Blog: PSA: Arbitrary File Deletion vulnerability in all current versions of WordPress

Update 20180705: version 4.9.7 has been released and addresses the issue below. 

RipsTech (static analysis for PHP) yesterday disclosed an arbitrary file deletion vulnerability in all current versions of WordPress. The vulnerability requires a role of Author or greater in order to exploit. It allows an authenticated user to delete any file on the server that the user account PHP runs under has access to. A prime target for attackers will be wp-config.php, since removing it lets them reinstall WordPress connected to a database they control.

The current suggested fix is to hook the `wp_update_attachment_metadata` filter and pass the `thumb` value through the `basename()` function so that only the file name is kept. The following snippet of code can be added to your theme's functions.php file:

// Strip any directory components from the 'thumb' entry before the
// attachment metadata is saved, so it can only ever name a bare file.
add_filter('wp_update_attachment_metadata', function ($aryPostData) {
    if (isset($aryPostData['thumb'])) {
        $aryPostData['thumb'] = basename($aryPostData['thumb']);
    }
    return $aryPostData;
});

Alternatively, the snippet can be made into a plugin and either activated normally or dropped into your must-use plugins directory (wp-content/mu-plugins), where it is loaded automatically and cannot be deactivated from the dashboard.
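As an added example (not the post author's code, nor the RIPS hotfix itself), here is the same fix packaged as a must-use plugin. Beyond applying `basename()`, it logs whenever the stored value actually had to be changed, since core only writes bare file names into `thumb`, so a rewritten value is worth reviewing along with the account that submitted it. The function name and log prefix are assumptions chosen for this example.

```php
<?php
/**
 * Plugin Name: Attachment thumb hotfix (constructed example)
 * Description: Keeps the 'thumb' attachment meta value to a bare file name and
 *              logs when a submitted value had to be rewritten.
 *
 * Drop this file into wp-content/mu-plugins/ to have it loaded on every request.
 */

// Exit if accessed directly rather than loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Sanitize the 'thumb' entry of attachment metadata before it is saved.
 *
 * @param array $data          Attachment metadata about to be stored.
 * @param int   $attachment_id ID of the attachment being updated.
 * @return array Metadata with 'thumb' reduced to a file name.
 */
function example_sanitize_attachment_thumb( $data, $attachment_id ) {
    if ( ! is_array( $data ) || ! isset( $data['thumb'] ) ) {
        return $data;
    }

    $original  = (string) $data['thumb'];
    $sanitized = basename( $original );

    if ( $sanitized !== $original ) {
        // Core stores only a bare file name here; a value carrying path
        // components did not come from normal media handling, so record it
        // together with the acting user and attachment for later review.
        error_log( sprintf(
            'attachment-thumb-hotfix: user %d, attachment %d: rewrote thumb "%s" to "%s"',
            get_current_user_id(),
            (int) $attachment_id,
            $original,
            $sanitized
        ) );
    }

    $data['thumb'] = $sanitized;
    return $data;
}
add_filter( 'wp_update_attachment_metadata', 'example_sanitize_attachment_thumb', 10, 2 );
```

The filter is registered with two accepted arguments because WordPress passes both the metadata array and the attachment ID to `wp_update_attachment_metadata`; the ID only feeds the log line and is not needed for the sanitization itself. Once you have upgraded to 4.9.7, the log entries tell you whether anyone attempted to exercise the bug in the meantime, which is useful input to the user audit below.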

In addition, this is a good reminder that you should audit your current user list: verify that every user on your site should still have access, and that each one has the appropriate role assigned.
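An added example (not from the original post) of how that audit can be scripted: run through WP-CLI with `wp eval-file audit-roles.php`, it lists every account holding one of the roles that meet the "Author or greater" precondition and flags any login that is not on an allow-list you maintain. The allow-list contents and the file name are constructed for this example; custom roles your site defines would need to be added to `$roles`.

```php
<?php
/**
 * Constructed example: list accounts with a role of Author or greater and
 * flag any that are not on the expected allow-list.
 *
 * Run inside a WordPress install with: wp eval-file audit-roles.php
 */

// Built-in roles that satisfy the Author-or-greater precondition.
// Add any custom roles with equivalent capabilities here.
$roles = array( 'author', 'editor', 'administrator' );

// Logins you expect to hold these roles (constructed sample values).
$expected_logins = array( 'site-admin', 'news-editor' );

$users = get_users( array(
    'role__in' => $roles,
    'orderby'  => 'registered',
    'order'    => 'DESC',
) );

printf( "%-6s %-20s %-30s %-20s %-20s %s\n",
    'ID', 'login', 'email', 'roles', 'registered', 'status' );

$unexpected = 0;
foreach ( $users as $user ) {
    $status = in_array( $user->user_login, $expected_logins, true ) ? 'expected' : 'REVIEW';
    if ( 'REVIEW' === $status ) {
        $unexpected++;
    }
    printf( "%-6d %-20s %-30s %-20s %-20s %s\n",
        $user->ID,
        $user->user_login,
        $user->user_email,
        implode( ',', $user->roles ),
        $user->user_registered,
        $status
    );
}

printf( "\n%d account(s) with a role of Author or greater, %d not on the allow-list.\n",
    count( $users ), $unexpected );
```

Accounts marked REVIEW are not necessarily malicious; they are simply the ones whose presence and role you cannot vouch for from the allow-list, which is exactly the set the post suggests examining and trimming.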

Paul Gilzow

Programmer Analyst, University of Missouri. @gilzow

Web application security and accessibility evangelist. Software instructor. Conference lecturer and presenter.
