Experts found a Remote Code Execution flaw in WordPress 5.0.0

guest · Feb 20, 2019

Experts found a Remote Code Execution flaw in WordPress 5.0.0
February 20, 2019
https://securityaffairs.co/wordpress/81393/hacking/wordpress-5-0-0-rce.html

Security experts at RIPS Technologies GmbH disclosed a critical remote code execution vulnerability in versions of WordPress prior 5.0.3, that remained uncovered for 6 years.

The experts discovered that the flaw could be exploited by an attacker who gains access to an account with at least ‘author‘ privileges on a WordPress install to execute arbitrary PHP code on the underlying server.

The flaw is the chain of a Path Traversal and Local File Inclusion vulnerability that lead to Remote Code Execution in the WordPress core and full remote takeover.
The experts reported the issue to WordPress developers, but the bug is still unpatched.
Click to expand...

“However, the Path Traversal is still possible and can be exploited if a plugin is installed that still allows overwriting of arbitrary Post Data. Since certain authentication to a target WordPress site is needed for exploitation, we decided to make the vulnerability public after 4 months of initially reporting the vulnerabilities.” concludes the experts.

WordPress would address the vulnerability with the next release.
Click to expand...

Log in or Sign up

Experts found a Remote Code Execution flaw in WordPress 5.0.0

guest Guest

Log in or Sign up

Experts found a Remote Code Execution flaw in WordPress 5.0.0

guest Guest

Useful Searches