Popular website builder WordPress was affected by a major security flaw (remote code vulnerability) that went unpatched for six years.
The security flaw, which was rendered unexploitable, allowed attackers to execute arbitrary code on the server. They could do that because of the way WordPress image management system handles Post Meta entries used to store description, size, creator, and other meta information of uploaded images.
Any registered WordPress user can modify entries associated with an image and set them to arbitrary values. This leads to what's known as the Path Traversal vulnerability. The trick with this vulnerability is that the attacker needs to have a registered account on the WordPress blog which, in a way, reduces the threat level.
However, it was said that it still poses a serious risk because login credentials could be obtained through phishing, or trying out the victim's old passwords for credential recycling.
Simon Scannell, a researcher at RIPS Technologies GmbH which uncovered the flaw, says the code execution attack became non-exploitable in WordPress versions 5.0.1 and 4.9.9 after patch for another vulnerability was introduced.
"An attacker who gains access to an account with at least author privileges on a target WordPress site can execute arbitrary PHP code on the underlying server, leading to a full remote takeover," Scannell says. The Path Traversal flaw is still unpatched, it was added.
Ashco Systems security operations team has more than a decade of experience in this industry and have dealt with thousands of websites vulnerabilities. Contact us if you need an automated approach to detect and block any zero day vulnerabilities and improve user experience for your website.