UPDATE : January 13, 2026 - 12:56 am

Powerful flaw discovered (and still not fixed) in WordPress 4.9.6


A very serious flaw has been discovered in WordPress 4.9.6 and was made public a few hours ago by a team of security experts (https://dewhurstsecurity.com/).


The team that discovered the flaw reported the results to WordPress seven months later, but after receiving no response, they decided to make it public so that developers could take action.


The flaw would allow an attacker to “inject” malicious code that deletes the wp-config.php file, which contains all the configuration information for a website (database credentials and other settings).
Once this file is deleted, WordPress will be reinstalled, overwriting the configuration file with a new one.

At the moment, an official patch has not been released by WordPress, but surely in the next few hours there will be something official.

The vulnerability, and the way to use it, is really simple: in a few steps an attacker can get a devastating result (even though the data contained in the database would not be at risk, as only the configuration file would be reset), potentially creating a very serious problem since WordPress is the most used CMS in the world.

The same security experts have also published a temporary fix that must be implemented in the functions.php file of the theme used on WordPress.

We advise anyone who has a WordPress-based website to protect themselves by making a backup copy of the site data.
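Since the impact described above is the loss or regeneration of wp-config.php, a site owner can back that file up and check it on a schedule. The following is an added example, not code from this article or from the researchers; the function names, backup file name and paths are assumptions chosen for illustration.

```python
import hashlib
import os
import shutil
from pathlib import Path


def locate_wp_config(site_root):
    """Find wp-config.php the way WordPress does: in the site root, or one
    directory up when that directory is not itself a WordPress install."""
    root = Path(site_root)
    if (root / "wp-config.php").is_file():
        return root / "wp-config.php"
    parent = root.parent
    if (parent / "wp-config.php").is_file() and not (parent / "wp-settings.php").exists():
        return parent / "wp-config.php"
    return None


def sha256_of(path):
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def snapshot(site_root, backup_dir):
    """Copy wp-config.php to backup_dir (owner-only) and return its baseline hash."""
    cfg = locate_wp_config(site_root)
    if cfg is None:
        raise FileNotFoundError("no wp-config.php to snapshot")
    Path(backup_dir).mkdir(parents=True, exist_ok=True)
    dest = Path(backup_dir) / "wp-config.php.bak"  # hypothetical backup name
    shutil.copy2(cfg, dest)
    os.chmod(dest, 0o600)  # the file holds database credentials
    return sha256_of(dest)


def check(site_root, baseline):
    """Return 'ok', 'modified' (e.g. regenerated by a reinstall) or 'missing'."""
    cfg = locate_wp_config(site_root)
    if cfg is None:
        return "missing"
    return "ok" if sha256_of(cfg) == baseline else "modified"
```

Run `snapshot()` once while the site is in a known-good state, keep the backup directory outside the web root, and alert on any `check()` result other than `ok`.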

For further information, please refer to the official website where the flaw was reported.

 


EDITORIAL TEAM