- THIS SECURITY ISSUE WAS RESOLVED WITH THE LATEST WORDPRESS RELEASE
This vulnerability affects the WordPress core, and not any plugin or theme. More precisely, the flaw was found in a PHP function that deletes thumbnails for images uploaded on a WordPress website. This flaw allows for the insertion of malicious code which may traverse the servers’ directories allowing for the deletion of crucial files. Something which isn’t possible without FTP or server access.
The severity of this vulnerability is reduced by the fact that only users of a certain access level (Author or higher) can attempt an exploit. However, if an attacker manages to register even a low-level “Subscriber” account on a site and then elevates its privileges, they can exploit this vulnerability to hijack the site.
Thanks to the security researchers over at RIPSTECH, they not only disclosed this issue but they also created and provided a temporary hotfix.
Security Flaw Solution
The RIPSTECH quick fix may be integrated into an existing WordPress installation by adding the following code to your
functions.php file of the currently active theme or child-theme.
** WordPress File Delete Temporary Hotfix
** Removes ability of user traversing directories when removing thumbnails
** Discovered and patched by RIPSTECH - Thank you!
add_filter( 'wp_update_attachment_metadata', 'dir_traverse_unlink_tempfix' );
function dir_traverse_unlink_tempfix( $data )
if( isset( $data['thumb'] ) )
$data['thumb'] = basename( $data['thumb'] );
Should you need assistance implementing the above quick fix on your existing WordPress website simply reach out to us at (239) 961-8285
We hope this article has helped you security your WordPress website. If this article was helpful please take a moment to like us on Facebook, share this on your social media or buy us a cup of coffee.