The presence of a critical remote execution flaw has been discovered in all the versions of WordPress that had been made over the last 6 years.
This hidden flaw was discovered by cybersecurity experts from RIPS Technologies GmbH who shared their findings and reported the abnormality to WordPress.
Vulnerabilities usually plague products of software and hardware companies as evidenced with Microsoft and Linux systems. But to have a flaw of this nature that remained undiscovered after several software updates seemed quite disturbing.
The expert disclosed that the remote code execution flaw can be exploited by an average hacker with an author account. The hacker could tap into the system using the combination of Path Traversal and Local File Inclusion that reside deep in the WordPress core.
While the requirement of an author account reduces the severity of the flaw to an extent, experienced attackers could get author privileges to exploit the system by using phishing, password reuse or any other form of attacks.
According to the researchers, an attack of the flaw takes a huge advantage of the way the software image management system that takes care of Post Meta entries that is used to store description, creator, size and other information of uploaded images.
They noted that an author can modify any meta entries of an image and set it to arbitrary values, leading to the Path Traversal Vulnerability.
When the Local File Inclusion in the theme directory is combined with Path Traversal, an arbitrary code could then be executed on the targeted server.
The researchers released a Proof-of-concept video who showed how it could be executed to assert control over a WordPress blog within seconds.
They further explained that the flaw was not exploitable in the WordPress 5.0.1 and 4.9.9 versions which did not permitted unauthorized users from setting arbitrary Post Meta entries.
They noticed that if a third-party plugin that incorrectly handle entries is installed, the server could still be exploited.
Users are advised to update their website to the latest WordPress 5.0.3 version for prevent attacks such as this.