On June 26 a blog post was released on the Ripstech security website detailing an unpatched vulnerability in the WordPress core affecting every version from WordPress 0.70 to the current 4.9.6. It detailed an exploit that lets a user delete any file of the WordPress installation, including wp-config.php, so it is a major issue affecting the WordPress core.
It was later added to the WordPress vulnerability database and so far remains unpatched.
What can be done via the exploit?
In basic terms – lots! If the user has the rights of an author or higher, which means they can add or edit media through the media library, they can carry out the exploit. The user could delete wp-config.php or any required WordPress files at his or her discretion. They could also delete security configuration files or server files to remove any security restraints that are in place.
How will this affect Wibble sites?
We have audited all sites that Wibble manages and there are no reasons for concern. As we are managed WordPress hosting and maintenance specialists, we do not allow users to be added to a WordPress site without being vetted. As there is no way to remotely exploit this, it would require a user who has been granted access to the site to then manually carry out the exploit. As one security expert stated, “Why would you have someone as an author+ that you don’t trust, anyways?” We monitor all user additions for our clients, and none have been added without being vetted for access.
The issue has been logged and will likely be patched with the next update to WordPress. Any Wibble clients that are on the Wibble Support Package will have their sites patched and tested automatically by Wibble after the next release.