More threads by djbaxter

djbaxter

Administrator
Joined
Jun 28, 2012
Messages
3,778
Solutions
2
Reaction score
1,877
Arbitrary File Deletion Flaw Present in WordPress Core
by by Mikey Veenstra, WordFence.com
June 27, 2018

The security community has been abuzz this week following the disclosure of a vulnerability present in all current versions of WordPress. The flaw, published in a detailed report by RIPS Technologies, allows any logged-in user with an Author role or higher to delete files on the server.

By exploiting this arbitrary file deletion vulnerability, malicious actors can pivot and take control of affected sites. The report contains the complete details of the vulnerability, but we’ve summarized it for more casual consumption.

It’s important to note that while the impact of this flaw can be severe on affected sites, the requirement that attackers secure valid Author-level credentials greatly limits the overall attack surface of this vulnerability.

Read more...

This is a limited vulnerability but any of you using multiple authors should double check your list of any users with roles Author and above (Author, Editor, Administrator; I'm unsure about SEO Editor, SEO manager, and Contributor but this is probably a good time to double check all your roles other than Subscriber) to make sure they are current and that anyone on that list is known to you and trustworthy.
 

Login / Register

Already a member?   LOG IN
Not a member yet?   REGISTER

LocalU Event

Trending: Most Viewed

  Promoted Posts

New advertising option: A review of your product or service posted by a Sterling Sky employee. This will also be shared on the Sterling Sky & LSF Twitter accounts, our Facebook group, LinkedIn, and both newsletters. More...
Top Bottom