Specialists have reported a new WordPress security bug that affects a large percentage of sites worldwide. WordPress is one of the most popular platforms, and the vulnerability gives hackers the ability to execute arbitrary code. The initial report was submitted 7 months ago to the platform’s security team; however, it still remains unpatched. All versions of WordPress are affected.
Details About the New WordPress Security Bug
The initial security report was submitted to the WordPress team 7 months ago. As they have not yet patched the issue, all sites are vulnerable, including those running the latest version, 4.9.6. To intrude into the target sites, the hackers need to gain the privileges to edit or delete media files. This allows hackers to take over any site as long as they have a registered account with a role as low as Author. The hackers can also intrude into the sites by using other exploits. As soon as the hackers gain access to the systems and exploit the vulnerability, they will be able to delete any file that is part of the WordPress installation. Any other file on the site’s server that has the same permissions is also vulnerable.
The hackers can consequently delete the whole WordPress installation. This can render the site unable to function, especially if the system administrators have not enabled automatic backups. The hackers can also opt to delete certain files and replace them with dangerous substitutes. This allows them to execute arbitrary code. Special attention must be given to the modification of the following files:
- .htaccess — In general, deletion of this particular file by itself is not defined as a security risk. However, if it explicitly contains instructions to (Read more...)
*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum authored by Martin Beltov. Read the original post at: https://sensorstechforum.com/7-month-old-wordpress-bug-unpatched/