New Vulnerability Puts Countless WordPress Websites at Risk
A Secarma researcher said this week that a vulnerability in WordPress that has been left unpatched for about a year has the potential to compromise a countless number of websites.
Researcher Sam Thomas revealed at the BSides technical cyber security conference that the bug can allow attackers to exploit WordPress’ PHP framework. Thomas says the core vulnerability lies in the wp_get_attachment_thumb_file function in /wp-includes/post.php and can be triggered when attackers gain control of a parameter passed to the “file_exists” call. It was noted that attackers can potentially execute malicious code on a compromised system.
Secarma had already alerted WordPress in February 2017, but the CMS provider has not yet taken any action.