How To Protect Your Website From The New WordPress Core Vulnerability

No platform is truly secure. It’s a truth that’s well worth remembering. Even WordPress Core, for all that it’s touted and praised, likely has undiscovered vulnerabilities.

The trick isn’t finding a platform that’s ironclad - no such platform exists. Rather, it’s training yourself to respond quickly and effectively when a new vulnerability surfaces. Case in point, last week security firm RIPS published a blog post that revealed a particularly nasty flaw present in every version of WordPress to date.

The vulnerability, which the firm claims to have reported seven months ago to the WordPress Security Team, remains unpatched. Per the firm, exploiting it grants an attacker the ability to delete any file in a WordPress installation (and any other file on the server that the WordPress site’s owner has the permissions to delete). This could potentially allow someone to completely wipe someone’s WordPress installation.

But it goes beyond that.

By deleting critical files such as .htaccess, index.php, or wp-config.php, an attacker could execute arbitrary code on the WordPress installation’s web server. This could allow them to completely circumvent built-in security measures, see a listing of all files in all directories, or even hijack the WordPress site by reinstalling WordPress and establishing themself as an administrator.

According to RIPS, the vulnerability is linked to a function named unlink(), which is part of the wp_delete_attachment() function in the post.php file. The purpose of both functions is to delete thumbnails associated with images. The problem is that when unlink () is called, one of the values - specifically $meta[‘thumb’], associated with the metadata for deleted thumbnails - isn’t sanitized.

In other words, there are no checks to ensure the value actually represents the thumbnail. Fortunately, RIPS has released a temporary hotfix for the vulnerability, which should suffice until WordPress patches it.  Simply paste the code snippet below into your functions.php file:

add_filter( 'wp_update_attachment_metadata', 'rips_unlink_tempfix' );

function rips_unlink_tempfix( $data ) {
   if( isset($data['thumb']) ) {
       $data['thumb'] = basename($data['thumb']);

   return $data;

It’s important to note that the firm has advised caution when applying this fix, and emphasized that it’s only a temporary preventative measure. It merely stop the vulnerability from deleting any security-critical files. It does not eliminate the vulnerability altogether.

Here’s the good news - a user account is required to actually exploit this vulnerability. Provided all your accounts have strong passwords and you're not hosting any unnecessary or inactive accounts, you should be fine. Otherwise, it might be worthwhile to apply the patch - and to double-check that your users are all secure.

Sign in to Client Area