A security researcher from RipsTech, have uncovered a critical Remote Code Execution bug on WordPress CMS that affects all previous versions of WordPress content management software released in the past 6 years.
The blog post RipsTech showed that this bug can be exploited by the attacker with at least author privilege on the target WordPress by the chaining the two vulnerabilities - Path Transversal and Local File Inclusion, that resides on the WordPress core to gain the code execution on the server.
Furthermore, Simon Scannell from RipsTech noted that the code execution attack became non-exploitable in WordPress versions 4.9.9 and 5.0.1 after patch for another vulnerability was introduced which prevented unauthorized users from setting arbitrary Post Meta entries. But the Path Transversal bug is still unpatched.
On Wordpress, low privilege users (Author) modify any entries associated with an Image and set them to arbitrary values, where Post Meta entries will be overwritten which will lead to a Path Traversal later.
The idea is to set _wp_attached_file to evil.jpg?shell.php, which would lead to a HTTP request being made to the following URL: https://targetserver.com/wp-content/uploads/evil.jpg?shell.php. This request would return a valid image file, since everything after the ? is ignored in this context. The resulting filename would be evil.jpg?shell.php.The researcher also shares the video demonstrating the vulnerabilities with the author privileged users.
The vulnerabilities have been reported to WordPress Security team via Hackerone, and they have half fixed it. The complete fix will be addressed on the next release of WordPress.