Unpatched Flaw Disclosed in WordPress CMS Core

By Catalin Cimpanu

Summary: According to Cimpanu, Web security researches from RIPS Tech announced a flaw in WordPress that would allow “users who have access to the post editor —and can upload or delete images (and their thumbs)— can insert malicious code in a WordPress site that deletes crucial files part of the WordPress CMS core, something that should not be possible in any way without access to the server’s FTP.”

In other words, this flaw allows low-level users to drastically overstep their bounds and cause damage to the site.

The Jonesen Take: The more accounts that have permission, the more accounts that can be exploited and used maliciously.  Our policy is to limit the number of accounts that have access to even the lowest level of permission for each site.  If you build a strong vault and then give everyone around a key, it’s not a secure as it could be.