WordPress vulnerability that allows file deletion

Latest WordPress vulnerability disclosed and it poses a danger to all versions including 4.9.6

Yesterday a security research team from RIPSTECH disclosed WordPress vulnerability that affects all latest WordPress versions including the current 4.9.6 version. All information is now available on the RIPSTECH blog, and this vulnerability already has the Common Vulnerabilities and Exposures entry – CVE-2018-12895.

According to the vulnerability authors, this issue is known by WordPress security team for more than seven months. Here’s the full timeline since the day one:

  • 2017.11.20 – WordPress Vulnerability reported to the WordPress security team on Hackerone.
  • 2017.11.22 – The vulnerability was triaged and verified by the security team.
  • 2017.12.12 – Asked for progress.
  • 2017.12.18 – WordPress is working on a patch. Asked for the release date. No response.
  • 2018.01.09 – Asked for the release date. No response.
  • 2018.01.20 – Asked for mediation on Hackerone due to the severity of the issue and the lack of communication.
  • 2018.01.24 – The WordPress security team estimates the time to fix to be 6 months.
  • 2018.05.24 – Asked for progress and/or plans on the issue, and given a reminder that we would publish it soon. No response.
  • 2018.05.24 – Sent twitter DM to a member of the security team to make sure they do not overlook the message on Hackerone.
  • 2018.06.26 – The issue remains unpatched more than 7 months after reporting. Information disclosed.

More details on this WordPress vulnerability

  • It affects all latest versions including the current 4.9.6 release, and there is no patched version available to this date.
  • An attacker must have at least Author role or custom role with level privileges allowing him to edit and delete media files.
  • The vulnerability allows an attacker to delete any file of the WordPress installation, also any file on the server which PHP process user can delete (permissions to delete).
  • By deleting a .htaccess an attacker could gain access to files and folders that are typically protected by some custom rules of this particular .htaccess file.
  • By deleting an index.php file in some directories could allow seeing the structure of some directories protected from directory listing by those index.php files.
  • By deleting a wp-config.php file, an attacker could start new WordPress installation process on the same server and gain full access to database and file server.
  • The source code which makes this vulnerability possible and exploitable is in the wp-includes/post.php file.

Temporary solution to patch this WordPress vulnerability

You can add this code (below) to your functions.php file of the currently active theme/child-theme. This solution should keep your site safe against this newly discovered vulnerability until the next WordPress Security release. Remember this is a temporary solution so don’t forget to remove it when it becomes unnecessary.

add_filter( 'wp_update_attachment_metadata', 'rips_unlink_tempfix' );

function rips_unlink_tempfix( $data ) {
    if( isset($data['thumb']) ) {
        $data['thumb'] = basename($data['thumb']);

    return $data;

All users of our WordPress Security plugin are notified about this vulnerability by email or by the message in WordPress dashboard since we have added this vulnerability entry to our database of WordPress vulnerabilities yesterday.

Darius S.

Similar Posts

Social Warfare plugin vulnerabilities exploited

Social Warfare plugin under attack due to critical security vulnerabilities

Social Warfare plugin has more than 60,000 active installs, and now it suffers from the wave of attacks ignited by recently discovered two ...

Easy WP SMTP plugin vulnerability

Easy WP SMTP plugin vulnerability threatens 300k WordPress websites

Easy WP SMTP plugin gets a lot of attention these days due to zero-day (0-day) vulnerability disclosed recently. Why it gets so much ...

Coinhive closing

Coinhive closes – hackers will lose their favorite tool of exploitation

Coinhive development team published a blog post about the discontinuation of Coinhive system. Yes, the same Coinhive that we talked about ...

Leave a Reply

Your email address will not be published. Required fields are marked *