We recently received a tip about an unpatched vulnerability in WordPress core that could allow a low-privileged user to hijack an entire website and execute arbitrary code on the server. According to the researchers, the "Authenticated Arbitrary File Deletion" vulnerability was reported to the WordPress security team seven months ago but has still not been fixed, and it affects all versions of WordPress, including the current 4.9.6. The vulnerability lies in one of the WordPress core functions that runs in the background when a user permanently deletes the thumbnails of an uploaded image.
The researchers found that the thumbnail deletion routine accepts unsanitized user input. When exploited, this allows a user with at least Author privileges to delete any file on the web host, something only the server or site administrator should be able to do. The requirement of at least an Author account lowers the severity of the vulnerability somewhat, but it could still be exploited by a rogue content contributor, or by an attacker who obtains an author's credentials through phishing, password reuse, or some other attack. The researchers said that exploiting the vulnerability lets an attacker delete critical files from the server, such as ".htaccess", which usually holds security-related configuration, in an attempt to disable those protections. Deleting "wp-config.php", one of the most important configuration files in a WordPress installation because it holds the database connection details, forces the whole site back to the installation screen, which reportedly lets the attacker reconfigure the site from the browser and take full control of it.
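As an added illustration, not code from the article or from WordPress core, the following PHP shows the kind of containment check a deletion routine needs before it passes a stored, user-influenced thumbnail name to unlink(). The uploads directory, the helper names and the sample files are assumptions constructed for the demonstration; in WordPress the base directory would normally come from wp_upload_dir()['basedir'].

```php
<?php
// Added example, not code from the article or from WordPress core.
// Assumptions: $uploads_dir is an absolute uploads directory (in WordPress this
// would come from wp_upload_dir()['basedir']); the function names are ours.

/**
 * Canonicalise $base_dir/$candidate and return it only if it stays inside
 * $base_dir; return null if it does not exist or escapes the directory.
 */
function resolve_inside(string $base_dir, string $candidate): ?string
{
    $base = realpath($base_dir);
    $real = realpath($base_dir . DIRECTORY_SEPARATOR . $candidate);
    if ($base === false || $real === false) {
        return null;
    }
    // Compare including the trailing separator so that a sibling such as
    // "/srv/uploads2" is not mistaken for a child of "/srv/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

/**
 * Delete a thumbnail only when the stored name has no directory component
 * and resolves to a regular file inside the uploads directory.
 */
function safe_delete_thumbnail(string $uploads_dir, string $thumb): bool
{
    // A thumbnail file name never legitimately contains a path separator,
    // so anything with a directory component is refused outright.
    if ($thumb === '' || $thumb !== basename($thumb)) {
        error_log("refused thumbnail name with directory component: $thumb");
        return false;
    }
    $target = resolve_inside($uploads_dir, $thumb);
    if ($target === null || !is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Demonstration on a throw-away directory tree constructed here.
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wp-demo-' . bin2hex(random_bytes(4));
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads, 0700, true);
file_put_contents($root . DIRECTORY_SEPARATOR . 'wp-config.php', "<?php // stand-in config\n");
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'image-150x150.jpg', 'jpeg bytes');

foreach (['../wp-config.php', 'image-150x150.jpg'] as $name) {
    $deleted = safe_delete_thumbnail($uploads, $name);
    printf("%-20s => %s\n", $name, $deleted ? 'deleted' : 'refused');
}
printf("wp-config.php still present: %s\n",
       file_exists($root . DIRECTORY_SEPARATOR . 'wp-config.php') ? 'yes' : 'no');

// Clean up the demo tree.
array_map('unlink', glob($uploads . DIRECTORY_SEPARATOR . '*') ?: []);
@unlink($root . DIRECTORY_SEPARATOR . 'wp-config.php');
rmdir($uploads);
rmdir($root);
```

The basename() comparison rejects any stored name that carries a directory component, and the realpath() containment check is the second line of defence: it also refuses a plain name that resolves, for example through a symbolic link, to a file outside the uploads directory. Refusals are logged, which gives an administrator a signal to watch for when reviewing the web server's error log.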
Note that even though the attacker cannot directly read the contents of wp-config.php to learn the existing database name, MySQL user name and password, they can still reinstall the target site against a remote database server under their own control.
Once that is done, the attacker can create a new administrator account and take full control of the site, including the ability to execute arbitrary code on the server. "Besides the possibility of erasing an entire WordPress installation, which can have disastrous consequences if no current backup is available, an attacker can use the arbitrary file deletion capability to circumvent some security measures and execute arbitrary code on the web server," the researchers said.
In a proof-of-concept video published by researchers at Eastern Alliance, a well-known hacker security organization in China, the vulnerability works exactly as described and forces the site back to the installation screen. For now, however, website administrators need not panic over this vulnerability, since they can apply the official WordPress patch manually. We expect the WordPress security team to fix the vulnerability in the upcoming release of the CMS. (Hacker Weekly)
Latest WordPress bug, hackers can easily control your website