{"id":1423,"date":"2018-06-28T23:09:30","date_gmt":"2018-06-28T23:09:30","guid":{"rendered":"http:\/\/blog.nsfocusglobal.com\/?p=1423"},"modified":"2018-06-28T23:09:30","modified_gmt":"2018-06-28T23:09:30","slug":"arbitrary-file-deletion-vulnerability-in-wordpress-core","status":"publish","type":"post","link":"https:\/\/nsfocusglobal.com\/pt-br\/arbitrary-file-deletion-vulnerability-in-wordpress-core\/","title":{"rendered":"Arbitrary File Deletion Vulnerability in WordPress Core"},"content":{"rendered":"<p>RIPS Technologies (www.ripstech.com\/) published an arbitrary file deletion vulnerability in the WordPress core on 26 June 2018. Any WordPress version, including the current version, is affected. After an attacker gains the privileges to edit and delete media files, the vulnerability can be used to escalate privileges attained through the takeover of an account with a role as low as Author. An attacker could exploit this vulnerability to completely take over the WordPress site and to execute arbitrary code on the server.<\/p>\n<p>At the time of writing, no patch preventing this vulnerability is available.<\/p>\n<p>Links: <a href=\"https:\/\/blog.ripstech.com\/2018\/wordpress-file-delete-to-code-execution\/\">https:\/\/blog.ripstech.com\/2018\/wordpress-file-delete-to-code-execution\/<\/a><\/p>\n<p>https:\/\/www.bleepingcomputer.com\/news\/security\/unpatched-flaw-disclosed-in-wordpress-cms-core\/<\/p>\n<h2>Affected Versions<\/h2>\n<p>WordPress version &lt;= v.4.9.6<\/p>\n<h2>Unaffected Versions<\/h2>\n<p>None<\/p>\n<h2>Description<\/h2>\n<p>An arbitrary file deletion vulnerability occurs when unsanitized user input is passed to a file deletion function. 
In PHP, this happens when the unlink() function is called and user input can affect part or all of the $filename parameter, which represents the path of the file to delete, without undergoing proper sanitization.<br \/>\nThe code section that made this vulnerability possible in the WordPress core is found in the wp-includes\/post.php file.<\/p>\n<h2>Workaround<\/h2>\n<p>WordPress has not released any patch to fix this vulnerability. Users are advised to\u00a0pay close attention to updates at <a href=\"https:\/\/wordpress.org\/download\/\">https:\/\/wordpress.org\/download\/<\/a>.<\/p>\n<p>RIPS researchers provided a temporary fix that can be integrated into an existing WordPress installation by adding it to the functions.php file of the currently active theme\/child-theme. For details, please visit <a href=\"https:\/\/blog.ripstech.com\/2018\/wordpress-file-delete-to-code-execution\/\">https:\/\/blog.ripstech.com\/2018\/wordpress-file-delete-to-code-execution\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>RIPS Technologies (www.ripstech.com\/) published an arbitrary file deletion vulnerability in the WordPress core on 26 June 2018. Any WordPress version, including the current version, is affected. 
After an attacker gains the privileges to edit and delete media files, the vulnerability can be used to escalate privileges attained through the takeover of an account with [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":7769,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","footnotes":""},"categories":[7],"tags":[],"class_list":["post-1423","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-events"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Arbitrary File Deletion Vulnerability in WordPress Core - NSFOCUS<\/title>\n<meta name=\"robots\" content=\"noindex, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"pt_BR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Arbitrary File Deletion Vulnerability in WordPress Core - NSFOCUS\" \/>\n<meta property=\"og:description\" content=\"RIPS Technologies (www.ripstech.com\/) published an arbitrary file deletion vulnerability in the WordPress core on 26 June 2018. 
Any WordPress version\" \/>\n<meta property=\"og:url\" content=\"https:\/\/nsfocusglobal.com\/arbitrary-file-deletion-vulnerability-in-wordpress-core\/\" \/>\n<meta property=\"og:site_name\" content=\"NSFOCUS\" \/>\n<meta property=\"article:published_time\" content=\"2018-06-28T23:09:30+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2018\/06\/WordPress.png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Arbitrary File Deletion Vulnerability in WordPress Core - NSFOCUS\" \/>\n<meta name=\"twitter:description\" content=\"RIPS Technologies (www.ripstech.com\/) published an arbitrary file deletion vulnerability in the WordPress core on 26 June 2018. Any WordPress version\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2018\/06\/WordPress.png\" \/>\n<meta name=\"twitter:label1\" content=\"Escrito por\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
tempo de leitura\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minuto\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/arbitrary-file-deletion-vulnerability-in-wordpress-core\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/arbitrary-file-deletion-vulnerability-in-wordpress-core\\\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#\\\/schema\\\/person\\\/fd9ab61c9c77a81bbd870f725cc0c61d\"},\"headline\":\"Arbitrary File Deletion Vulnerability in WordPress Core\",\"datePublished\":\"2018-06-28T23:09:30+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/arbitrary-file-deletion-vulnerability-in-wordpress-core\\\/\"},\"wordCount\":259,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/arbitrary-file-deletion-vulnerability-in-wordpress-core\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2018\\\/06\\\/WordPress.png\",\"articleSection\":[\"Global Events\"],\"inLanguage\":\"pt-BR\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/nsfocusglobal.com\\\/arbitrary-file-deletion-vulnerability-in-wordpress-core\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/arbitrary-file-deletion-vulnerability-in-wordpress-core\\\/\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/arbitrary-file-deletion-vulnerability-in-wordpress-core\\\/\",\"name\":\"Arbitrary File Deletion Vulnerability in WordPress Core - 
NSFOCUS\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/arbitrary-file-deletion-vulnerability-in-wordpress-core\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/arbitrary-file-deletion-vulnerability-in-wordpress-core\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2018\\\/06\\\/WordPress.png\",\"datePublished\":\"2018-06-28T23:09:30+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/arbitrary-file-deletion-vulnerability-in-wordpress-core\\\/#breadcrumb\"},\"inLanguage\":\"pt-BR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/nsfocusglobal.com\\\/arbitrary-file-deletion-vulnerability-in-wordpress-core\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/arbitrary-file-deletion-vulnerability-in-wordpress-core\\\/#primaryimage\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2018\\\/06\\\/WordPress.png\",\"contentUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2018\\\/06\\\/WordPress.png\",\"width\":668,\"height\":388,\"caption\":\"WordPress logo with text underneath.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/arbitrary-file-deletion-vulnerability-in-wordpress-core\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/nsfocusglobal.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Arbitrary File Deletion Vulnerability in WordPress Core\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#website\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/\",\"name\":\"NSFOCUS\",\"description\":\"Security Made Smart and 
Simple\",\"publisher\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"pt-BR\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#organization\",\"name\":\"NSFOCUS\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/logo-ns.png\",\"contentUrl\":\"https:\\\/\\\/nsfocusglobal.com\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/logo-ns.png\",\"width\":248,\"height\":36,\"caption\":\"NSFOCUS\"},\"image\":{\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/#\\\/schema\\\/person\\\/fd9ab61c9c77a81bbd870f725cc0c61d\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\\\/\\\/nsfocusglobal.com\"],\"url\":\"https:\\\/\\\/nsfocusglobal.com\\\/pt-br\\\/author\\\/admin\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Arbitrary File Deletion Vulnerability in WordPress Core - NSFOCUS","robots":{"index":"noindex","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"pt_BR","og_type":"article","og_title":"Arbitrary File Deletion Vulnerability in WordPress Core - NSFOCUS","og_description":"RIPS Technologies (www.ripstech.com\/) published an arbitrary file deletion vulnerability in the WordPress core on 26 June 2018. Any WordPress version","og_url":"https:\/\/nsfocusglobal.com\/arbitrary-file-deletion-vulnerability-in-wordpress-core\/","og_site_name":"NSFOCUS","article_published_time":"2018-06-28T23:09:30+00:00","og_image":[{"url":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2018\/06\/WordPress.png","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_title":"Arbitrary File Deletion Vulnerability in WordPress Core - NSFOCUS","twitter_description":"RIPS Technologies (www.ripstech.com\/) published an arbitrary file deletion vulnerability in the WordPress core on 26 June 2018. Any WordPress version","twitter_image":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2018\/06\/WordPress.png","twitter_misc":{"Escrito por":"admin","Est. 
tempo de leitura":"1 minuto"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/nsfocusglobal.com\/arbitrary-file-deletion-vulnerability-in-wordpress-core\/#article","isPartOf":{"@id":"https:\/\/nsfocusglobal.com\/arbitrary-file-deletion-vulnerability-in-wordpress-core\/"},"author":{"name":"admin","@id":"https:\/\/nsfocusglobal.com\/pt-br\/#\/schema\/person\/fd9ab61c9c77a81bbd870f725cc0c61d"},"headline":"Arbitrary File Deletion Vulnerability in WordPress Core","datePublished":"2018-06-28T23:09:30+00:00","mainEntityOfPage":{"@id":"https:\/\/nsfocusglobal.com\/arbitrary-file-deletion-vulnerability-in-wordpress-core\/"},"wordCount":259,"commentCount":0,"publisher":{"@id":"https:\/\/nsfocusglobal.com\/pt-br\/#organization"},"image":{"@id":"https:\/\/nsfocusglobal.com\/arbitrary-file-deletion-vulnerability-in-wordpress-core\/#primaryimage"},"thumbnailUrl":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2018\/06\/WordPress.png","articleSection":["Global Events"],"inLanguage":"pt-BR","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/nsfocusglobal.com\/arbitrary-file-deletion-vulnerability-in-wordpress-core\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/nsfocusglobal.com\/arbitrary-file-deletion-vulnerability-in-wordpress-core\/","url":"https:\/\/nsfocusglobal.com\/arbitrary-file-deletion-vulnerability-in-wordpress-core\/","name":"Arbitrary File Deletion Vulnerability in WordPress Core - 
NSFOCUS","isPartOf":{"@id":"https:\/\/nsfocusglobal.com\/pt-br\/#website"},"primaryImageOfPage":{"@id":"https:\/\/nsfocusglobal.com\/arbitrary-file-deletion-vulnerability-in-wordpress-core\/#primaryimage"},"image":{"@id":"https:\/\/nsfocusglobal.com\/arbitrary-file-deletion-vulnerability-in-wordpress-core\/#primaryimage"},"thumbnailUrl":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2018\/06\/WordPress.png","datePublished":"2018-06-28T23:09:30+00:00","breadcrumb":{"@id":"https:\/\/nsfocusglobal.com\/arbitrary-file-deletion-vulnerability-in-wordpress-core\/#breadcrumb"},"inLanguage":"pt-BR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/nsfocusglobal.com\/arbitrary-file-deletion-vulnerability-in-wordpress-core\/"]}]},{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/nsfocusglobal.com\/arbitrary-file-deletion-vulnerability-in-wordpress-core\/#primaryimage","url":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2018\/06\/WordPress.png","contentUrl":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2018\/06\/WordPress.png","width":668,"height":388,"caption":"WordPress logo with text underneath."},{"@type":"BreadcrumbList","@id":"https:\/\/nsfocusglobal.com\/arbitrary-file-deletion-vulnerability-in-wordpress-core\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/nsfocusglobal.com\/"},{"@type":"ListItem","position":2,"name":"Arbitrary File Deletion Vulnerability in WordPress Core"}]},{"@type":"WebSite","@id":"https:\/\/nsfocusglobal.com\/pt-br\/#website","url":"https:\/\/nsfocusglobal.com\/pt-br\/","name":"NSFOCUS","description":"Security Made Smart and 
Simple","publisher":{"@id":"https:\/\/nsfocusglobal.com\/pt-br\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/nsfocusglobal.com\/pt-br\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"pt-BR"},{"@type":"Organization","@id":"https:\/\/nsfocusglobal.com\/pt-br\/#organization","name":"NSFOCUS","url":"https:\/\/nsfocusglobal.com\/pt-br\/","logo":{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/nsfocusglobal.com\/pt-br\/#\/schema\/logo\/image\/","url":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2024\/08\/logo-ns.png","contentUrl":"https:\/\/nsfocusglobal.com\/wp-content\/uploads\/2024\/08\/logo-ns.png","width":248,"height":36,"caption":"NSFOCUS"},"image":{"@id":"https:\/\/nsfocusglobal.com\/pt-br\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/nsfocusglobal.com\/pt-br\/#\/schema\/person\/fd9ab61c9c77a81bbd870f725cc0c61d","name":"admin","image":{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/secure.gravatar.com\/avatar\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d3dc987908fc59791d261b1006d84eb931d15287261476b9384e690ed0c568de?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/nsfocusglobal.com"],"url":"https:\/\/nsfocusglobal.com\/pt-br\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/posts\/1423","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/user
s\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/comments?post=1423"}],"version-history":[{"count":0,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/posts\/1423\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/media\/7769"}],"wp:attachment":[{"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/media?parent=1423"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/categories?post=1423"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nsfocusglobal.com\/pt-br\/wp-json\/wp\/v2\/tags?post=1423"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}