WordPress File Delete to Code Execution

Hello,

Lately I have been working hard to migrate our clients from VestaCP, which got hacked twice, to Virtualmin. Its port was already temporarily blocked until further notice, and I have finally decided to give our clients some old Virtualmin instead. While doing so I found this: https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/

Luckily, you must have an account to exploit this vuln, else it would have been a disaster for every live WordPress.

Temp fix: in your theme's functions.php, place this hook.

```php
// Filter the attachment metadata before it is saved.
add_filter( 'wp_update_attachment_metadata', 'rips_unlink_tempfix' );

function rips_unlink_tempfix( $data ) {
    // Reduce the 'thumb' entry to a bare filename so it cannot carry
    // directory components into the path that is later unlinked.
    if ( isset( $data['thumb'] ) ) {
        $data['thumb'] = basename( $data['thumb'] );
    }

    return $data;
}
```

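As an added example (not code from the thread or from WordPress core), the following PHP script puts the unsanitised way the thumbnail path was composed (the thumb value substituted into the attached file's path) beside a hardened variant that, like the hotfix above, reduces the value to a basename and additionally verifies the resulting path still lies under the uploads directory. The function names, the sample uploads path and the sample metadata values are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread or from WordPress core.

function thumb_path_unsanitised( string $attached_file, string $thumb ): string {
    // Any directory components in $thumb survive into the path to unlink.
    return str_replace( basename( $attached_file ), $thumb, $attached_file );
}

function thumb_path_hardened( string $uploads_dir, string $attached_file, string $thumb ): ?string {
    $thumb = basename( $thumb );                         // what the hotfix does
    if ( $thumb === '' || $thumb === '.' || $thumb === '..' ) {
        return null;
    }
    $candidate = dirname( $attached_file ) . '/' . $thumb;

    // Lexical normalisation (no filesystem access needed) for a containment check.
    $normalize = function ( string $p ): string {
        $out = [];
        foreach ( explode( '/', $p ) as $seg ) {
            if ( $seg === '' || $seg === '.' ) { continue; }
            if ( $seg === '..' ) { array_pop( $out ); continue; }
            $out[] = $seg;
        }
        return '/' . implode( '/', $out );
    };
    $base = $normalize( $uploads_dir ) . '/';
    $path = $normalize( $candidate );
    // Only accept a path that starts with the uploads directory.
    return strncmp( $path, $base, strlen( $base ) ) === 0 ? $path : null;
}

// Constructed sample values shaped like the metadata the filter receives.
$uploads = '/var/www/html/wp-content/uploads';
$file    = $uploads . '/2018/06/photo.jpg';
foreach ( [ 'photo-150x150.jpg', '../../../outside.txt', '..' ] as $thumb ) {
    printf( "%-22s unsanitised: %s\n", $thumb, thumb_path_unsanitised( $file, $thumb ) );
    printf( "%-22s hardened:    %s\n", '', thumb_path_hardened( $uploads, $file, $thumb ) ?? 'REJECTED' );
}
```

Run with the php CLI; the second input shows the unsanitised path escaping the uploads directory while the hardened path stays inside it, and the third is rejected outright.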

Comments

  • Yup, IIRC from a post, they have known about this for a long time but haven't released a patch yet.

  • Update your WordPress, guys, the issue has been fixed.

    https://codex.wordpress.org/Version_4.9.7

    WordPress versions 4.9.6 and earlier are affected by a file deletion issue where a user with the capability to edit and delete media files could potentially manipulate media metadata to attempt to delete files outside the uploads directory.