For your WordPress protection, be informed about the NEW UNPATCHED WordPress Core vulnerability. Publicly known since its first official report on June 26, 2018 or it’s official disclosure 7 months ago. All versions of WordPress starting with the latest 4.9.6 and below have the Authenticated Arbitrary File Deletion vulnerability.
WordPress <= 4.9.6 – Authenticated Arbitrary File Deletion (unpatched)
type: UNKNOWN: (unpatched)
- WordPress <= 4.9.6 Arbitrary File Deletion Vulnerability Exploit
- WARNING: WordPress File Delete to Code Execution
- WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion (unpatched)
Impact – What can an attacker do:
Exploiting the vulnerability grants an attacker the capability to delete any file of the WordPress installation (+ any other file on the server on which the PHP process user has the proper permissions to delete). Besides the possibility of erasing the whole WordPress installation, which can have disastrous consequences if no current backup is available, an attacker can make use of the capability of arbitrary file deletion to circumvent some security measures and to execute arbitrary code on the server. More precisely, the following files can be deleted:
- .htaccess: In general, deleting this file does not have any security consequences. However, on some occasions, the .htaccess file contains security-related constraints (e.g., access constraints to some folders). Deleting this file would deactivate those security constraints.
- index.php files: Oftentimes empty index.php files are placed into directories to prevent directory listing for the case the server fails to do so. Deleting those files would grant an attacker a listing of all files in directories protected by this measure.
- wp-config.php: Deleting this file of a WordPress installation would trigger the WordPress installation process on the next visit to the website. This is due to the fact that wp-config.php contains the database credentials, and without its presence, WordPress acts as if it hasn’t been installed yet. An attacker could delete this file, undergo the installation process with credentials of his choice for the administrator account and, finally, execute arbitrary code on the server.
For your WordPress protection, be informed about an older WordPress Core vulnerability IS STILL UNPATCHED since it’s first official report January 29, 2018 or it’s official disclosure date: Monday, February 5, 2018. All versions of WordPress starting with the latest 4.9.5 and below have the Application Denial of Service (DoS) type vulnerability.
WordPress <= 4.9.5 – Application Denial of Service (DoS)
fixed in version: (unpatched)
- WordPress Core Vulnerability February 2018