Remote PHP code execution in WordPress
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2017-1000600 CVE-2018-1000773 CVE-2018-14028 |
| CWE-ID | CWE-502 CWE-399 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. |
| Vulnerable software Subscribe |
WordPress Web applications / CMS |
| Vendor | WordPress.ORG |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Insecure deserialization
EUVDB-ID: #VU14439
Risk: Medium
CVSSv3.1: 6.8 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C]
CVE-ID: CVE-2017-1000600,CVE-2018-1000773
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insecure deserialization of data passed as an image file and then executed via the "phar://" stream wrapper within the "wp_get_attachment_thumb_file" function in "/wpincludes/post.php" script. A remote authenticated attacker with ability to create/edit posts can upload a malicious image and execute arbitrary PHP code on vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsWordPress: 4.9 - 4.9.8
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Resource management error
EUVDB-ID: #VU15401
Risk: Medium
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C]
CVE-ID: CVE-2018-14028
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable application.
The vulnerability exists due to the plugin extractor does not clean extracted files from predictable location (e.g. wp-content/uploads) within the webroot directory in case plugin extraction fails. A remote attacker can leverage this directly access and run extracted PHP files on the website.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system but requires specific WordPress/system configuration and user interaction.
MitigationInstall update from vendor's website.
Vulnerable software versionsWordPress: 4.9 - 4.9.8
External linkshttp://core.trac.wordpress.org/ticket/44710
http://github.com/rastating/wordpress-exploit-framework/pull/52
http://rastating.github.io/unrestricted-file-upload-via-plugin-uploader-in-wordpress/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
