Core WordPress Flaw Can Give Malicious Users Full Control over Website via Deleting It Altogether

The vulnerability was found in the PHP functions that remove thumbnails for images uploaded on a WordPress site

Researchers have discovered an unpatched security flaw in WordPress that can allow a low-privileged user to take control of the entire website and execute arbitrary code on the server.

What is the vulnerability and how can it be exploited?

The vulnerability was reported 7 months ago to the WordPress security team but remains unpatched and affects all versions of WordPress, including the current version, i.e. 4.9.6.

According to the researchers, the thumbnail delete function accepts unsanitized user input which, if tampered with, could allow users with low privileges to delete any file from the website, something that is normally allowed only to the admin.

Besides this, if the user manages to delete the “wp-config.php” file (which contains database connection information), the website could be taken back to the installation screen, allowing the attacker to reconfigure the website from the browser and take complete control of it.

Researchers have released a temporary fix, i.e. PHP code that the admin can add to the functions.php file. The fix makes sure that the data provided for the meta-value thumb does not contain any parts making path traversal possible.
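
The sanitising approach described above, as an added example (not the researchers' published code): it hooks WordPress's `wp_update_attachment_metadata` filter and reduces `thumb` to a bare file name. The function name `example_sanitize_thumb_meta` and the sample values are constructed for illustration.

```php
<?php
// Added illustration, not the researchers' published code. When pasting into
// an existing functions.php, omit the opening <?php tag above.

/**
 * Reduce the attachment meta-value "thumb" to a bare file name so it cannot
 * carry directory components ("../") that make path traversal possible.
 * The function name is hypothetical.
 */
function example_sanitize_thumb_meta( $data ) {
    if ( ! is_array( $data ) || ! isset( $data['thumb'] ) ) {
        return $data; // nothing to sanitise
    }
    if ( ! is_string( $data['thumb'] ) ) {
        unset( $data['thumb'] ); // a thumbnail name must be a string
        return $data;
    }
    // basename() on Linux does not treat "\" as a separator, so normalise first.
    $name = basename( str_replace( '\\', '/', $data['thumb'] ) );
    if ( $name === '' || $name === '.' || $name === '..' ) {
        unset( $data['thumb'] ); // no usable file name left
    } else {
        $data['thumb'] = $name;
    }
    return $data;
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: sanitise every time attachment metadata is updated.
    add_filter( 'wp_update_attachment_metadata', 'example_sanitize_thumb_meta' );
} else {
    // Stand-alone run (php thisfile.php) with constructed sample values.
    $samples = array(
        'photo-150x150.jpg',
        '../../../../wp-config.php',
        '..\\..\\wp-config.php',
        '..',
    );
    foreach ( $samples as $thumb ) {
        $out = example_sanitize_thumb_meta( array( 'thumb' => $thumb ) );
        printf( "%-28s => %s\n", $thumb, isset( $out['thumb'] ) ? $out['thumb'] : '(removed)' );
    }
}
```

A filter like this only cleans metadata at the moment it is updated; values stored before it was installed are not rewritten by it.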

