WordPress recently patched a long-running, potentially serious vulnerability in its core code. But a similar flaw in third-party plugins could still allow hackers to take over websites that use the popular publishing software, according to German web security company RIPS Technologies.
Exploiting the vulnerability requires an attacker to have access to an account with “author” privileges for the target website — a common designation for WordPress users. Once logged in, a hacker could manipulate how WordPress reads and writes files in its image database, essentially tricking the software into saving a malicious script file into a directory that typically handles photos.
“An attacker who gains access to an account with at least author privileges on a target WordPress site can execute arbitrary PHP code on the underlying server, leading to a full remote takeover,” RIPS researcher Simon Scannell wrote in a blog post Tuesday.
The bug — which RIPS is categorizing as a “path traversal” vulnerability — is exploitable WordPress instances prior to version 4.9.9 and has been for as long as six years, the researchers said, noting that the software runs on about one-third of all websites.
Even if all WordPress websites patched their core code, though, the software would still be vulnerable to the flaw via plugins, Scannell wrote.
“Any WordPress site with a plugin installed that incorrectly handles Post Meta entries can make exploitation still possible,” the RIPS team said, referring to the part of the code that handles image metadata. … Considering that plugins might reintroduce the issue and taking in factors such as outdated sites, the number of affected installations is still in the millions,” Scannell wrote.
WordPress plugins have recently been in the news for vulnerabilities. Last week the Simple Social plugin was patched for a flaw that could have affected 40,000 websites, and in November, a serious bug was found in a plugin related to compliance with Europe’s new data protection rules.