CVE-2018-12895 in WordPress
Summary
by MITRE
WordPress through 4.9.6 allows Author users to execute arbitrary code by leveraging directory traversal in the wp-admin/post.php thumb parameter, which is passed to the PHP unlink function and can delete the wp-config.php file. This is related to missing filename validation in the wp-includes/post.php wp_delete_attachment function. The attacker must have capabilities for files and posts that are normally available only to the Author, Editor, and Administrator roles. The attack methodology is to delete wp-config.php and then launch a new installation process to increase the attacker's privileges.
Analysis
by VulDB Data Team • 03/29/2023
This vulnerability is a directory traversal flaw in WordPress versions up to and including 4.9.6 that lets an authenticated user with Author privileges execute arbitrary code by manipulating the thumb parameter of the wp-admin/post.php endpoint. The root cause is insufficient input validation in the wp_delete_attachment function in wp-includes/post.php: the thumb value is passed to PHP's unlink function without sanitization, so a value containing path traversal sequences can delete files outside the intended directory, including wp-config.php. Because user-supplied input is allowed to steer a file system operation beyond its intended boundaries, the issue is classified under CWE-22 as Directory Traversal, and in practice it is a privilege escalation vulnerability.

Exploitation requires the Author role, which normally carries the capabilities to create and edit posts and to upload and manage media files. With those capabilities, an attacker submits a thumb value to post.php that points at wp-config.php. Once the configuration file is deleted, WordPress automatically starts a new installation process, and the attacker can use the installation interface to obtain elevated privileges. The technique maps to ATT&CK T1068 (privilege escalation through an application vulnerability) and T1078 (use of valid accounts for persistence and privilege escalation).
The flaw is a failure of WordPress's file handling to confine the paths handled by wp_delete_attachment to the intended directory, which lets an Author bypass normal file system access controls. It is especially concerning because the required privileges are low: the Author role is commonly granted to users who should never be able to manipulate files at the system level. The impact goes well beyond deleting one file, since the forced reinstallation can end in complete compromise of the site. Installations running versions prior to 4.9.7 should therefore treat this as a high-priority issue, above all sites with multiple authors or external contributors whose Author-level accounts are not fully trusted. More broadly, the bug shows why every user-supplied value must be validated before it reaches a file system operation and why least privilege matters: a seemingly benign operation such as deleting a thumbnail became an attack vector because no layer of validation stood between the parameter and unlink, a failure of defense in depth where several layers should have stopped the traversal.
Organizations should upgrade to WordPress 4.9.7 or later, add input validation around file deletion paths, and ensure that access controls limit what lower-privilege roles can do. The case also underlines the value of regular security audits and of keeping all software components updated, since a known vulnerability of this kind offers a direct route to complete system compromise.
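The containment check that the analysis calls for, as an added example written from a defensive stance: it is not WordPress code and not the project's 4.9.7 fix, and the function names (resolve_inside_uploads, safe_delete_upload) and the constructed temporary site layout are assumptions. The point it demonstrates is that a deletion path must be canonicalised with realpath() and shown to still begin with the canonical uploads directory before unlink() is ever called; rejecting ".." by string inspection alone is not enough on its own.

```php
<?php
// Added example (not WordPress code, not the 4.9.7 patch): confine a deletion path to the
// uploads directory before calling unlink(). Function names and sample paths are assumptions.

/**
 * Resolve $relative against $basedir and return the canonical absolute path only if it
 * stays inside $basedir. Returns null when the path is empty, absolute, contains
 * traversal segments or NUL bytes, escapes the base directory, or does not exist.
 */
function resolve_inside_uploads(string $basedir, string $relative): ?string
{
    // Cheap syntactic rejections before touching the filesystem.
    if ($relative === ''
        || strpos($relative, "\0") !== false
        || strpos($relative, '..') !== false
        || $relative[0] === '/' || $relative[0] === '\\'
        || preg_match('/^[A-Za-z]:/', $relative) === 1) {
        return null;
    }

    $base = realpath($basedir);
    if ($base === false) {
        return null; // the uploads directory itself is missing
    }

    // realpath() canonicalises the path and follows symlinks, so a link placed inside
    // the uploads directory that points elsewhere is also caught by the prefix check.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false) {
        return null; // nothing to delete
    }

    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the uploads directory
    }
    return $candidate;
}

/** Delete an upload only when the resolved path lies inside the uploads directory. */
function safe_delete_upload(string $basedir, string $relative): bool
{
    $path = resolve_inside_uploads($basedir, $relative);
    if ($path === null) {
        // Log the refusal; a real deployment would also surface this to monitoring.
        error_log("safe_delete_upload: refused to unlink '$relative'");
        return false;
    }
    return unlink($path);
}

// Constructed demonstration layout in a temporary directory (not a real site):
//   <tmp>/site_xxxx/wp-config.php
//   <tmp>/site_xxxx/wp-content/uploads/2018/06/photo-150x150.jpg
$site    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'site_' . bin2hex(random_bytes(4));
$uploads = $site . '/wp-content/uploads';
mkdir($uploads . '/2018/06', 0700, true);
file_put_contents($site . '/wp-config.php', '<?php // constructed stub');
file_put_contents($uploads . '/2018/06/photo-150x150.jpg', 'stub');

// A thumbnail inside the uploads tree is deleted normally.
var_dump(safe_delete_upload($uploads, '2018/06/photo-150x150.jpg'));

// A path that climbs towards the configuration file is refused and the file survives.
var_dump(safe_delete_upload($uploads, '../../wp-config.php'));
var_dump(file_exists($site . '/wp-config.php'));
```

The strpos() test for ".." is deliberately conservative and will also refuse an otherwise harmless filename such as "a..b.jpg"; the prefix comparison on the realpath() result is the control that actually enforces containment, and it is the one to keep if the syntactic checks are relaxed. Note that realpath() returns false for a file that does not yet exist, so this check is suited to deletion and reading, not to choosing a path for a new upload.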