SB2018081701 - Remote PHP code execution in WordPress
Published: August 17, 2018 Updated: November 1, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Insecure deserialization (CVE-ID: CVE-2018-1000773)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insecure deserialization of data passed as an image file and then executed via the "phar://" stream wrapper within the "wp_get_attachment_thumb_file" function in "/wpincludes/post.php" script. A remote authenticated attacker with ability to create/edit posts can upload a malicious image and execute arbitrary PHP code on vulnerable system.
2) Resource management error (CVE-ID: CVE-2018-14028)
The vulnerability allows a remote attacker to compromise vulnerable application.
The vulnerability exists due to the plugin extractor does not clean extracted files from predictable location (e.g. wp-content/uploads) within the webroot directory in case plugin extraction fails. A remote attacker can leverage this directly access and run extracted PHP files on the website.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system but requires specific WordPress/system configuration and user interaction.
Remediation
Install update from vendor's website.
References
- https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf
- https://core.trac.wordpress.org/ticket/44710
- https://github.com/rastating/wordpress-exploit-framework/pull/52
- https://rastating.github.io/unrestricted-file-upload-via-plugin-uploader-in-wordpress/