncovered the flaw (opens in new tab), says the code execution attack became non-exploitable in WordPress versions 5.0.1 and 4.9.9 after patch for another vulnerability was introduced.

"An attacker who gains access to an account with at least author privileges on a target WordPress site can execute arbitrary PHP code on the underlying server, leading to a full remote takeover," Scannell says.

The Path Traversal flaw is still unpatched, it was added.

Image Credit: David M G / Shutterstock

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. And his work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.