A recently disclosed vulnerability, referred to as the “Zero Day” vulnerability, was found in the core engine of WordPress 4.2 and earlier; it could lead to remote code execution on a webserver.
A Finland-based security firm called Klikki Oy discovered the issue and posted it on their blog this past Sunday.
“If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors,” said Jouko Pynnönen, a researcher with Klikki Oy. “Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.”
Pynnönen said the best mitigation until a patch is made available is to disable comments and not approve any.
Pynnönen said he reported another vulnerability to WordPress in November that has yet to be patched, despite requesting updates directly, via the HackerOne bounty platform and through Finland’s CERT.
“Communication with WordPress developers has been difficult,” Pynnönen said. “They simply seem to ignore all inquiries. There has been no explanation as to why the bug is still not fixed. It was supposed to happen in November. All WordPress versions are still vulnerable.”