djbaxter
Administrator
Arbitrary File Deletion Flaw Present in WordPress Core
by Mikey Veenstra, WordFence.com
June 27, 2018
The security community has been abuzz this week following the disclosure of a vulnerability present in all current versions of WordPress. The flaw, published in a detailed report by RIPS Technologies, allows any logged-in user with an Author role or higher to delete files on the server.
By exploiting this arbitrary file deletion vulnerability, malicious actors can pivot and take control of affected sites. The report contains the complete details of the vulnerability, but we’ve summarized it for more casual consumption.
It’s important to note that while the impact of this flaw can be severe on affected sites, the requirement that attackers secure valid Author-level credentials greatly limits the overall attack surface of this vulnerability.
Read more...
This is a limited vulnerability, but any of you using multiple authors should double-check your list of any users with roles Author and above (Author, Editor, Administrator; I'm unsure about SEO Editor, SEO Manager, and Contributor, but this is probably a good time to double-check all your roles other than Subscriber) to make sure they are current and that anyone on that list is known to you and trustworthy.