
Unpatched WordPress vulnerability allows code execution for authors - martinbdz
https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
======
prophesi
"2018/01/24: The WordPress security team estimates the time to fix to be 6
months."

RIPS could have at least waited one more month. It sounds like WordPress gave
their HackerOne extension deadline.

Also, lots of typos and bad wording in the article make it look even less
professional. For instance, if I didn't know the context, the following
sentence makes absolutely no sense:

"The value of $_POST[‘thumb’] could hold the, to the WordPress upload
directory relative, path of any file, and when the attachement gets deleted,
the file will get deleted with it as seen in the first listing."

~~~
griffinmb
It has been more than 7 months since the issue was reported, I don't see how
this lacks professionalism. They even created a temporary fix.

~~~
prophesi
The unprofessional part is disclosing the issue publicly 5 months after the
company estimated it would take them 6 months to fix it.

It's a bit ridiculous that such a high-risk bug could be given so much time
for it to be fixed, but that's how HackerOne's guidelines go.
[https://www.hackerone.com/disclosure-guidelines](https://www.hackerone.com/disclosure-guidelines)

(I'm personally a fan of a tiered system wherein high-risk bugs have a hard
deadline of 3 months or less before public disclosure, and medium/low risk
bugs a much longer deadline)

------
Fellshard
Another day, another WordPress vulnerability.

And people still justify using it 'because it's easy and simple for non-tech
folks.' The non-profit world is _riddled_ with it.

~~~
justaman
The more time I spend in IT the more I appreciate extreme simplicity. Sure,
WordPress claims to be simple for the average user, but it's always what's under
the hood that counts.

~~~
Fellshard
I'm all for actual simplicity, not a facade of simplicity over complex and
inscrutable internals.

------
amaccuish
I've put my WordPress behind a firewall, in a docker container, and mirror it
with wget to my actual webserver, serving the static files. I sleep better at
night.

------
claudiulodro
> case 'editattachment':

> check_admin_referer('update-post_' . $post_id);

Seems like you wouldn't be able to actually use this vulnerability without a
valid nonce, so I don't see how you would trigger this unless you have some
sort of malicious plugin also installed on the site...?

~~~
joe_hills
Some sites have plugins that allow users to create accounts with minimal
permissions.

An attacker could create such an account, then abuse a legitimate nonce to
delete files.

~~~
jajern
Not sure why someone would do this, but even without a plugin you can go to
General Settings and set New User Default Role to Author. This would give any
new accounts the ability to exploit this.
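The thread turns on two points from the article: the attachment's 'thumb' meta value is treated as a path relative to the upload directory and is unlinked when the attachment is deleted, and the nonce check does not help because an author editing their own attachment gets a legitimate nonce. The script below is an added example, not code from the article or from WordPress, that reproduces the unsafe join-and-unlink pattern in a scratch directory and puts a path-containment check beside it. The helper names, the scratch layout and the two 'thumb' values are constructed for the demonstration; the hardened function is an illustrative fix, not a claim about what the WordPress patch does.

```php
<?php
// Added example (not WordPress code): the file-deletion pattern discussed in
// the thread, unsafe form beside a hardened one. Assumptions: a scratch
// "uploads" directory created below stands in for the WordPress upload
// directory; all function names here are hypothetical.
declare(strict_types=1);

// Unsafe form: the 'thumb' value is joined to the upload directory and the
// result is unlinked without checking where the resolved path actually lands,
// so a value containing "../" reaches files outside the upload directory.
function delete_thumb_unsafe(string $upload_dir, string $thumb): bool
{
    $path = $upload_dir . '/' . $thumb;
    return is_file($path) && unlink($path);
}

// Hardened form: canonicalise both paths with realpath() and refuse to delete
// anything whose real location is not strictly inside the upload directory.
// This also catches symlinks that point out of the directory, which a plain
// "../" substring check would miss.
function delete_thumb_checked(string $upload_dir, string $thumb): bool
{
    $base   = realpath($upload_dir);
    $target = realpath($upload_dir . '/' . $thumb);
    if ($base === false || $target === false) {
        return false; // nothing to delete, or directory missing
    }
    // Compare against the base plus a separator so that a sibling directory
    // such as "uploads-old" does not pass as "uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false; // traversal or symlink escape: leave the file alone
    }
    return is_file($target) && unlink($target);
}

// Constructed scratch layout (not real site data):
//   <root>/wp-config.php             outside the upload directory
//   <root>/uploads/2018/06/a.jpg     inside the upload directory
function make_scratch(): string
{
    $root = sys_get_temp_dir() . '/thumbdemo_' . bin2hex(random_bytes(4));
    mkdir($root . '/uploads/2018/06', 0700, true);
    file_put_contents($root . '/wp-config.php', "<?php // constructed stand-in\n");
    file_put_contents($root . '/uploads/2018/06/a.jpg', 'constructed bytes');
    return $root;
}

function remove_scratch(string $root): void
{
    foreach (['/uploads/2018/06/a.jpg', '/wp-config.php'] as $f) {
        if (file_exists($root . $f)) {
            unlink($root . $f);
        }
    }
    foreach (['/uploads/2018/06', '/uploads/2018', '/uploads', ''] as $d) {
        rmdir($root . $d);
    }
}

$root    = make_scratch();
$uploads = $root . '/uploads';

// Constructed 'thumb' values: one a normal upload path, one that climbs out
// of the upload directory the way the article describes.
$legit     = '2018/06/a.jpg';
$traversal = '../wp-config.php';

printf("checked, traversal value: %s\n",
    delete_thumb_checked($uploads, $traversal) ? 'deleted' : 'refused');
printf("wp-config.php after checked delete: %s\n",
    file_exists($root . '/wp-config.php') ? 'present' : 'gone');
printf("checked, legitimate value: %s\n",
    delete_thumb_checked($uploads, $legit) ? 'deleted' : 'refused');
printf("unsafe, traversal value: %s\n",
    delete_thumb_unsafe($uploads, $traversal) ? 'deleted' : 'refused');
printf("wp-config.php after unsafe delete: %s\n",
    file_exists($root . '/wp-config.php') ? 'present' : 'gone');

remove_scratch($root);
```

Run it with `php` from the command line; it only touches a directory it creates under the system temp directory. The containment check is independent of the nonce, which is the point made in the thread: the nonce proves the request came from the site's own edit form, not that the path in the request is safe, so the check has to be on the resolved path itself.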

