On Jun 26 an arbitrary file deletion vulnerability in the WordPress core was publicly disclosed, the vulnerability could allow an authenticated attacker to delete any file and in some cases execute arbitrary code.

WordPress is a free, popular, and open-source content management system currently powering over 30% of the known web. WordPress’s massive popularity makes it a desirable target for cybercriminals.

Who were affected

The vulnerability was fixed in version 4.9.7 of WordPress, released on July 5. In order to successfully exploit this issue, the attacker would have needed to gain access to edit and delete media files which can be achieved by taking over an Author account or by targeting sites that expose the media functionality through various plugins.

Vulnerability impact

Attackers can leverage the way the WordPress installation mechanism works, to gain arbitrary code execution on the hosting server by deleting the wp-config.php file, triggering the installation process and allowing the attacker to reconfigure the site and take over the admin account.

The vulnerability can also be used to disable some security restrictions through the deletion of .htaccess files that could be enforcing some kind of restrictions, or index.php files that prevent directory listing.

The attacker can also take down the site by deleting one of the WordPress core files, causing an internal error on every request.

Breakdown

wp-admin/post.php



The code above is used to modify the media posts metadata.

As seen in the code the “thumb” property is set to $_POST[‘thumb’] that can contain any value the attacker wants, next, the wp_update_attachment_metadata function takes the $newmeta object and store it as a serialized object.

The reason the vulnerability requires the attacker to have authenticated user privileges is due to the cross-site request forgery (CSRF) protection enforced through the check_admin_referer function.

wp-includes/post.php



The purpose of the code above is to delete the media file thumbnail when the attachment is deleted, the function failed to sanitize the previously set thumb value, resulting in a second-order arbitrary file deletion vulnerability.

Imperva customers protected

Imperva SecureSphere (now Web Application Firewall) and Incapsula WAF (now Imperva Cloud Application Security) customers are protected from this attack due to our zero-day and path traversal rules. We also published a new dedicated security rule to provide maximum protection against possible mutations of this attack.