July 9, 2018

On June 26, 2018, a critical WordPress vulnerability was detected. It allowed the attackers to delete any file in the installation package.

What exactly can the attackers do with this WordPress vulnerability?

All WordPress versions prior to 4.9.7 can be attacked due to this issue. Also, with this error, the attackers can delete all media files in your installation. More than that, this vulnerability can be used to get privileges from a subscriber to an author. This allows the attackers to publish all kinds of posts on your WordPress site, you can only imagine what.

Tech issue that can be caused by this attack.

Attackers can delete a few critical files:

• .htaccess – this file is responsible for routing in clear urls/permalinks – without this file, all users will see the home page only
• index.php – core file that is the first one on execution – without this file, your WP site cannot work at all
• wp-config.php – configuration file, that stores an access to the database and etc – without this file, your site will show an error, or start the installation process from scratch

Hot fix for the issue

If for some reason you cannot update your WordPress website to the latest version (right now 4.9.7), you can manually apply the hot fix.

In your theme, in the functions.php file, apply this code below:

add_filter( 'wp_update_attachment_metadata', 'rips_unlink_tempfix' );

function rips_unlink_tempfix( $data ) {
    if( isset($data['thumb']) ) {
        $data['thumb'] = basename($data['thumb']);
    }

    return $data;
}

This code will prevent unescaped user input.

If you need assistance in updating your WordPress website, let us know!