WARNING: WordPress File Delete to Code Execution

26 Jun 2018 by Slavco Mihajloski, Karim El Ouerghemmi
WordPress Unlink to RCE

WordPress is the most popular CMS on the web. According to w3tech, it is used by approximately 30% of all websites1. This wide adoption makes it an interesting target for cyber criminals. In this blog post we are going to introduce an authenticated arbitrary file deletion vulnerability in the WordPress core that can lead to attackers executing arbitrary code. The vulnerability was reported 7 months ago to the WordPress security team but still remains unpatched. The long time elapsed since the initial reporting without any patch or concrete plans has led us to the decision to make it public.

Read More ...