Path Traversal and Local File Inclusion Vulnerabilities Lead to Remote Code Execution in WordPress
On February 19, RIPS Technologies published a blog post [1] detailing the discovery of a Path Traversal and Local File Inclusion vulnerability in all WordPress core versions prior to 4.9.9 and 5.0.1. Entries in the wp_postmeta database table (known as “Post Meta”) could be modified and set to arbitrary values. An attacker could use crafted files to trigger the Path Traversal and Local File Inclusion, which could lead to arbitrary code execution.
The vulnerabilities were reportedly present in WordPress for more than six years. To exploit them, an attacker would need access to a WordPress account with at least Author-level permissions.
While the Local File Inclusion vulnerability has been addressed in WordPress versions 4.9.9 [2] and 5.0.1 [3], the Path Traversal bug remains unpatched, and vulnerable WordPress plugins that mishandle Post Meta database entries could be exploited. According to RIPS Technologies, they’ve encountered plugins with “millions of active installations [that] do this mistake” before.
Tenable Web Application Scanning (WAS) and Nessus plugins that identify vulnerable WordPress versions are available here [4]. Additionally, the following Nessus plugin [5] identifies WordPress plugins that are outdated.
We will update this post when a patch for the Path Traversal vulnerability is available.
[1] https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
[2] https://wordpress.org/support/wordpress-version/version-4-9-9/
[3] https://wordpress.org/support/wordpress-version/version-5-0-1/
[4] https://www.tenable.com/plugins/search?q=script_id%3A(98370%20OR%2098371%20OR%20119615)
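
Because the Path Traversal bug is unpatched, one defensive check is to audit exported wp_postmeta rows for path-like values that resolve outside the uploads directory. The following is an added example, not code from the original post, WordPress or Tenable. The uploads path, helper names and sample rows are constructed assumptions; `_wp_attached_file` is the WordPress core meta key for an attachment's relative file path, which the post itself does not name.

```python
import posixpath

# Assumption: the directory that path-like Post Meta values are resolved against.
UPLOADS_BASE = "/var/www/html/wp-content/uploads"

def escapes_base(meta_value, base=UPLOADS_BASE):
    """True if meta_value, used as a path relative to base, resolves outside base."""
    if not meta_value:
        return False                       # NULL or empty: nothing to resolve
    value = meta_value.replace("\\", "/")  # treat Windows separators like "/"
    if "\x00" in value or value.startswith("/"):
        return True                        # null byte or absolute path
    base = posixpath.normpath(base)
    resolved = posixpath.normpath(posixpath.join(base, value))
    # Compare resolved paths, not substrings: "a/../a/x.jpg" is harmless.
    return posixpath.commonpath([base, resolved]) != base

def audit_postmeta(rows, path_keys):
    """rows: (post_id, meta_key, meta_value) tuples exported from wp_postmeta.
    path_keys: meta keys whose values core or a plugin uses as file paths."""
    return [(pid, key, val) for pid, key, val in rows
            if key in path_keys and escapes_base(val)]

# Constructed sample rows (not taken from a real site).
SAMPLE_ROWS = [
    (101, "_wp_attached_file", "2019/02/photo.jpg"),
    (102, "_wp_attached_file", "2019/02/../../../../outside/photo.jpg"),
    (103, "_wp_attached_file", "2019/../2019/photo.jpg"),
    (104, "_wp_attached_file", "..\\..\\outside.jpg"),
    (105, "_edit_lock", "1550000000:1"),
    (106, "_wp_attached_file", "/tmp/photo.jpg"),
]

if __name__ == "__main__":
    for pid, key, val in audit_postmeta(SAMPLE_ROWS, {"_wp_attached_file"}):
        print(f"post {pid}: {key} = {val!r} resolves outside {UPLOADS_BASE}")
```

The check is purely lexical and does not follow symlinks. Extend `path_keys` with any meta keys that installed plugins pass to filesystem functions.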